Gentoo Forums
[solved] Which USE flag am I missing for openssh?
Gentoo Forums Forum Index Networking & Security
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Wed Jan 12, 2022 7:53 pm    Post subject: [solved] Which USE flag am I missing for openssh? Reply with quote

I need to do a lot of work remotely via SSH into a network with several ProxyJumps, my ~/.ssh/config looks like this:

Code:

host instutite
  hostname <IP FROM SERVER>
  user <MY USERNAME>
  ServerAliveInterval 30
  ServerAliveCountMax 20
  ForwardAgent yes

host cronserv
  hostname cronserv
  user messmoni
  ForwardAgent yes
  ProxyJump instutite

host sxv902
  hostname sxv902
  user pvlive
  ForwardAgent yes
  ProxyJump instutite

# and many more


So I usually execute ssh sxv902 to log in. Now after my new year's vacation I needed to log in and I was not able to: sxv902 keeps asking for a password. However, if I do ssh instutite and then ssh pvlive@sxv902, then I'm able to log in, so that shows that my public keys are properly installed in the pvlive@sxv902:.ssh/authorized_keys file and that my agent is forwarded as well. I also tested ssh cronserv from home and I was able to log in without a problem. Then I realized that cronserv is running on debian 10 and sxv902 is running on deb8, so that seems to be the issue here.

On my computer from the office (which is running debian 10) I have the same SSH setup as at home, so I logged in to my office computer and executed the same thing (ssh sxv902) and I was able to log in without a problem.

Then I executed the same command but with -v to see what is going on:

At home I get:

Code:

$ ssh sxv902  -v
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021
...
debug1: Reading configuration data /home/shaoran/.ssh/config.d/instutite.ssh
debug1: /home/shaoran/.ssh/config.d/instutite.ssh line 46: Applying options for sxv902
...
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' instutite
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Control socket "/home/shaoran/.ssh/control-sxv902-22-pvlive" does not exist
debug1: Executing proxy command: exec ssh -v -W '[sxv902]:22' instutite
...
debug1: Connection established.
...

debug1: Authenticating to sxv902:22 as 'pvlive'
debug1: load_hostkeys: fopen /home/shaoran/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:fE8AG6ImtS9/ZsQ87rIgu7Fny3eRo6AI99/o4xq/4i4
debug1: load_hostkeys: fopen /home/shaoran/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'sxv902' is known and matches the ECDSA host key.
debug1: Found key in /home/shaoran/.ssh/known_hosts:211
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/shaoran/.ssh/id_rsa RSA SHA256:8QRrQSW4VEgCNi9oNRx48UVGqErQozpejXVlx35GS38 agent
debug1: Will attempt key: shaoran@gallifrey ED25519 SHA256:yr53LMfjzstEppCaZHkGBbXfps0sPnITs1/9TvnlhJ0 agent
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/shaoran/.ssh/id_rsa RSA SHA256:8QRrQSW4VEgCNi9oNRx48UVGqErQozpejXVlx35GS38 agent
debug1: send_pubkey_test: no mutual signature algorithm  <--- !!!!!!!!!!!!!!!! HERE !!!!!!!!!!!!
debug1: Offering public key: shaoran@gallifrey ED25519 SHA256:yr53LMfjzstEppCaZHkGBbXfps0sPnITs1/9TvnlhJ0 agent
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/shaoran/.ssh/id_dsa
debug1: Trying private key: /home/shaoran/.ssh/id_ecdsa
debug1: Trying private key: /home/shaoran/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/shaoran/.ssh/id_ed25519
debug1: Trying private key: /home/shaoran/.ssh/id_ed25519_sk
debug1: Trying private key: /home/shaoran/.ssh/id_xmss
debug1: Next authentication method: password



The interesting line is debug1: send_pubkey_test: no mutual signature algorithm

Executing the same command on my debian machine at the office yields

Code:

OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019
...
debug1: Reading configuration data /home/yanez/.ssh/config.d/instutite.ssh
debug1: /home/yanez/.ssh/config.d/instutite.ssh line 25: Applying options for sxv902
debug1: /home/yanez/.ssh/config.d/instutite.ssh line 103: Applying options for sxv902
...
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' instutite
debug1: Executing proxy command: exec ssh -v -W '[sxv902]:22' instutite
...
debug1: channel_connect_stdio_fwd sxv902:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /net/home/j/jyaneztr/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /net/home/j/jyaneztr/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u8
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to sxv902:22 as 'pvtest'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:fE8AG6ImtS9/ZsQ87rIgu7Fny3eRo6AI99/o4xq/4i4
debug1: Host 'sxv902' is known and matches the ECDSA host key.
debug1: Found key in /home/yanez/.ssh/known_hosts:519
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/shaoran/.ssh/id_rsa RSA SHA256:8QRrQSW4VEgCNi9oNRx48UVGqErQozpejXVlx35GS38 agent
debug1: Will attempt key: shaoran@gallifrey ED25519 SHA256:yr53LMfjzstEppCaZHkGBbXfps0sPnITs1/9TvnlhJ0 agent
debug1: Will attempt key: /home/yanez/.ssh/id_rsa RSA SHA256:KnE0NgM53V8b2bCugksmewwXFGHQ7DfLo8gKfAZFgKQ
debug1: Will attempt key: /home/yanez/.ssh/id_dsa
debug1: Will attempt key: /home/yanez/.ssh/id_ecdsa
debug1: Will attempt key: /home/yanez/.ssh/id_ed25519
debug1: Will attempt key: /home/yanez/.ssh/id_xmss

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001)


debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1001)


debug1: Next authentication method: publickey
debug1: Offering public key: /home/shaoran/.ssh/id_rsa RSA SHA256:8QRrQSW4VEgCNi9oNRx48UVGqErQozpejXVlx35GS38 agent
debug1: Server accepts key: /home/shaoran/.ssh/id_rsa RSA SHA256:8QRrQSW4VEgCNi9oNRx48UVGqErQozpejXVlx35GS38 agent
debug1: Authentication succeeded (publickey).
Authenticated to sxv902 (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: proc
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
debug1: Sending env LC_TIME = POSIX
debug1: Sending env LC_COLLATE = POSIX
...



At the office I don't get debug1: send_pubkey_test: no mutual signature algorithm. So I think that my openssh client is missing some signature algorithm, but I don't know which one, or whether I can enable it in the USE flags.

During my vacation I did update my kernel from linux-5.10.76-gentoo-r1 to linux-5.15.11-gentoo, so perhaps some cipher in the kernel is missing? I don't remember whether openssh was rebuilt in the last couple of world updates.

Does anybody know what I am missing?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!


Last edited by pablo_supertux on Wed Jan 12, 2022 8:45 pm; edited 1 time in total
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Wed Jan 12, 2022 7:59 pm    Post subject: Reply with quote

It's definitely my openssh client. I copied the /usr/bin/ssh file (plus *.so files) from my debian10 installation from the office into ~/tmp/debian_ssh, and if I do:

Code:

cd ~/tmp/debian_ssh
LD_LIBRARY_PATH=./libs ./ssh sxv902


Then I'm able to log in. So my openssh-client is missing some cipher. The question is which and how can I enable it again?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
grknight
Retired Dev


Joined: 20 Feb 2015
Posts: 1660

PostPosted: Wed Jan 12, 2022 8:04 pm    Post subject: Reply with quote

This is likely related to the "OpenSSH RSA SHA-1 signatures" news item where OpenSSH 8.8 disables them by default.

Edit: If not the above, it would seem like some algorithm configuration difference between client and server. Particularly when going 8.8 (client) vs 6.7 (server):

Quote:
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u8
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Wed Jan 12, 2022 8:22 pm    Post subject: Reply with quote

grknight wrote:
This is likely related to the "OpenSSH RSA SHA-1 signatures" news item where OpenSSH 8.8 disables them by default.

Edit: If not the above, it would seem like some algorithm configuration difference between client and server. Particularly when going 8.8 (client) vs 6.7 (server):

Quote:
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u8


And how can I enable SHA-1 signatures?

The eselect news article says

Code:

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa


I added those at the top of ~/.ssh/config, but also changed

Code:

host sxv902
  hostname sxv902
  user pvlive
  ForwardAgent yes
  ProxyJump instutite
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa


but that didn't help either. Am I doing it wrong?
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
grknight
Retired Dev


Joined: 20 Feb 2015
Posts: 1660

PostPosted: Wed Jan 12, 2022 8:38 pm    Post subject: Reply with quote

Quick search of the internet for "openssh 8.8 no mutual signature algorithm" brings up this client configuration option:

Code:
PubkeyAcceptedKeyTypes +ssh-rsa


Edit: Meh, this is just a deprecated synonym for PubkeyAcceptedAlgorithms +ssh-rsa

Edit2: The ultimate solution will be to get the ED25519 key onto the problem server. ED25519 has been supported since OpenSSH 6.5. RSA is slowly fading in many ways.


Last edited by grknight on Wed Jan 12, 2022 8:46 pm; edited 1 time in total
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Wed Jan 12, 2022 8:44 pm    Post subject: Reply with quote

grknight wrote:
Quick search of the internet for "openssh 8.8 no mutual signature algorithm" brings up this client configuration option:

Code:
PubkeyAcceptedKeyTypes +ssh-rsa


I also googled that 1 minute ago; in my case adding

Code:

PubkeyAcceptedKeyTypes +ssh-rsa,ssh-dss


did the trick. I do understand when ciphers are removed because they are not secure anymore, but sometimes that ends up breaking running setups. In this case I do not manage the openssh server, I have no control over it, and because it's running behind many ssh hops and firewalls, this server will never be updated; if my ssh client refuses to work, then I cannot log in and do my proper work. Luckily I was able to find two workarounds.

Thanks for your help
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
pablo_supertux
Advocate


Joined: 25 Jan 2004
Posts: 2931
Location: Somewhere between reality and Middle-Earth and in Freiburg (Germany)

PostPosted: Wed Jan 12, 2022 9:00 pm    Post subject: Reply with quote

grknight wrote:


Edit2: The ultimate solution will be to get the ED25519 key onto the problem server. ED25519 has been supported since OpenSSH 6.5. RSA is slowly fading in many ways.


I have an ED25519 key as well; the first node in the chain accepts only ED25519 keys, so it's in my agent. I already had my ED25519 key in the authorized_keys file on the server, but that didn't help either. The only thing that helped was PubkeyAcceptedAlgorithms.

Quote:

Edit: Meh, this is just a deprecated synonym for PubkeyAcceptedAlgorithms +ssh-rsa


Ah, that explains a lot, initially I had:

Code:

PubkeyAcceptedKeyTypes=+ssh-dss


and then I added PubkeyAcceptedAlgorithms +ssh-rsa as suggested in the news item, but that didn't help. That's why I didn't understand why it didn't work. Now I removed PubkeyAcceptedKeyTypes and it's working again.
_________________
A! Elbereth Gilthoniel!
silivren penna míriel
o menel aglar elenath,
Gilthoniel, A! Elbereth!
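An added example, not from the thread or from OpenSSH: a small Python model of the ssh_config rule that the first obtained value for a keyword wins. It covers both the fix that did the trick (PubkeyAcceptedKeyTypes / PubkeyAcceptedAlgorithms +ssh-rsa) and the explanation above of why a PubkeyAcceptedKeyTypes line at the top of the file masked the host-scoped PubkeyAcceptedAlgorithms +ssh-rsa, and it shows the re-enabled ssh-rsa staying confined to the legacy host. Host matching, the alias table and the default algorithm list are simplified constructed stand-ins.

```python
import re

# PubkeyAcceptedKeyTypes is a deprecated alias of PubkeyAcceptedAlgorithms:
# both set the same option, so ssh_config's "first obtained value wins"
# rule applies across the two spellings (simplified alias table).
ALIASES = {"pubkeyacceptedkeytypes": "pubkeyacceptedalgorithms"}

def resolve(config_text, host, keyword):
    """First value obtained for keyword when connecting to host, or None
    (OpenSSH default applies). Host matching is simplified: exact name or *."""
    want = ALIASES.get(keyword.lower(), keyword.lower())
    active = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([^\s=]+)[\s=]+(.*)", line)  # 'key value' or 'key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host in value.split() or "*" in value.split()
        elif active and ALIASES.get(key, key) == want:
            return value  # later blocks cannot override this
    return None

def effective(spec, default):
    """Apply a '+list' / '-list' / 'list' spec to the default algorithm list
    (exact-name matching; OpenSSH also accepts wildcards in '-')."""
    if spec is None:
        return list(default)
    if spec.startswith("+"):
        return list(default) + [a for a in spec[1:].split(",") if a not in default]
    if spec.startswith("-"):
        return [a for a in default if a not in spec[1:].split(",")]
    return spec.split(",")

# Constructed stand-in for the OpenSSH 8.8 default list (ssh-rsa absent).
DEFAULT = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]

# What the poster had first: a global alias line masks the host-scoped one.
BROKEN = "PubkeyAcceptedKeyTypes=+ssh-dss\nhost sxv902\n  PubkeyAcceptedAlgorithms +ssh-rsa\n"
# After removing the global line: ssh-rsa is re-enabled for sxv902 only.
FIXED = "host sxv902\n  PubkeyAcceptedAlgorithms +ssh-rsa\nhost cronserv\n  ProxyJump instutite\n"

def pubkey_algs(config_text, host):
    return effective(resolve(config_text, host, "PubkeyAcceptedAlgorithms"), DEFAULT)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for h in ("sxv902", "cronserv"):
            print(name, h, "ssh-rsa offered:", "ssh-rsa" in pubkey_algs(cfg, h))
```

Running it prints that ssh-rsa is offered only with the fixed config and only for sxv902; cronserv keeps the SHA-2 only default.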