I have many servers for which I have properly generated keys, set permissions and was able to ssh/scp without password. However there is one machine which is a little bit different and I think that I have found the difference.
The difference is that on machine for which I coulnd not connect without password is that ssh is accepting keys:
debug1: Server accepts key: pkalg ssh-rsa blen 279 and all other my machines are accepting:
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279 While creating ssh keys I always set argument "-t rsa" and I'm not sure which kind of key is generated. Can you help me to create ssh-rsa key instaed of rsa-sha2-512? And last one thing - I cannot modify /etc/ssh/sshd_config to change something.
Full dump of ssh log are below: One to which I can connect:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 58: Applying options for * debug1: Connecting to HOSTNAME [IP] port 22. debug1: Connection established. debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4 debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000 debug1: Authenticating to HOSTNAME:22 as 'SOMEUSER' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: MAC: <implicit> compression: none debug1: kex: client->server cipher: MAC: <implicit> compression: none debug1: kex: curve25519-sha256 need=64 dh_need=64 debug1: kex: curve25519-sha256 need=64 dh_need=64 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:###HASH### debug1: Host 'HOSTNAME' is known and matches the ECDSA host key. debug1: Found key in /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/known_hosts:2 debug1: rekey after ###HASH### blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after ###HASH### blocks debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069) debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069) debug1: Next authentication method: publickey debug1: Offering RSA public key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa debug1: Server accepts key: pkalg rsa-sha2-512 blen 279 debug1: Authentication succeeded (publickey). Authenticated to HOSTNAME ([IP]:22). debug1: channel 0: new [client-session] debug1: Requesting debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype want_reply 0 debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 Second one to which I cannot connect:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 58: Applying options for * debug1: Connecting to HOSTNAME [IP] port 22. debug1: Connection established. debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.8 debug1: no match: Sun_SSH_1.1.8 debug1: Authenticating to HOSTNAME:22 as 'USERNAME' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent debug1: got SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: got SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: ssh-rsa SHA256:###HASH### debug1: Host 'HOSTNAME' is known and matches the RSA host key. debug1: Found key in /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/known_hosts:13 debug1: rekey after ###HASH### blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after ###HASH### blocks debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069) debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_38000069) debug1: Next authentication method: publickey debug1: Offering RSA public key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 279 debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_dsa debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ecdsa debug1: Trying private key: /SOMEPATH/SOMEDIR/SOMEFOLDER/.ssh/id_ed25519 debug1: Next authentication method: keyboard-interactive Password: Command which I'm using in order to generate key:
ssh-keygen -b 2048 -t rsa -E sha256 -f filename I have also tried to:
Create key with different parameters:
-t rsa1; -t ecdsa; -b 1024; -b 2048;
3 Answers
RSA keys themselves are neither "SHA1" nor "SHA2" – the key format doesn't involve any hash algorithm at all. The private key just consists of two large numbers, and unlike certificates, there is no attached signature.
However, SSH did not leave much flexibility in what hash algorithm to use with each pubkey algorithm – for example, it was originally specified that whenever an "ssh-rsa" key was used for signing it would be together with SHA1 and nothing else. So in order to allow people to use their existing RSA keys, new signature algorithm names had to be created purely for the connection handshake – pkalg rsa-sha2-512 still means using the same ssh-rsa key, only performing signatures with SHA2 instead.
Usually this feature is enabled by agreement when both the client and the server claim to support it. If you want to disable it for servers which wrongly claim support for rsa-sha2, in the OpenSSH client you can customize PubkeyAcceptedKeyTypes:
ssh -o "PubkeyAcceptedKeyTypes=ssh-rsa" [...] But it won't help in your case because the client already correctly detects that the server doesn't support RSA with SHA2. Your problem is most likely somewhere else entirely.
1I had similar situation.
As this is not answer how to generate key, but rather what causes sshd to reject pubkey authentication and accept only password. I thought for some of you this maybe useful.
Some firewalls - like Palo Alto, Fortigate, CheckPoint, and others - are able to work as transparent SSH proxy and intercept traffic, but they are unable to authenticate using private key.
So if you don't know, it won't hurt if you ask your admin if he's not doing anything nasty.
Here's the output with firewall enabled:
52:~ laimis$ ssh -v mem OpenSSH_7.8p1, LibreSSL 2.6.2 debug1: Reading configuration data /Users/laimis/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 48: Applying options for * debug1: Connecting to mem port 22. debug1: Connection established. debug1: identity file /Users/laimis/.ssh/id_rsa type 0 debug1: identity file /Users/laimis/.ssh/id_rsa-cert type -1 debug1: identity file /Users/laimis/.ssh/id_dsa type 1 debug1: identity file /Users/laimis/.ssh/id_dsa-cert type -1 debug1: identity file /Users/laimis/.ssh/id_ecdsa type -1 debug1: identity file /Users/laimis/.ssh/id_ecdsa-cert type -1 debug1: identity file /Users/laimis/.ssh/id_ed25519 type -1 debug1: identity file /Users/laimis/.ssh/id_ed25519-cert type -1 debug1: identity file /Users/laimis/.ssh/id_xmss type -1 debug1: identity file /Users/laimis/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.8 debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2 debug1: no match: PaloAltoNetworks_0.2 debug1: Authenticating to mem:22 as 'laimis' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent debug1: got SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: got SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: ssh-rsa SHA256:S0MWqGuhCYBUQq4T9evKCHomiPHxLw/Sdda41XmAg3g debug1: Host 'mem' is known and matches the RSA host key. debug1: Found key in /Users/laimis/.ssh/known_hosts:521 debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 4294967296 blocks debug1: Skipping ssh-dss key /Users/laimis/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:B26Tg4YaV+VsS1Ou0wcKY/jD5sBh7IWIFw19DCdZhw0 /Users/laimis/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 149 debug1: Authentications that can continue: publickey,password debug1: Trying private key: /Users/laimis/.ssh/id_ecdsa debug1: Trying private key: /Users/laimis/.ssh/id_ed25519 debug1: Trying private key: /Users/laimis/.ssh/id_xmss debug1: Next authentication method: password laimis@mem's password: debug1: Authentication succeeded (password). Authenticated to mem ([10.130.10.65]:22). debug1: channel 0: new [client-session] debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype want_reply 0 debug1: Sending environment. debug1: Sending env LANG = lt_LT.UTF-8 Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64) Here's the output with firewall disabled:
52:~ laimis$ ssh -v mem OpenSSH_7.8p1, LibreSSL 2.6.2 debug1: Reading configuration data /Users/laimis/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 48: Applying options for * debug1: Connecting to mem port 22. debug1: Connection established. debug1: identity file /Users/laimis/.ssh/id_rsa type 0 debug1: identity file /Users/laimis/.ssh/id_rsa-cert type -1 debug1: identity file /Users/laimis/.ssh/id_dsa type 1 debug1: identity file /Users/laimis/.ssh/id_dsa-cert type -1 debug1: identity file /Users/laimis/.ssh/id_ecdsa type -1 debug1: identity file /Users/laimis/.ssh/id_ecdsa-cert type -1 debug1: identity file /Users/laimis/.ssh/id_ed25519 type -1 debug1: identity file /Users/laimis/.ssh/id_ed25519-cert type -1 debug1: identity file /Users/laimis/.ssh/id_xmss type -1 debug1: identity file /Users/laimis/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002 debug1: Authenticating to mem:22 as 'laimis' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: aes128-ctr MAC: compression: none debug1: kex: client->server cipher: aes128-ctr MAC: compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:QG8mC4gGXfD8CmWA71LTOs8yqeKhFP3Jz2pf1AYLw7s debug1: Host 'mem' is known and matches the ECDSA host key. debug1: Found key in /Users/laimis/.ssh/known_hosts:521 debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 4294967296 blocks debug1: Skipping ssh-dss key /Users/laimis/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:B26Tg4YaV+VsS1Ou0wcKY/jD5sBh7IWIFw19DCdZhw0 /Users/laimis/.ssh/id_rsa debug1: Server accepts key: pkalg rsa-sha2-512 blen 149 debug1: Authentication succeeded (publickey). Authenticated to mem ([10.130.10.65]:22). debug1: channel 0: new [client-session] debug1: Requesting debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype want_reply 0 debug1: Sending environment. debug1: Sending env LANG = lt_LT.UTF-8 Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64) Try with
ssh-keygen -t rsa -b 2048 -E sha512
1