SSH with Dropbear: "Permission denied (publickey)"

I've create a RSA key pair with ssh-keygen. In /etc/dropbear-initramfs/authorized_keys I have the public key, and on my client machine I have the keypair in the /home/<name>/.ssh/ directory. After running update-initramfs -u, I still am not able to connect with Dropbear.

Here is how I have it set up on the server:

/etc/dropbear-initramfs/authorized_keys:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCi3gJaNC89jJSdzlD/qxjwzKC33PpERqpyt7q2PIHFM7hoDk7M/MU9/5k+jmIy80Xt0ZvswLdxAi4p26wr+13vtwNHJIdsLdswCNmKxz+nyBvIw2g/pT7I3368B6KZ1MKokQ4Nz4HQu5WuEDZXTZSnsvP/7n732+zwhFZDPz+NZ4HdY0cveTeb6hW+peZEe3xCBQ4PeGNaH1U+VTuNveyAnFPxEjHvQhG39CtAn4SAEYd7UMNmyVFWDf2+ymlgWRwq2joAQKg/vB4qrdwX6MWEPf0r0H2jtnm+y8ZFrEdmjJTWmUKhliE928Oc63exAPaGmwJ4+tjrSUU0twHe+v9HnTrMiJHvOUQDoUuMsyqsO5auo3RNUMXMKEhA/tJbZjpAMj5wMtdcvHJ0u5VJ/oZQavm0uYUBAhOc94JUr6qRVfNk1PbCGgBx1hCfIKORVHz05bsMZUYeUaruhfMGg3jGTpfojgBRWZ0gbQTnEaxNcXeZnSEoTmX8jOhSsOmhqjU= root@ubuntu 

ls -la /etc/dropbear-initramfs shows:

drwxr-xr-x 2 root root 4096 Apr 17 23:11 . drwxr-xr-x 99 root root 4096 Apr 17 21:33 .. -rw------- 1 root root 565 Apr 17 23:11 authorized_keys -rw-r--r-- 1 root root 579 Apr 17 22:48 config -rw------- 1 root root 458 Apr 17 21:33 dropbear_dss_host_key -rw------- 1 root root 140 Apr 17 21:33 dropbear_ecdsa_host_key -rw------- 1 root root 805 Apr 17 21:33 dropbear_rsa_host_key -rw------- 1 root root 2590 Apr 17 23:11 id_rsa -rw-r--r-- 1 root root 565 Apr 17 23:11 id_rsa.pub 

After seeing "Begin: Starting dropbear ..." on my server, and then running the following command on my client machine from a different network: ssh -o "HostKeyAlgorithms ssh-rsa" -p <port> root@<ip> -vvv, I get the following output:

OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021 debug1: Reading configuration data /etc/ssh/ssh_config debug2: resolve_canonicalize: hostname <ip> is address debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/<name>/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/<name>/.ssh/known_hosts2' debug3: ssh_connect_direct: entering debug1: Connecting to <ip> [<ip>] port <port>. debug3: set_sock_tos: set socket 3 IP_TOS 0x48 debug1: Connection established. debug1: identity file /home/<name>/.ssh/id_rsa type 0 debug1: identity file /home/<name>/.ssh/id_rsa-cert type -1 debug1: identity file /home/<name>/.ssh/id_dsa type -1 debug1: identity file /home/<name>/.ssh/id_dsa-cert type -1 debug1: identity file /home/<name>/.ssh/id_ecdsa type -1 debug1: identity file /home/<name>/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/<name>/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/<name>/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/<name>/.ssh/id_ed25519 type -1 debug1: identity file /home/<name>/.ssh/id_ed25519-cert type -1 debug1: identity file /home/<name>/.ssh/id_ed25519_sk type -1 debug1: identity file /home/<name>/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/<name>/.ssh/id_xmss type -1 debug1: identity file /home/<name>/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version dropbear_2019.78 debug1: compat_banner: no match: dropbear_2019.78 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to <ip>:<port> as 'root' debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c debug2: host key algorithms: ssh-rsa debug2: ciphers ctos: ,aes128-ctr,aes192-ctr,aes256-ctr,, debug2: ciphers stoc: ,aes128-ctr,aes192-ctr,aes256-ctr,, debug2: MACs ctos: ,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: ,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,,zlib debug2: compression stoc: none,,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1, debug2: host key algorithms: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-ctr,3des-cbc debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-ctr,3des-cbc debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-sha2-256 debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-sha2-256 debug2: compression ctos: ,none debug2: compression stoc: ,none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-rsa SHA256:k5mkg88bVoGfNcqRVQ4dO+A3bUDOsVvKH7QBLuUud5A debug3: put_host_port: [<ip>]:<port> debug3: put_host_port: [<ip>]:<port> debug3: record_hostkey: found key type RSA in file /home/<name>/.ssh/known_hosts:1 debug3: load_hostkeys_file: loaded 1 keys from [<ip>]:<port> debug1: load_hostkeys: fopen /home/<name>/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: Host '[<ip>]:<port>' is known and matches the RSA host key. debug1: Found key in /home/<name>/.ssh/known_hosts:1 debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey out after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 4294967296 blocks debug1: Will attempt key: /home/<name>/.ssh/id_rsa RSA SHA256:uibL6T72PUCtFFh9FUMwgvTng4YjrQyoR1pido1PKa8 debug1: Will attempt key: /home/<name>/.ssh/id_dsa debug1: Will attempt key: /home/<name>/.ssh/id_ecdsa debug1: Will attempt key: /home/<name>/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/<name>/.ssh/id_ed25519 debug1: Will attempt key: /home/<name>/.ssh/id_ed25519_sk debug1: Will attempt key: /home/<name>/.ssh/id_xmss debug2: pubkey_prepare: done debug3: send packet: type 5 debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: publickey debug3: start over, passed a different list publickey debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/<name>/.ssh/id_rsa RSA SHA256:uibL6T72PUCtFFh9FUMwgvTng4YjrQyoR1pido1PKa8 debug1: send_pubkey_test: no mutual signature algorithm debug1: Trying private key: /home/<name>/.ssh/id_dsa debug3: no such identity: /home/<name>/.ssh/id_dsa: No such file or directory debug1: Trying private key: /home/<name>/.ssh/id_ecdsa debug3: no such identity: /home/<name>/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /home/<name>/.ssh/id_ecdsa_sk debug3: no such identity: /home/<name>/.ssh/id_ecdsa_sk: No such file or directory debug1: Trying private key: /home/<name>/.ssh/id_ed25519 debug3: no such identity: /home/<name>/.ssh/id_ed25519: No such file or directory debug1: Trying private key: /home/<name>/.ssh/id_ed25519_sk debug3: no such identity: /home/<name>/.ssh/id_ed25519_sk: No such file or directory debug1: Trying private key: /home/<name>/.ssh/id_xmss debug3: no such identity: /home/<name>/.ssh/id_xmss: No such file or directory debug2: we did not send a packet, disable method debug1: No more authentication methods to try. root@<ip>: Permission denied (publickey). 

Been struggling with this for a while now...

Any ideas? Thanks!

1 Answer

The SSH client is OpenSSH 8.8. Its release notes tell:

Potentially-incompatible changes

This release disables RSA signatures using the SHA-1 hash algorithm by default.
[...]
Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol.
[...]
For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:

Host old-host HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa 

or its equivalent command line option (actually only the 2nd entry should be needed for this case):

ssh -o PubkeyAcceptedAlgorithms=+ssh-rsa ... 

which should prevent this to happen:

debug1: send_pubkey_test: no mutual signature algorithm 

Reproduced failing and fixed with Dropbear version 2018.76 (and tested not needed with 2020.81). OP's 2019.78 isn't good enough either. Dropbear's documentation tells the required adjustment was done after version 2020.79:

  • Support using rsa-sha2 signatures. No changes are needed to hostkeys/authorized_keys entries, existing RSA keys can be used with the new signature format (signatures are ephemeral within a session). Old ssh-rsa signatures will no longer be supported by OpenSSH in future so upgrading is recommended.

Switching to a non-RSA private/public key pair (and updating authorized_keys) should also be an alternative to lowering client's default security settings or to upgrading Dropbear, but again, one must ensure compatible choices are used.

4

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like