Solved: ssh pubkey auth with ssh-rsa failed
Hi,
I have a strange problem with ssh public key auth under CentOS8.
I can login with username and password but if I want to use a public key it fails.
In my log I can see this:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
If I check the supported key types:
[root@xxxxx ~]# ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
I can see that ssh-rsa is included.
Also in the crypto policy file it is included:
[root@xxxx back-ends]# grep ssh-rsa opensshserver.config
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
-oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
-oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
-oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'
CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512
-oGSSAPIKeyExchange=no
-oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
-oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
-oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
I don't know why I have 2 CRYPTO_POLICY rules in this file.
Has anyone an idea what I can do or where I can look for additional info?
Thanks
Silvio
Last edited by silvio on 2020/05/04 12:08:49, edited 1 time in total.
Re: ssh pubkey auth with ssh-rsa failed
I found the reason for the second crypto policy.
The policy is included by an OpenSCAP rule which hardens the sshd crypto policy.
If I delete the second policy:
CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512
-oGSSAPIKeyExchange=no
-oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
-oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
-oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
the pubkey auth is working.
What I do not understand is that in the PubkeyAcceptedKeyTypes ssh-rsa is allowed but it is not working with this rule.
I checked with a rule file which includes:
only the first rule -> pubkey auth is working
only the second ruleset -> pubkey auth is not working
both rulesets -> pubkey auth not working
Can anyone give me a hint why this rule disables ssh-rsa?
Silvio
KernelOops
Re: ssh pubkey auth with ssh-rsa failed
Maybe this will be helpful: viewtopic.php?f=57&t=72948
--
R.I.P. CentOS
Re: ssh pubkey auth with ssh-rsa failed
Thanks for the answer.
Yes it helps but it does not explain why I cannot use ssh-rsa with my config.
I want to understand where my problem is and where my thinking is wrong.
Silvio
Re: ssh pubkey auth with ssh-rsa failed
I changed every option in the crypto file step by step and after every change I restarted the ssh server and checked.
It stopped working as I changed the -oPubkeyAcceptedKeyTypes part.
With
-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa
public key auth failed with:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
But as you can see, it is included.
Any ideas?
Silvio
Solved: ssh pubkey auth with ssh-rsa failed
Found it:
The client systems use SHA256 keys.
So the server needs rsa-sha2-256 as an allowed key type.
The log message is a little bit confusing to me if the server writes ssh-rsa in the log and means rsa-sha2. If we have different options for these key types in the config then we should have different messages in the log ...
Silvio
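As an added example (not code from the thread, from OpenSSH or from crypto-policies), the script below models the mismatch Silvio ran into: it reads a constructed opensshserver.config carrying the two CRYPTO_POLICY lines, takes the effective -oPubkeyAcceptedKeyTypes list, shows how a client signing with rsa-sha2-256 is rejected while the log names "ssh-rsa", and produces the corrected list. The last-assignment-wins rule and the check/log model are assumptions chosen to match what the thread observed.

```python
import re

# Constructed sample: the two CRYPTO_POLICY assignments from the thread, trimmed
# to the options that matter here. A quoted value may span several lines.
SAMPLE_CONFIG = """\
CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr -oMACs=hmac-sha2-256
-oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ssh-rsa'
CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr -oMACs=hmac-sha2-256,hmac-sha2-512
-oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
"""

SHA2_RSA = ("rsa-sha2-256", "rsa-sha2-512")  # RSA signature algorithms clients send

def crypto_policies(text):
    """All CRYPTO_POLICY='...' values in file order."""
    return re.findall(r"CRYPTO_POLICY='([^']*)'", text)

def effective_policy(text):
    """Assumption: as in a systemd EnvironmentFile, the last assignment wins
    (consistent with the thread: both rulesets present -> the second applied)."""
    policies = crypto_policies(text)
    return policies[-1] if policies else ""

def accepted_key_types(policy):
    """The comma-separated -oPubkeyAcceptedKeyTypes list of one policy value."""
    m = re.search(r"-oPubkeyAcceptedKeyTypes=(\S+)", policy)
    return m.group(1).split(",") if m else []

def check_pubkey(key_type, sig_alg, accepted):
    """Model of the server check seen in the thread: the test is against the signature
    algorithm the client offers, but the log line names the key type (ssh-rsa)."""
    if sig_alg in accepted:
        return True, ""
    return False, f"userauth_pubkey: key type {key_type} not in PubkeyAcceptedKeyTypes [preauth]"

def rsa_auth_report(text):
    """Does the effective policy admit SHA-2 RSA signatures? If not, show the fix."""
    policy = effective_policy(text)
    accepted = accepted_key_types(policy)
    missing = [a for a in SHA2_RSA if a not in accepted]
    fixed = policy
    if missing:  # the thread's remedy: list rsa-sha2-256 (and -512) as accepted types
        fixed = policy.replace("-oPubkeyAcceptedKeyTypes=",
                               "-oPubkeyAcceptedKeyTypes=" + ",".join(missing) + ",", 1)
    return {"policy_count": len(crypto_policies(text)), "accepted": accepted,
            "sha2_rsa_allowed": not missing, "fixed_key_types": accepted_key_types(fixed)}

if __name__ == "__main__":
    report = rsa_auth_report(SAMPLE_CONFIG)
    print(report, check_pubkey("ssh-rsa", "rsa-sha2-256", report["accepted"])[1])
```

To check a real host, feed it the contents of /etc/crypto-policies/back-ends/opensshserver.config and compare the reported list with the pubkeyacceptedkeytypes line of sshd -T.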
Re: Solved: ssh pubkey auth with ssh-rsa failed
In file /etc/crypto-policies/back-ends/opensshserver.config, append ssh-rsa to the end of the line:
PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
Then restart your sshd:
systemctl restart sshd
You should see ssh-rsa in the output below:
[root@mythtv user]# sshd -T |grep ssh-rsa
hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa
Tested this on Fedora release 33.