Solved: ssh pubkey auth with ssh-rsa failed

silvio

Solved: ssh pubkey auth with ssh-rsa failed

Post by silvio » 2020/04/30 08:56:24

Hi,

I have a strange problem with SSH public key authentication under CentOS 8.
I can log in with username and password, but if I want to use a public key it fails.

In my log I can see this:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

If I check the supported key types:
[root@xxxxx ~]# ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

I can see that ssh-rsa is included.

It is also included in the crypto policy file:

[root@xxxx back-ends]# grep ssh-rsa opensshserver.config
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512

-oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com

-oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com

-oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'

CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512
-oGSSAPIKeyExchange=no
-oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
-oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
-oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'

I don't know why I have two CRYPTO_POLICY rules in this file.

Has anyone an idea what I can do or where I can look for additional information?

Thanks

Silvio
Last edited by silvio on 2020/05/04 12:08:49, edited 1 time in total.

silvio

Re: ssh pubkey auth with ssh-rsa failed

Post by silvio » 2020/04/30 11:22:43

I found the reason for the second crypto policy.
The policy is included by an OpenSCAP rule which hardens the sshd crypto policy.
If I delete the second policy:
CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512
-oGSSAPIKeyExchange=no
-oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
-oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
-oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
the pubkey auth is working.

What I don't understand is that ssh-rsa is allowed in PubkeyAcceptedKeyTypes, but it is not working with this rule.

I checked with a rule file which includes:
only the first rule -> pubkey auth is working
only the second ruleset -> pubkey auth is not working
both rulesets -> pubkey auth is not working

Can anyone give me a hint why this rule disables ssh-rsa?

Silvio

KernelOops

Re: ssh pubkey auth with ssh-rsa failed

Post by KernelOops » 2020/04/30 14:44:43

Maybe this will be helpful: viewtopic.php?f=57&t=72948
--
R.I.P. CentOS :cry:
--

silvio

Re: ssh pubkey auth with ssh-rsa failed

Post by silvio » 2020/05/01 09:40:10

Thanks for the answer.
Yes, it helps, but it does not explain why I cannot use ssh-rsa with my config.
I want to understand where my problem is and where I am thinking wrong.

Silvio

silvio

Re: ssh pubkey auth with ssh-rsa failed

Post by silvio » 2020/05/04 09:39:15

I changed every option in the crypto file step by step, and after every change I restarted the SSH server and checked.

It stopped working when I changed the -oPubkeyAcceptedKeyTypes part.
With

-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa

public key auth failed with:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

But as you can see, it is included.

Any ideas?

Silvio

silvio

Solved: ssh pubkey auth with ssh-rsa failed

Post by silvio » 2020/05/04 10:37:50

Found it:
The client systems use SHA256 keys.
So the server needs rsa-sha2-256 as an allowed key type.

The log message is a little bit confusing for me if the server writes ssh-rsa in the log and means rsa-sha2. If we have different options for these key types in the config, then we should have different messages in the log ...

Silvio

Monkeypet

Re: Solved: ssh pubkey auth with ssh-rsa failed

Post by Monkeypet » 2021/02/21 18:06:49

In the file /etc/crypto-policies/back-ends/opensshserver.config, append ssh-rsa to the end of the line

PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com

Then restart your sshd:

systemctl restart sshd

You should see ssh-rsa in the output below:

[root@mythtv user]# sshd -T |grep ssh-rsa
hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa

Tested this on Fedora release 33.
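As an added illustration, not code from the thread, the following sh script reproduces what silvio found and the `sshd -T` check Monkeypet suggests: sshd matches the signature algorithm the client offers (rsa-sha2-256 or rsa-sha2-512 on current clients) against PubkeyAcceptedKeyTypes, but its log line names the key type, ssh-rsa. The `sshd -T` output is a constructed sample, and the "hardened" list is an assumption showing that allowing rsa-sha2-* keeps RSA keys usable without re-enabling SHA-1 ssh-rsa signatures.

```shell
# Added example (not from the thread): check whether an RSA client key would
# pass sshd's PubkeyAcceptedKeyTypes match. sshd compares the *signature
# algorithm* the client offers (rsa-sha2-256 / rsa-sha2-512 on current
# clients) but logs the *key type* (ssh-rsa), which is what confused the OP.

# Constructed sample of `sshd -T` output with the restrictive policy from the thread.
SAMPLE_SSHD_T='ciphers aes128-ctr,aes256-ctr
pubkeyacceptedkeytypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa
hostkeyalgorithms ssh-rsa,ecdsa-sha2-nistp256'

# Print the comma-separated value of pubkeyacceptedkeytypes from sshd -T output.
accepted_algs() {
    printf '%s\n' "$1" | awk '$1 == "pubkeyacceptedkeytypes" { print $2; exit }'
}

# Succeed if algorithm $2 is an exact member of the comma-separated list $1.
in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Simulate the server-side check for an RSA key signed with algorithm $2.
check_rsa_client() {
    if in_list "$1" "$2"; then
        echo "accept: $2"
    else
        # sshd's message names the key type, not the algorithm that failed to match.
        echo "reject: $2 (sshd logs: key type ssh-rsa not in PubkeyAcceptedKeyTypes)"
    fi
}

# Audit a list: succeed only if RSA keys can be used with SHA-2 signatures.
# A list with ssh-rsa but no rsa-sha2-* breaks current clients (the OP's case);
# re-adding ssh-rsa instead of rsa-sha2-* would re-enable SHA-1 signatures.
rsa_sha2_allowed() {
    in_list "$1" rsa-sha2-256 || in_list "$1" rsa-sha2-512
}

# Assumed hardened list: RSA keys accepted only with SHA-2 signatures, no ssh-rsa.
hardened_list() {
    echo 'ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'
}

# Usage: on a live host, replace SAMPLE_SSHD_T with "$(sshd -T)".
list=$(accepted_algs "$SAMPLE_SSHD_T")
check_rsa_client "$list" rsa-sha2-256
rsa_sha2_allowed "$list" || echo "warning: no rsa-sha2-* in PubkeyAcceptedKeyTypes"
```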
