Thanks to all for your responses and apologies for the delay in
responding. I decided that perhaps including in this response output from
the ssh -v command might be the best way to proceed since answers to some
of the questions asked will be found there. Thus, the following
slightly-obfuscated and commented output:
### below with key-pair authentication enabled
OpenSSH_9.0p1, OpenSSL 1.1.1p 21 Jun 2022
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 6: Applying options for vps
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 12.34.56.78 [12.34.56.78] port 22222.
debug1: Connection established.
debug1: identity file /home/user/.ssh/MyMachine.id.rsa type 0
debug1: identity file /home/user/.ssh/MyMachine.id.rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version dropbear_2017.75
debug1: compat_banner: no match: dropbear_2017.75
debug1: Authenticating to 12.34.56.78:22222 as 'user'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha...@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression:
none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression:
none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:<alphanumeric string w special chars
here>
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host '[12.34.56.78]:22222' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:95
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/user/.ssh/MyMachine.id.rsa RSA SHA256:<long
alphanumeric string here> explicit agent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/MyMachine.id.rsa RSA
SHA256:<long alphanumeric sequence here> explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
user@12.34.56.78: Permission denied (publickey).
### below with key-pair authentication disabled (no -s switch under
/etc/default/dropbear config file)
OpenSSH_9.0p1, OpenSSL 1.1.1p 21 Jun 2022
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 6: Applying options for vps
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 12.34.56.78 [12.34.56.78] port 22222.
debug1: Connection established.
debug1: identity file /home/user/.ssh/MyMachine.id.rsa type 0
debug1: identity file /home/user/.ssh/MyMachine.id.rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version dropbear_2017.75
debug1: compat_banner: no match: dropbear_2017.75
debug1: Authenticating to 12.34.56.78:22222 as 'user'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha...@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression:
none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression:
none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:<alphanumeric string w special chars
here>
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host '[12.34.56.78]:22222' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:95
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/user/.ssh/MyMachine.id.rsa RSA SHA256:<long
alphanumeric string here> explicit agent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/MyMachine.id.rsa RSA
SHA256:<long alphanumeric sequence here> explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password
user@12.34.56.78's password
I have an ~/.ssh config and I do have stipulated there under the vps entry
HostkeyAlgorithms +ssh-rsa and PubkeyAcceptedAlgorithms +ssh-rsa, as can
be seen below:
Host vps
Hostname 12.34.56.78
Port 22222
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
IdentityFile /home/user/.ssh/MyMachine.id.rsa
I did recently install on the client system keychain, since I had
generated a new ecdsa (ed25519) key set on this machine for other
purposes. keychain has not been configured to save that key in memory,
but rather the rsa key stipulated in the config.
I suppose the quick and sure-fire way to address the issue I'm having
would be to generate new keys, as suggested by Konstantin. I decided I
might first try to gain some understanding of why the issue cropped up
since, if it will happen again in the future, a better understanding of
what's gone wrong could be helpful. But I do need to admit that my
understanding of authentication/encryption is quite limited, so perhaps I
will be unable to retain much of whatever I might learn about the current
issue.
In response to Fabricio's suggestion of compiling a newer version of
Dropbear, that is precluded by 2 factors: 1) I have no toolchain installed
on the vps and, 2) that is by intention, since system resources are so
paltry that compiling software there would be an iffy proposition. That
said I suppose I could scour the interwebs for a static/standalone
dropbear binary that uses uclibc or something, or perhaps compile my own
on a better-endowed host.
Further input will be appreciated.
Thanks
On Sat, 25 Jun 2022, Matt Johnston wrote:
-- Delivered via SpamCon Foundation DEA: http://dea.spamcon.org
-- Replies will be sent to m...@ucc.asn.au
-- Additional Info: http://dea.spamcon.org/i/?v=134557338
On 2022-06-25 7:49 am, James Miller wrote:
I set up a small low-resource VPS a few years ago to use mainly as a
light-use xmpp server. I got Dropbear operating there so I could admin
it. Dropbear seemed a good choice since system resources were so
anemic. I recall it being quite challenging to get key-pair
authentication to finally work there, though I can't recall many
details about how I finally succeeded.
Most likely would be OpenSSH requiring sha2 for RSA signatures. If you can
use
ecdsa keys instead those should work OK.
Alternatively to keep using RSA, set
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
in your .ssh/config for the client which will allow the older sha1 RSA
signatures.
Which OpenSSH version is it? https://www.openssh.com/releasenotes.html has
details
of what has been deprecated.
Matt
The VPS runs Ubuntu 16.04 (EMS), so the version of Dropbear there is a
bit outdated (v2017.75). Since that release was made, various changes
have happened to openssh that may, I assume, make it incompatible with
this version of Dropbear. I am using ssh when I try to connect to the
VPS, btw.
