https://bugzilla.mindrot.org/show_bug.cgi?id=3615
--- Comment #14 from Darren Tucker <[email protected]> ---

(In reply to Richard Kreutzer from comment #12)
> OK, for the sake of simplicity, I have tested with rsa only...
>
> Here is basement-gentoo:/etc/ssh/ssh_host_rsa_key.pub
> basement-gentoo.krautclan.com ssh-rsa [...]

That's wrong, the host public keys don't have the name in them, only when you add them to known_hosts. I'm not sure if that'll actually cause a problem since the public key can be derived from the private key, but still I'd change it back...

> Here is gemini:/etc/ssh/ssh_known_hosts
>
> basement-gentoo.krautclan.com ssh-rsa [...]

This format is right.

It's hard to tell what happened without the client side debugging, but it looks like the client did not try hostbased for some reason.

> debug3: append_hostkey_type: ssh-rsa key not permitted by
> HostkeyAlgorithms [preauth]

That's a wrinkle: ssh-rsa *keys* are also usable by the SHA2-based RSA *algorithms* such as rsa-sha2-512 which are enabled by default. It is one more variable though.

Here's what I suggest to reduce the number of variables:

- test only with ssh-ed25519 keys since those have only one algorithm
- keep HostbasedUsesNameFromPacketOnly yes and PreferredAuthentications=hostbased
- put two entries in ssh_known_hosts for your FQDN both with and without a trailing dot
- always use the FQDN on the SSH command line, since "ssh ... gemini" would likely mean you're sending it without the domain name, and since you have HostBasedUsesNameFromPacket that won't match the ssh_known_hosts entry (again, without the client side debugging it's hard to tell).

then once you get it working, start changing one thing at a time until you get it to the config you want (eg by adding "Hostname $your_fqdn" to your ~/.ssh/config).

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
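The two file formats the comment contrasts (a host public key file with no hostname, an ssh_known_hosts line that starts with one) and the FQDN-versus-short-name mismatch can be checked mechanically. The POSIX sh below is an added example, not code from the bug thread or from OpenSSH: it validates a host key line, emits the two ssh_known_hosts entries (FQDN with and without trailing dot) the comment recommends, and shows that a lookup by the short name "basement-gentoo" finds nothing. The key material is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the bug thread). Host public key files hold
# "<keytype> <base64> [comment]" with no hostname; ssh_known_hosts lines
# hold "<hostname[,hostname...]> <keytype> <base64>".

# Constructed sample key line: the base64 body is a placeholder, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyPlaceholder0000000000000000000000000 root@basement-gentoo'
# Same key with a hostname prepended, i.e. the mistake the comment points out.
BAD_KEY='basement-gentoo.krautclan.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyPlaceholder0000000000000000000000000'

# Return 0 if $1 looks like a host public key line: a known key type first,
# then a base64 blob. A leading hostname makes the first field unrecognised.
hostkey_line_ok() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*" "*|"sk-"*" "*) ;;
        *) return 1 ;;
    esac
    set -- $1
    case "$2" in
        *[!A-Za-z0-9+/=]*|"") return 1 ;;   # second field must be base64 only
    esac
    return 0
}

# Print ssh_known_hosts entries for FQDN $1 from key line $2, once with the
# FQDN as given and once with a trailing dot. The key comment is dropped.
known_hosts_entries() {
    fqdn=$1
    hostkey_line_ok "$2" || return 1
    set -- $2
    printf '%s %s %s\n%s. %s %s\n' "$fqdn" "$1" "$2" "$fqdn" "$1" "$2"
}

# Return 0 if known_hosts file $1 has a plain (unhashed) entry whose host list
# contains exactly $2. Hashed |1| entries are not handled here.
known_hosts_matches() {
    awk -v h="$2" '
        $1 ~ /^\|/ { next }
        { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
        END { exit !found }' "$1"
}

# Usage: build a scratch ssh_known_hosts and try both name forms.
if [ -z "$SSH_EXAMPLE_NO_MAIN" ]; then
    KH=$(mktemp)
    known_hosts_entries basement-gentoo.krautclan.com "$SAMPLE_KEY" > "$KH"
    cat "$KH"
    known_hosts_matches "$KH" basement-gentoo.krautclan.com && echo "FQDN matches"
    known_hosts_matches "$KH" basement-gentoo || echo "short name does not match"
    rm -f "$KH"
fi
```

Running it prints the two generated lines, then "FQDN matches" and "short name does not match", which is the mismatch the comment predicts when "ssh ... gemini" sends the unqualified name while ssh_known_hosts carries only the FQDN.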
