Re: Who is the problem kid: Win10 or Fedora?
On Sun, Jul 16, 2023 at 2:29 PM Walter H. via users wrote: > > On 16.07.2023 15:11, francis.montag...@inria.fr wrote: > > > > On Sun, 16 Jul 2023 14:48:04 +0200 "Walter H. via users" wrote: > > > >> ssh -vvv didn't really give any useful hints; I guess the problem is NOT > >> caused by just the key; > > Although a ED25519 one works ? > yes this does ... > > You may perhaps find the reason in the journal of sshd on the Fedora VM. > > sshd[159804]: userauth_pubkey: signature algorithm rsa-sha2-512 not in > PubkeyAcceptedAlgorithms [preauth] > > what does this mean? The OpenSSH client tries keys in a certain order. running `ssh -vvv ` will show you the order. You can change the order with the use of IdentityFile in your SSH config file. OpenSSH will try keys in the order specified by IdentityFile's in the config file. $ cat ~/.ssh/config Host *.fsffrance.org fsffrance.org User noloader Host *.opencsw.org User jwalton Host *.home.pvt User jwalton Host * User jwalton IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ecdsa # IdentityFile ~/.ssh/id_dsa IdentityFile ~/.ssh/id_rsa Protocol 2 PreferredAuthentications publickey,password OpenSSH will parse and expand the tilde (~). Jeff ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
On Fri, Jul 14, 2023 at 11:23 AM Walter H. via users < users@lists.fedoraproject.org> wrote: > Hello, > > I've got a Win10 box und a Fedora VM > > both are latest updates / release [Win10 22H2 19045.3086 and Fedora 38] > > I was used to connect to the Fedora VM from the Win10 box > > - with the OpenSSH commands, that are nativly available in Windows > - with WinSCP > - or the ssh commands inside the WSL [Debian Distribution] > > some time ago I noticed that the used keys from the WSL don't work any > more; > > I added this inside the Fedora in the sshd_config > > HostKeyAlgorithms +ssh-rsa > > PubkeyAcceptedKeyTypes ssh-rsa > > then the login using the keys from WSL were working again; > > but why didn't this help to login using the keys via the Win 10 OpenSSH > commands; > > there I had to create new keys > > ssh-keygen -t ed25519 > > and then to modify the above addings like this: > > HostKeyAlgorithms +ssh-rsa,ssh-ed25519 > > PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519 > > the same with WinSCP, there I had to gernerate a new key, too; > > the used ssh-rsa keys are refused, even from WSL they work; > > a bit confusing/strange; > See: < https://venafi.com/blog/best-practices-ssh-key-management-what-are-your-ssh-security-risks/ > More recent ssh versions will use defaults chosen for the current risk environment, so key types and other defaults change over time. It would be unusual for WSL to be accessible from arbitrary internet sites, but that is in scope for Fedora, so you would expect Fedora defaults that increase security even if that is nor compatible with some other distributions running in WSL. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
On 16.07.2023 15:11, francis.montag...@inria.fr wrote: Hi On Sun, 16 Jul 2023 14:48:04 +0200 "Walter H. via users" wrote: ssh -vvv didn't really give any useful hints; I guess the problem is NOT caused by just the key; Although a ED25519 one works ? yes this does ... You may perhaps find the reason in the journal of sshd on the Fedora VM. sshd[159804]: userauth_pubkey: signature algorithm rsa-sha2-512 not in PubkeyAcceptedAlgorithms [preauth] what does this mean? because this is in the journal even when login by ssh with the ED25519 key ... quite strange; at the time where I noticed this unorthodox weird strange problem, the journal has this: Jul 12 02:40:42 fedoravm sshd[142305]: userauth_pubkey: signature algorithm rsa-sha2-512 not in PubkeyAcceptedAlgorithms [preauth] Jul 12 02:41:08 fedoravm sshd[142305]: Accepted password for root from win10-ipv6> Jul 12 02:41:28 fedoravm sshd[735]: Received signal 15; terminating. (I entered the password, because the key wasn't working any more) I have the workaround with the ed25519 key - if it works why not ;-) smime.p7s Description: S/MIME Cryptographic Signature ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
Hi On Sun, 16 Jul 2023 14:48:04 +0200 "Walter H. via users" wrote: > ssh -vvv didn't really give any useful hints; I guess the problem is NOT > caused by just the key; Although a ED25519 one works ? You may perhaps find the reason in the journal of sshd on the Fedora VM. Look also on the Fedora VM at: sshd -T It gives the effective (complete) configuration of sshd, ex: requiredrsasize 1024 -- francis. ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
On 14.07.2023 21:26, Barry wrote: On 14 Jul 2023, at 19:01, Walter H. via users wrote: ssh -i id_rsa youruser@fedorahost doesn't work this is quite strange; because the same keyfiles works from another Linux [not Fedora] what's causing this strange behaviour? In cases like this I run ssh with debug option to see what is happening. Try ssh -v and see of the output help point to the problem. Adding more -vvv outputs more debug details. Barry ssh -vvv didn't really give any useful hints; I guess the problem is NOT caused by just the key; I found this: https://kcore.org/2023/03/27/ssh-unifi-fedora-37/ (the key would be suitable: it is a RSA 2048 bit key) but I don't want to set the crypto policies on the Fedora VM to LEGACY for connecting to the Fedora VM I created an ED25519 key (https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement) and now it works: the RSA key to the other Linux VMs and the ED25519 key just to the Fedora VM; but quite strange phenomen; Walter smime.p7s Description: S/MIME Cryptographic Signature ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
On Fri, Jul 14, 2023 at 2:01 PM Walter H. via users wrote: > > On 14.07.2023 18:23, francis.montag...@inria.fr wrote: > > Hi. > > > > On Fri, 14 Jul 2023 16:22:56 +0200 "Walter H. via users" wrote: > > > >> I added this inside the Fedora in the sshd_config > >> HostKeyAlgorithms +ssh-rsa > >> PubkeyAcceptedKeyTypes ssh-rsa > >> then the login using the keys from WSL were working again; > >> but why didn't this help to login using the keys via the Win 10 OpenSSH > >> commands; > > Since openssh-8.8p1-7.fc37 there is also a requirement on the length of > > the rsa keys. > > > > Tru to add: > > > >RequiredRSASize 1024 > this didn't make an effekt; > > Or redo your rsa key with a biger size. > > > the key used with WinSCP already 2048-bit > > and now the confusing thing > > a regenerated a rsa key with bigger size > > in case someone has such setup: a Win10 and a Fedora 38 can try this ... > > adding this > > ssh-rsa > [...] > > ssh -i id_rsa youruser@fedorahost > > doesn't work > > this is quite strange; because the same keyfiles works from another > Linux [not Fedora] > > what's causing this strange behaviour? If authorized_keys is working on other machines... What permissions on $HOME/.ssh ? Or, do a "chmod -R o-rwx $HOME/.ssh" "Other" will cause the sshd daemon to refuse to use authorized_keys. Jeff ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
> On 14 Jul 2023, at 19:01, Walter H. via users > wrote: > > ssh -i id_rsa youruser@fedorahost > > doesn't work > > this is quite strange; because the same keyfiles works from another Linux > [not Fedora] > > what's causing this strange behaviour? In cases like this I run ssh with debug option to see what is happening. Try ssh -v and see of the output help point to the problem. Adding more -vvv outputs more debug details. Barry ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
On 14.07.2023 18:23, francis.montag...@inria.fr wrote: Hi. On Fri, 14 Jul 2023 16:22:56 +0200 "Walter H. via users" wrote: I added this inside the Fedora in the sshd_config HostKeyAlgorithms +ssh-rsa PubkeyAcceptedKeyTypes ssh-rsa then the login using the keys from WSL were working again; but why didn't this help to login using the keys via the Win 10 OpenSSH commands; Since openssh-8.8p1-7.fc37 there is also a requirement on the length of the rsa keys. Tru to add: RequiredRSASize 1024 this didn't make an effekt; Or redo your rsa key with a biger size. the key used with WinSCP already 2048-bit and now the confusing thing a regenerated a rsa key with bigger size in case someone has such setup: a Win10 and a Fedora 38 can try this ... adding this ssh-rsa B3NzaC1yc2EDAQABAAABgQDvlr2hpBHzPckf+C8Wr4VqzOozGVFam4Rw4cWfZs7ak6EfF76jnAQ1D2UkSoUUz3lK/z35ks+XuNxZrvW0OxnVbeHMUnnnklrWh8KSswoAgJ0xgsRfldyv4OMoLcaxDO0flVJ7+Xlk3ypgrzO/4fHT3JLkrf5oM7nLvPAq3y3rq1G/nY7jo9v6eRav5d75hQTvyEinkvho94QNtXHUEihoUc0P64QsegN+LI6LC6xrDrA4pRbxgVkQABr5wemukn5li51OCqaLeXOh+wbvVxp5yA9lhhkyJxt05QrT3hq10Lm93Xq/CxmczuwHbtOee3MKLRu+csxjLkLdKK5hkcPwOZCU7ucQEKRs1X6y4gAaEmO5b/ijxeVKbwB+imGYg9+CuSPPxpHj9J2ArQtDSivEQ94AicbZPoNU8oeHwE0CXbYfrF89Ocv6bE70WRUcI82TM6T9ZgFa9Ko9va8JwLEZjorqYQJ7/NkMG9G7XhbyV6mD8/xRWOYzaYz23hngK70= Test-Key to /home/youruser/.ssh/authorized_keys and this private key -BEGIN OPENSSH PRIVATE KEY- b3BlbnNzaC1rZXktdjEABG5vbmUEbm9uZQABAAABlwdzc2gtcn NhAwEAAQAAAYEA75a9oaQR8z3JH/gvFq+FaszqMxlRWpuEcOHFn2bO2pOhHxe+o5wE NQ9lJEqFFM95Sv89+ZLPl7jcWa71tDsZ1W3hzFJ555Ja1ofCkrMKAICdMYLEX5Xcr+DjKC 3GsQztH5VSe/l5ZN8qYK8zv+Hx09yS5K3+aDO5y7zwKt8t66tRv52O46Pb+nkWr+Xe+YUE 78hIp5L4aPeEDbVx1BIoaFHND+uELHoDfiyOiwusaw6wOKUW8YFZEAAa+cHprpJ+ZYudTg qmi3lzofsG71caecgPZYYZMicbdOUK094atdC5vd16vwsZnM7sB27TnntzCi0bvnLMYy5C 3SiuYZHD8DmQlO7nEBCkbNV+suIAGhJjuW/4o8XlSm8AfophmIPfgrkjz8aR4/SdgK0LQ0 orxEPeAInG2T6DVPKHh8BNAl22H6xfPTnL+mxO9FkVHCPNkzOk/WYBWvSqPb2vCcCxGY6K 6mECe/zZDBvRu14W8lepg/P8UVjmM2mM9t4Z4Cu9AAAFkFzozCNc6MwjB3NzaC1yc2 EAAAGBAO+WvaGkEfM9yR/4LxavhWrM6jMZUVqbhHDhxZ9mztqToR8XvqOcBDUPZSRKhRTP eUr/PfmSz5e43Fmu9bQ7GdVt4cxSeeeSWtaHwpKzCgCAnTGCxF+V3K/g4ygtxrEM7R+VUn v5eWTfKmCvM7/h8dPckuSt/mgzucu88CrfLeurUb+djuOj2/p5Fq/l3vmFBO/ISKeS+Gj3 hA21cdQSKGhRzQ/rhCx6A34sjosLrGsOsDilFvGBWRAAGvnB6a6SfmWLnU4Kpot5c6H7Bu 9XGnnID2WGGTInG3TlCtPeGrXQub3der8LGZzO7Adu0557cwotG75yzGMuQt0ormGRw/A5 kJTu5xAQpGzVfrLiABoSY7lv+KPF5UpvAH6KYZiD34K5I8/GkeP0nYCtC0NKK8RD3gCJxt k+g1Tyh4fATQJdth+sXz05y/psTvRZFRwjzZMzpP1mAVr0qj29rwnAsRmOiuphAnv82Qwb 0bteFvJXqYPz/FFY5jNpjPbeGeArvQMBAAEAAAGBAJQVrLHK0hlxF+39nUU9SY5gh2 T8Ag+pzetjcJ18kuAAnXa1W2yOkv8ku9P5h1X8grC7IFgwyMSzSubXwCAc43PKjeSXGafr CuBMWxQHO2hiFkay16No4lWG/4AnAwcNwUZjKe9cnA6f7PaDc83m3myfid90N6m6Rt1Js3 wcI6rlYgq4XMgQ0Hd4/m/L+cxpzkpSla2VpppiWimK+4cjjfwki0WKwVAoPh5vdc81cOVe 18a7K3osA5tjJUk39LKk8e6sd9DmMcH9c8XRzvNWSITgOgB6TU9vSphQsXogJbCIc/wicN WpYep73JlOMOXxeKrCgrPB2Nq45dDzGsbfyplqClHKLP3eytoeq4QW8EEzuJZ3mxFYq7Fo 5T1wCC5NBEN4KZNAGc2SLZaVSSUR7LztDGsW3v1P9mYRXZ0j9p75O6gzLzH5Eq1HVCvQFV 0Gx9M72sJ8vxGarlRANjtve/rWeyE0qukfEtDVxzEjTFgdYjGEfF5QnF0igBrYD282dQAA AMAlpmu0IjtvkcpMXmXlE6pYQLRD9k6U2Os9FpA0Wmk2/UquH/oOspAqu34Dx//9JfC/ds TfhHI+McF88eAX0qqv9TfNXlVF9pmmq5CBHydxItQ+LvmmlfXRxCCfbbPiN4rUcfiNqGyM 4dI9JAx+oGmrCimsf1wYDWCtcRVSm8AmgqmQCO8Iq2kRdSZdAIMdQTH/YNGpvySD4doXxp oP4+BzH463Q3KznKVQjGn6uxPMONUCTt/XL6y/lMZTxvTNH0MAAADBAPtsnxH9qTmlaqPJ 7DfAe3xei6hMh/0lDLl3MR2eoVQD7fLPwZFnaA9EXSCrE1W6Z0K9uhTmUChsLLT5uSExWY YgTq2KIbDZxSff3R0IHlU7MTnFEDifAv84gHIOG/JFPutB8JQJ3YSiaoNb4d/+wXX7SpRa JrjG/m42G8PJYobC6ZT7ARB9C6/uTme67NxsFpxoUXxbUfWufsS4f4H/PJknR4/0QsQrLm Zglhi3kC/NHLZppzz3U0nJDr/1cQmxJwAAAMEA8/L6bxpQZLxui62OpF46wvyA5aa9CYX6 ljjYxxfEdUVLUzASek4BOOtT8slS77+oeRrtAgr0hND1zm9if1AYP4lUb1TaQKi1NgW0eh 9y+vIFLXNsEZANl0TkjuuHqJnIK4td28JI4rl3G1s2RzifAIS+06dOCvkkW8AYRsbA55Zb wrAohJHMCZY60vteRUp2ry3g8PBIjllDPGi28uyHY8PX7F13dsmSOlcH5RhDNDZq6PBrF9 Nb+0+T8KsglEJ7FXdhbHRlckBXMTBXQUxESTAxLVcwMQECAwQF -END OPENSSH PRIVATE KEY- ssh -i id_rsa youruser@fedorahost doesn't work this is quite strange; because the same keyfiles works from another Linux [not Fedora] what's causing this strange behaviour? Walter smime.p7s Description: S/MIME Cryptographic Signature ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
Hi. On Fri, 14 Jul 2023 16:22:56 +0200 "Walter H. via users" wrote: > I added this inside the Fedora in the sshd_config > HostKeyAlgorithms +ssh-rsa > PubkeyAcceptedKeyTypes ssh-rsa > then the login using the keys from WSL were working again; > but why didn't this help to login using the keys via the Win 10 OpenSSH > commands; Since openssh-8.8p1-7.fc37 there is also a requirement on the length of the rsa keys. Tru to add: RequiredRSASize 1024 Or redo your rsa key with a biger size. -- francis ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Who is the problem kid: Win10 or Fedora?
On Fri, Jul 14, 2023 at 10:23 AM Walter H. via users wrote: > > I've got a Win10 box und a Fedora VM > > both are latest updates / release [Win10 22H2 19045.3086 and Fedora 38] > > I was used to connect to the Fedora VM from the Win10 box > > - with the OpenSSH commands, that are nativly available in Windows > - with WinSCP > - or the ssh commands inside the WSL [Debian Distribution] > > some time ago I noticed that the used keys from the WSL don't work any more; > > I added this inside the Fedora in the sshd_config > > HostKeyAlgorithms +ssh-rsa > > PubkeyAcceptedKeyTypes ssh-rsa > > then the login using the keys from WSL were working again; > > but why didn't this help to login using the keys via the Win 10 OpenSSH > commands; > > there I had to create new keys > > ssh-keygen -t ed25519 > > and then to modify the above addings like this: > > HostKeyAlgorithms +ssh-rsa,ssh-ed25519 > > PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519 > > the same with WinSCP, there I had to gernerate a new key, too; > > the used ssh-rsa keys are refused, even from WSL they work; > > a bit confusing/strange; Personally, I would not worry too much about the key and algorithm gyrations. The weaker keys are the DSA keys, and they were disabled by default around OpenSSH 8.0, iirc. With that said, I have ed25519, ecdsa and rsa keys. I keep rsa keypair in case I get on an old system. My ssh config looks like: $ cat ~/.ssh/config Host *.fsffrance.org fsffrance.org User noloader Host *.opencsw.org opencsw.org User jeff Host *.home.pvt User jwalton Host * User jwalton IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_ecdsa # IdentityFile ~/.ssh/id_dsa IdentityFile ~/.ssh/id_rsa Protocol 2 PreferredAuthentications publickey,password I'm not sure about your other problems, like WinSCP. I don't use it. Jeff ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Who is the problem kid: Win10 or Fedora?
Hello, I've got a Win10 box und a Fedora VM both are latest updates / release [Win10 22H2 19045.3086 and Fedora 38] I was used to connect to the Fedora VM from the Win10 box - with the OpenSSH commands, that are nativly available in Windows - with WinSCP - or the ssh commands inside the WSL [Debian Distribution] some time ago I noticed that the used keys from the WSL don't work any more; I added this inside the Fedora in the sshd_config HostKeyAlgorithms +ssh-rsa PubkeyAcceptedKeyTypes ssh-rsa then the login using the keys from WSL were working again; but why didn't this help to login using the keys via the Win 10 OpenSSH commands; there I had to create new keys ssh-keygen -t ed25519 and then to modify the above addings like this: HostKeyAlgorithms +ssh-rsa,ssh-ed25519 PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519 the same with WinSCP, there I had to gernerate a new key, too; the used ssh-rsa keys are refused, even from WSL they work; a bit confusing/strange; Walter smime.p7s Description: S/MIME Cryptographic Signature ___ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue