• [6.10.0-rc8] RSA and DSA SSH keys do not work


    MammothJerk
    • Solved Minor

    I have no issues in 6.9.2, but as soon as I upgraded to 6.10.0-rc4 I started having this issue.

     

    Trying to connect to SSH via PuTTY gives me this error:

    Using username "root".
    Server refused our key
    Keyboard-interactive authentication prompts from server:
    | Password:

     

    I tried twice recreating the private/public key pairs in PuTTYgen, changing the .ssh/authorized_keys file in Unraid, and changing the auth in PuTTY on my PC.

     

    No change.

     

    I've tried to change the authorized keys field in the root user but it always tells me the syntax is incorrect.


    The key has no line breaks and there is a space between ssh-rsa and AAAA.




    User Feedback

    Recommended Comments

    You get invalid key, because your key syntax is not correct.

    It is missing a username@systemname reference, e.g. root@tower, which is added after the key value.

     

    See ssh-keygen for correct generation of ssh keys.

     

    Link to comment

    I tried from scratch 4 times using the rsa algorithm in ssh-keygen with no success.

     

    I switched to the ed25519 algorithm with ssh-keygen and it worked on the first try.

     

    This is the guide I used a couple of years ago when I set up my server.

    (I believe it's the one I used since it looks familiar, but I'm not 100% sure if I did something different.)

    Any reason why this would no longer be working in 6.10.0?

    Edited by MammothJerk
    Link to comment
    On 5/1/2022 at 4:59 AM, MammothJerk said:

    I tried from scratch 4 times using the rsa algorithm in ssh-keygen with no success.

     

    Please post the output of the command you are trying

    Link to comment
    On 5/14/2022 at 1:41 PM, bonienl said:

     

    Please post the output of the command you are trying

    C:\Users\MammothJerk>ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (C:\Users\MammothJerk/.ssh/id_rsa): snorlax2_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in snorlax2_rsa.
    Your public key has been saved in snorlax2_rsa.pub.
    The key fingerprint is:
    SHA256:Lc5lmQK/eWJJeYJ6ozHTK9P9r23DeMx+PWRyi4l3NS0 MammothJerk@PUPITAR
    The key's randomart image is:
    +---[RSA 3072]----+
    |                 |
    |                 |
    |      .          |
    |       + o o     |
    |      . S B     .|
    |     o + @   .E=o|
    |    =.+.O .=. Bo+|
    |    o*.+.o.oB+.+.|
    |    .o.  .o*=o. .|
    +----[SHA256]-----+

     

    I then use PuTTYgen to convert the OPENSSH PRIVATE KEY to a .ppk for use in PuTTY.

     

    In PuTTY:

    I add root to username under Connection>Data.

    I then add the .ppk to the Connection>SSH>Auth>file field.

     

    I add the public key to "SSH authorized keys" under user root and hit save.

     

    I was curious so I also tried DSA and ECDSA.

    ECDSA worked, DSA did not. I sanity checked myself and tested DSA again and it did not work.

    And again I created an ED25519 key and it worked on the first try.

     

    ECDSA and ED25519 work, RSA and DSA do not work.

     

    Running rc8

    Edited by MammothJerk
    Link to comment
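
Added example (not part of any post in this thread): OpenSSH 8.8 and later no longer accept the SHA-1 based `ssh-rsa` signature algorithm by default, and `ssh-dss` has been disabled by default since 7.0, which is consistent with the RSA/DSA versus ECDSA/ED25519 split reported above. The script lists the key type of each entry in an authorized_keys file; the function name, verdict strings and sample entries are constructed for illustration.

```shell
#!/bin/bash
# Added example: report the key type of every authorized_keys entry.
# Prints "<line number> <key type> <verdict>" for each non-comment line.
audit_authorized_keys() {
    local file=$1 n=0 line type blob verdict
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # blank line or comment
        type=none; blob=
        set -f; set -- $line; set +f               # split on whitespace, no globbing
        while [ $# -gt 0 ]; do                     # skip leading options such as from="..."
            case $1 in
                ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*|sk-*)
                    type=$1; blob=${2:-}; break ;;
            esac
            shift
        done
        case $type in
            ssh-dss) verdict=disabled-by-default ;;
            ssh-rsa) verdict=needs-rsa-sha2-client ;;
            none)    verdict=no-key-type-found ;;
            *)       verdict=accepted-by-default ;;
        esac
        # A public key blob is base64 of a length-prefixed string,
        # so a well-formed one always begins with "AAAA".
        case $blob in AAAA*) ;; *) [ "$type" = none ] || verdict=malformed-blob ;; esac
        printf '%s %s %s\n' "$n" "$type" "$verdict"
    done < "$file"
}

# Constructed sample entries (placeholder blobs, not real keys).
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample for root
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED root@tower
ssh-dss AAAAB3NzaC1kc3MAAACBCONSTRUCTED root@tower
from="192.0.2.*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED root@tower
ssh-rsaAAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED root@tower
EOF
audit_authorized_keys "$sample"
```

An `ssh-rsa` entry is not rejected because of the key itself: the same key is accepted when the client signs with `rsa-sha2-256` or `rsa-sha2-512`, which is consistent with the later report in this thread of one RSA key working from newer clients and failing from an older one.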

    I ran into this as well with 6.10.  Unfortunately, my Unifi UDM-Pro doesn't let me use anything but RSA.  You can add "-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa" without the quotes after SSH or SCP commands to go back to prior usage. 

     

    Obviously not as secure as some other algorithms, but Unifi doesn't seem to care...  https://community.ui.com/questions/SSH-Weak-Key-Exchange-Algorithms-diffie-hellman-group1-sha1/7b23bfc9-1482-4b65-bdea-b34968216b29

    Link to comment
    23 hours ago, knaack said:

    I ran into this as well with 6.10.  Unfortunately, my Unifi UDM-Pro doesn't let me use anything but RSA.  You can add "-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa" without the quotes after SSH or SCP commands to go back to prior usage. 

     

    Obviously not as secure as some other algorithms, but Unifi doesn't seem to care...  https://community.ui.com/questions/SSH-Weak-Key-Exchange-Algorithms-diffie-hellman-group1-sha1/7b23bfc9-1482-4b65-bdea-b34968216b29

     

    Thanks for this solution.  I want to add to release notes.  Can you provide a command example?  Also those settings could be put into sshd_conf file as well correct?

    Link to comment

    You can use PuttyGen. Just add <user>@TOWER to the key comment section. Replace <user> with a valid user on your Unraid box. Or use ssh-keygen like this.

    ssh-keygen -t ed25519 -C "<user>@TOWER"

    Then in PuttyGen, Conversions -> Import key -> Save private key, to generate a ppk file for Putty.

    Link to comment
    2 minutes ago, jsc0 said:

    Replace <user> with a valid user on your Unraid box

    The only valid ssh user on Unraid is root. 

    Link to comment

    Is there a workaround that doesn't involve having to generate a new key? I'd like to continue using the same key I have on the various different machines that I connect from.

     

    I just upgraded from 6.9.2 to 6.10.3 and can no longer ssh into my Unraid server from my MacBook Air  (High Sierra)

    I realize that the algorithm I use is outdated (2048 SHA256). My pub key in the Users->root>SSH authorized keys starts with ssh-rsa. I changed the ending comment to read root@Tower where Tower is the hostname of the Unraid server as the comments above suggested but it still doesn't work.

     

    I tried this: (since -oPubkeyAcceptedAlgorithms was not recognized on my system) (tower is set to my IP address in /etc/hosts)

    ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa root@tower
    ssh_exchange_identification: Connection closed by remote host

     

    I tried changing sshd_config on the server to include these options based on some post I saw online:

     

    RSAAuthentication yes
    PubkeyAuthentication yes
    HostKeyAlgorithms=ssh-rsa,[email protected]
    PubkeyAcceptedAlgorithms=+ssh-rsa,[email protected]

     

    in /boot/config/ssh/sshd_config and restarted the ssh server using /etc/rc.d/rc.sshd restart

    But that didn't work.

     

    I then found that ssh'ing from my modern M1 MacBook Pro (Ventura) worked. I then reverted all my server changes including the comment at the end of the public key. ssh still worked from my new MacBook Pro. I also confirmed that it works from my Ubuntu 18 machine.

     

    Is there anything I can do to enable SSH from my old MacBook Air on High Sierra (macOS 10.13.6)?

     

     

    Edited by frakman1
    Link to comment

    In case anyone else sees the above and thinks this is not possible / a dead end, see what I did.

    I am on 6.11.5. I also have keys generated in 2019 that I wanted to continue using. 

     

    1.  Add the block @frakman1 mentioned: 

     

    RSAAuthentication yes 
    PubkeyAuthentication yes 
    HostKeyAlgorithms=ssh-rsa,[email protected] 
    PubkeyAcceptedAlgorithms=+ssh-rsa,[email protected]

     

    to your /etc/ssh/sshd_config 

     

    I added it after line 34 (PermitRootLogin yes) because there are certain blocks in the file, like the end, where it can't be added. You can't just append the above to the file.

     

    2. Restart the sshd. /etc/rc.d/rc.sshd restart

     

    RSA keys should work now. 

     

    If you want this to stay in effect for every boot:

     

    1. First, copy the new config file you generated to somewhere it will stick around (Unraid runs in RAM).

    I copied mine to the ssh folder of /boot/config (the USB key) because that should (?) be persistent.

    cp -p /etc/ssh/sshd_config /boot/config/ssh/

    2. Get the Userscripts plugin

    3. Create a new script, use these contents:

    #!/bin/bash
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-`date +%d-%m-%Y%H%M%S`
    
    cp -p /boot/config/ssh/sshd_config /etc/ssh/sshd_config
    
    /etc/rc.d/rc.sshd restart

     

    This just copies the file into place and restarts the sshd service.

    4. Set the script to run "on array start". 

    Bing bang boom, should be good to go.. I haven't tested a reboot though. Don't feel like resetting my uptime :)

    • Like 1
    Link to comment
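
Added example, not the poster's script: the boot-time copy above overwrites the live config and restarts sshd unconditionally, so a persisted file that sshd cannot parse would leave the server without SSH. This variant checks the file with `sshd -t` before installing it; `install_sshd_config`, the `SSHD_BIN` override and the `--apply` switch are hypothetical names, and `/usr/sbin/sshd` is an assumed path.

```shell
#!/bin/bash
# Added example: install a persisted sshd_config only if sshd accepts it.
# SSHD_BIN is a hypothetical override (useful for testing); the default
# path /usr/sbin/sshd is an assumption about the system.
install_sshd_config() {
    local src=$1 dst=$2 sshd=${SSHD_BIN:-/usr/sbin/sshd}
    [ -r "$src" ] || { echo "missing $src" >&2; return 2; }
    # sshd -t parses the file and checks host keys without starting a
    # daemon; a non-zero exit means the live config must be left alone.
    if ! "$sshd" -t -f "$src"; then
        echo "refusing to install $src: sshd -t rejected it" >&2
        return 1
    fi
    # Keep a timestamped backup of the file being replaced.
    [ -e "$dst" ] && cp -p "$dst" "$dst.bak-$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dst"
}

# Restart only after a successful install (paths are the ones from the post).
if [ "${1:-}" = "--apply" ]; then
    install_sshd_config /boot/config/ssh/sshd_config /etc/ssh/sshd_config &&
        /etc/rc.d/rc.sshd restart
fi
```

Run with `--apply` from the "on array start" script; without it the file only defines the function.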

