Mailing List Archive

Try to login: permission denied
Hi,

I've some arch linux systems running on two rasp pi's as server.
I've always been able to log in, for a year or so, and since a week
or two this is not the case anymore.

I've enabled public key auth explicitly:

PubkeyAcceptedKeyTypes ssh-rsa
PubkeyAuthentication yes

The server is running version 7.9p1

It looks like there has been introduced:
- a new required flag which I did not enable
- a bug

Does this ring any bells?

Stef
the Netherlands
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Try to login: permission denied
When I remove the

PubkeyAcceptedKeyTypes ssh-rsa

setting, I'm able to login. Huhh I've been always able to login this
way. I see a message about the semantics has been changed, but maybe
more has been changed...
I think - but that is a wild guess - that the client asks it can use
the new rsa-sha2-256/512 methods, server cannot support these cause
these are not listed in the PubkeyAcceptedKeyTypes parameter and
disconnects.

My client is also the latest openssh client, no ssh_config

Stef

Re: Try to login: permission denied
On Thu, 2018-11-22 at 04:56 +0100, Stef Bon wrote:
> When I remove the
>
> PubkeyAcceptedKeyTypes ssh-rsa
>
> setting, I'm able to login. Huhh I've been always able to login this
> way. I see a message about the semantics has been changed, but maybe
> more has been changed...
> I think - but that is a wild guess - that the client asks it can use
> the new rsa-sha2-256/512 methods, server cannot support these cause
> these are not listed in the PubkeyAcceptedKeyTypes parameter and
> disconnects.

Yes, you are right. If you specify this option, the server will reject
all the other public key algorithms, but RSA keys have been using the SHA2
signatures for some time already and they use a different "signature
type", but only a recent update made this enforced (see the release notes
for OpenSSH 7.8 [1]).

[1] http://www.openssh.com/txt/release-7.8

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
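
The situation explained in this reply can be checked for in a configuration file. The following is an added example, not part of the thread or of OpenSSH: a Python check that flags an override accepting ssh-rsa while leaving out rsa-sha2-256/rsa-sha2-512; the function names and sample configs are constructed, and Match blocks are not evaluated.

```python
# Added example (not from the thread): find sshd_config overrides that accept
# "ssh-rsa" but leave out the RSA/SHA-2 signature algorithms.
from fnmatch import fnmatchcase

OPTIONS = ("pubkeyacceptedkeytypes", "hostbasedacceptedkeytypes")
RSA_SHA2 = ("rsa-sha2-256", "rsa-sha2-512")

# Constructed sample inputs; the first mirrors the setting quoted in the thread.
SAMPLE_BROKEN = "PubkeyAuthentication yes\nPubkeyAcceptedKeyTypes ssh-rsa\n"
SAMPLE_FIXED = ("PubkeyAuthentication yes\n"
                "PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-rsa\n")


def accepted(alg, patterns):
    """ssh-style pattern list: a negated (!) match rejects, else any match accepts."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(alg, pat[1:]):
                return False
        elif fnmatchcase(alg, pat):
            hit = True
    return hit


def audit(config_text):
    """Return (line_no, option, missing_algorithms) for each risky override."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        option, value = parts[0], parts[1].strip().strip('"')
        if option.lower() not in OPTIONS or value.startswith("+"):
            continue  # "+list" extends the defaults, which keep rsa-sha2-*
        patterns = value.lstrip("-").split(",")
        if value.startswith("-"):  # "-list" removes algorithms from the defaults
            ok = lambda alg: not accepted(alg, patterns)
        else:  # a plain list replaces the defaults entirely
            ok = lambda alg: accepted(alg, patterns)
        missing = [alg for alg in RSA_SHA2 if not ok(alg)]
        if ok("ssh-rsa") and missing:
            findings.append((line_no, option, missing))
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_BROKEN, SAMPLE_FIXED):
        print(audit(text) or "ok: RSA/SHA-2 signature algorithms accepted")
```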

Re: Try to login: permission denied
Thank you for your quick reply. For me, to be frank, the documentation
should describe this big change much more explicitly. Use of bold
characters, exclamation marks etc.
should point to this big change.

Stef Bon
the Netherlands