[solved] Re: No login with Debian 12 ssh client, ssh-rsa key, Debian 8 sshd
Hi,
Jeffrey Walton wrote:
> If I am not mistaken, the problem you are experiencing is due to using
> RSA/SHA-1 on the old machine.
Max Nikulin wrote:
> My reading of /usr/share/doc/openssh-client/NEWS.Debian.gz is that ssh-rsa
> means SHA1 while the client offers SHA256 for the same id_rsa key.
Indeed NEWS.Debian.gz links
  PubkeyAcceptedAlgorithms +ssh-rsa
to RSA/SHA1.
This is the explanation why the message does not say that ssh-rsa is
disabled and why the web is so unclear about the ssh-rsa hash algorithm.
So the Debian 12 client really offered the RSA key but not in a way the
Debian 8 server could handle.
The ssh -v messages have a line
  debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5
(I wonder what the string "Debian-5" may mean. The Debian 12 machine has
  debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
So "-5" is not the Debian version.
)
NEWS.Debian.gz says
  OpenSSH has supported RFC8332 RSA/SHA-256/512
  signatures since release 7.2 and existing ssh-rsa keys will
  automatically use the stronger algorithm where possible.
So the Debian 8 sshd is too old for a better ssh-rsa handshake and the
connection might have been hijacked since 2022 "for <USD$50K".
------------------------------------------------------------------------
To my luck, this all is just for technical curiosity.
Since the better reputed ssh-ed25519 key of the Debian 12 machine is
accepted by the Debian 8 sshd, I will not use the ssh-rsa key anyways.
After my experiments I commented out the line
  PubkeyAcceptedAlgorithms +ssh-rsa
in ~/.ssh/config of the Debian 12 machine and verified that id_rsa now
again is rejected with
  debug1: send_pubkey_test: no mutual signature algorithm
Have a nice day :)
Thomas
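
Added example, not part of the message above and not Debian or OpenSSH code: a shell function that reads a captured ssh -v log and reports whether an RSA key is refused because the server predates release 7.2, the release NEWS.Debian.gz names for RSA/SHA-256/512 support. The function name, the result labels and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the three debug lines quoted in the message above.
SAMPLE_DEBIAN8='debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5
debug1: send_pubkey_test: no mutual signature algorithm'

# Constructed sample: a server new enough for rsa-sha2-256/512.
SAMPLE_MODERN='debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u2'

# diagnose_ssh_log LOGTEXT
# Hypothetical helper; prints one of these made-up labels:
#   rsa-needs-sha1  server < 7.2 and the client found no common signature
#                   algorithm, so the RSA key would only work with SHA-1
#   legacy-server   server < 7.2, no rejection seen in this log
#   other-cause     rejection seen, but the server is >= 7.2
#   ok              server >= 7.2, no rejection seen
#   unknown-server  no OpenSSH version banner found in the log
diagnose_ssh_log() {
    log=$1
    # "remote software version OpenSSH_6.7p1 Debian-5" -> "6.7"
    ver=$(printf '%s\n' "$log" |
        sed -n 's/.*remote software version OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo "unknown-server"
        return 0
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    # RFC 8332 signatures are available from OpenSSH 7.2 on.
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 2 ]; }; then
        sha2=yes
    else
        sha2=no
    fi
    if printf '%s\n' "$log" | grep -q 'send_pubkey_test: no mutual signature algorithm'; then
        rejected=yes
    else
        rejected=no
    fi
    case "$sha2:$rejected" in
        no:yes)  echo "rsa-needs-sha1" ;;
        no:no)   echo "legacy-server" ;;
        yes:yes) echo "other-cause" ;;
        yes:no)  echo "ok" ;;
    esac
}

diagnose_ssh_log "$SAMPLE_DEBIAN8"
```

To use it on a real session, pass the saved output of ssh -v as the single argument.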