2

SSH flat out ignores the identity file I've specified in my .ssh/config file and will not use that key to authenticate with my work server. This is my config file:

Host *
    # This is to fix check_host_cert: certificate signature algorithm ssh-rsa: signature algorithm not supported
    # I tried putting this under *.work but it didn't work, so I put it under *
    CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Host *.work
    ProxyJump bastion.work.com
    User myusername
    IdentityFile ~/.ssh/work

Compression yes

This exact same configuration works on my Ubuntu 18.04 installation but will not work on my Ubuntu 20.04 Windows 10 subsystem at all. I ran ssh with -vvv and I can see that it reads the config file and recognises the key but doesn't try it:

debug1: Reading configuration data /home/myusername/.ssh/config
debug1: /home/myusername/.ssh/config line 1: Applying options for *
debug1: /home/myusername/.ssh/config line 4: Applying options for *.work
debug1: Reading configuration data /etc/ssh/ssh_config
...
debug1: identity file /home/myusername/.ssh/work type 0
debug1: identity file /home/myusername/.ssh/work-cert type -1
...
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myusername/.ssh/id_rsa
debug3: no such identity: /home/myusername/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_dsa
debug3: no such identity: /home/myusername/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ecdsa
debug3: no such identity: /home/myusername/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ecdsa_sk
debug3: no such identity: /home/myusername/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ed25519
debug3: no such identity: /home/myusername/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_ed25519_sk
debug3: no such identity: /home/myusername/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/myusername/.ssh/id_xmss
debug3: no such identity: /home/myusername/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
myusername@bastion.work.com: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host

It just never tries /home/myusername/.ssh/work. How can I explicitly ask ssh to use it?

EDIT: From today (01/07/20) the exact same issue has started happening on my Ubuntu 18.04 installation too. Has something changed in OpenSSL?

EDIT (17/06/21): I should mention that some time later the issue just happened to disappear on its own, but maybe this question will be useful to other people.

Nobilis
  • 211
  • Please, [edit] the question and post the output of ls -lar ~/.ssh. You should have octal permissions 700 (drwx------) for the directories and 600 (-rw-------) for the files. – pa4080 Oct 21 '20 at 21:06

3 Answers

0

https://help.okta.com/en/prod/Content/Topics/Adv_Server_Access/docs/sftd-ubuntu.htm

For servers running Ubuntu 20.04, you have to allow certificate authorities (CAs) to use the ssh-rsa algorithm to sign certificates. To do this, add the following line to your OpenSSH daemon file (which is either /etc/ssh/sshd_config or a drop-in file under /etc/ssh/sshd_config.d/)

To fix it, add the following 2 lines to /etc/ssh/sshd_config:

TrustedUserCAKeys /etc/ssh/xxxxxxx

CASignatureAlgorithms +ssh-rsa

Replace xxxxxxx with the public key file you can find in /etc/ssh.

0

You need to also enable IdentitiesOnly yes in your host's configuration file. This will ensure that ssh uses that key, and that key only. Otherwise, it will try other keys and the remote machine will likely reject authorization after a number of failed keys.

See this example for additional information.

You can also enable this for all hosts by putting the following at the bottom of your .ssh/config file:

Host *
IdentitiesOnly yes

If you look at /etc/ssh/ssh_config, which is pulled in and shown in your verbose logs, we can see it has default keys to try:

$ cat /etc/ssh/ssh_config | grep Identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519

You may find more or less, but if any other keys are pulled in, setting IdentitiesOnly for the host will help.


Instead of copying keys to another machine, each machine should generate and use its own keys. Be sure to remove old keys and add new keys on hosts, and watch the host's log for debugging.

earthmeLon
  • 11,247
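The question's config and the IdentitiesOnly advice above both come down to which Host blocks ssh applies to a given hostname and which identity files it ends up offering. The following is an added example, not code from the question, the answers or OpenSSH: a deliberately simplified reimplementation of the client's ssh_config resolution rules (Host patterns with * and ? and ! negation; first obtained value wins; IdentityFile accumulates; built-in default identity files used only when none is configured). It ignores Match, Include, %-tokens and hostname canonicalization. The sample config is constructed from the question plus the answer's trailing `Host *` / `IdentitiesOnly yes` block; the hostnames `*.work` and `bastion.work.com` are the question's. On a real machine the equivalent check is `ssh -G hostname`, which prints the effective configuration OpenSSH itself computed.

```python
"""Simplified ssh_config resolution (example code; not OpenSSH's implementation)."""
import fnmatch
from typing import Dict, List

# Constructed sample: the question's config plus the answer's IdentitiesOnly block.
SAMPLE_CONFIG = """\
Host *
    CASignatureAlgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Host *.work
    ProxyJump bastion.work.com
    User myusername
    IdentityFile ~/.ssh/work
    Compression yes

Host *
    IdentitiesOnly yes
"""

# Keywords whose values accumulate across matching blocks instead of first-wins.
MULTI_VALUED = {"identityfile", "certificatefile", "sendenv"}

# Identity files ssh tries when no IdentityFile applies (the ones in the question's log).
DEFAULT_IDENTITIES = [
    "~/.ssh/id_rsa", "~/.ssh/id_dsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ecdsa_sk",
    "~/.ssh/id_ed25519", "~/.ssh/id_ed25519_sk", "~/.ssh/id_xmss",
]


def host_matches(hostname: str, patterns: List[str]) -> bool:
    """A Host line applies if some pattern matches and no '!' pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(config_text: str, hostname: str) -> Dict[str, object]:
    """Walk the config top to bottom and collect the options that apply to hostname."""
    options: Dict[str, object] = {}
    active = True  # options before the first Host line apply everywhere
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(hostname.lower(), value.split())
            continue
        if not active:
            continue
        if keyword in MULTI_VALUED:
            options.setdefault(keyword, []).append(value)
        elif keyword not in options:  # first obtained value wins
            options[keyword] = value
    return options


def identities_to_try(config_text: str, hostname: str) -> Dict[str, object]:
    """Which private key files ssh would offer, and whether arbitrary agent keys may be added."""
    opts = resolve(config_text, hostname)
    files = list(opts.get("identityfile", [])) or list(DEFAULT_IDENTITIES)
    only_configured = str(opts.get("identitiesonly", "no")).lower() == "yes"
    return {"files": files, "agent_keys_allowed": not only_configured}


if __name__ == "__main__":
    for host in ("server.work", "bastion.work.com"):
        print(host, resolve(SAMPLE_CONFIG, host))
        print("  would try:", identities_to_try(SAMPLE_CONFIG, host))
```

Running it shows that `server.work` picks up `IdentityFile ~/.ssh/work`, while the jump host `bastion.work.com` matches only the two `Host *` blocks, so it falls back to the default identity list, which is exactly the sequence of `id_*` files in the question's debug output. Adding `IdentitiesOnly yes` stops ssh from also offering every key the agent holds, but it does not by itself attach an IdentityFile to a host that no block matched; that file still has to be set in a block whose Host pattern covers the name ssh is actually connecting to.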
0

For AWS LightSail:

  1. To fix it, add the following 2 lines to /etc/ssh/sshd_config:
TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub

CASignatureAlgorithms +ssh-rsa

  2. Restart:
/etc/init.d/ssh restart

Problem: Log in failed. If this instance has just started up, try again in a minute or two.

CLIENT_UNAUTHORIZED [769]

ziegel
  • 11