SSH with key not working

Here’s what I’ve tried:

  • .ssh dir on both my Mac and the Vero are 700
  • key files on the Mac at 600
  • authorized_keys file on the Vero is 600
  • I’ve created both DSA and RSA keys. 4096
  • error being seen with -v is:
    debug1: Skipping ssh-rsa key /Volumes/home/allan/.ssh/id_rsa - not in PubkeyAcceptedKeyTypes
  • ssh -Q key on both Mac and Vero show “ssh-rsa” in the list
  • sudo journalctl
    Nov 03 12:39:20 vero sshd[2758]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
  • I’ve not changed this file: cat /etc/ssh/sshd_config shows:
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys

I can ssh to other machines using the same key pair, just not the Vero. Ideas?

First, note that the Vero is complaining about your DSS key, not the RSA key, while the Mac is complaining about an RSA key. Without more log lines for context, it’s hard to tell if the Mac is forwarding an error from the Vero, or complaining itself. Perhaps you should specify the key to use when connecting to help debug better.

I have also sometimes seen issues with line termination and the “name” (optional text after the actual key). Duplicate key names sometimes cause this kind of issue, too.

Good point. I moved the DSA key pair out of the .ssh dir and tried again.

From the Mac:

debug1: Skipping ssh-rsa key /Volumes/home/allan/.ssh/id_rsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Volumes/home/allan/.ssh/id_dsa
debug1: Trying private key: /Volumes/home/allan/.ssh/id_ecdsa
debug1: Trying private key: /Volumes/home/allan/.ssh/id_ed25519
debug1: Next authentication method: password

There is nothing in the journalctl of interest now about authentication. Just that it accepted the password.

Two other thoughts:

How many bits is your RSA key? Perhaps it is too short?

One other issue I had with Debian using newer SSH defaults is that I needed to change the KexAlgorithms to reorder them. diffie-hellman-group-exchange-sha256 was breaking my client. That doesn’t appear to be the issue here, but maybe you could check.

So where are you storing your authorized key?

~/.ssh/authorized_keys

OK, my bad. At some point I created a local .ssh/config and had this in the file:
PubkeyAcceptedKeyTypes ssh-dss

Now that should have still allowed the original id_dsa file, but who knows why it didn’t work. I created an id_ecdsa and it works. Ug.

Please provide the full output from the client side with the -v debugging option.

On OSMC, edit file /etc/default/ssh and add -d to the SSHD options and then restart ssh

sudo systemctl restart ssh

Try to log on and then run grab-logs -J on the Vero4K.

Edit: I see it seems to be ok now.
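
Added example (not posted by anyone in this thread): a small Python helper that sorts the two "not in PubkeyAcceptedKeyTypes" messages seen above by the side that produced them, and cross-checks the client's skip against the server-sig-algs line and the local .ssh/config. The function and variable names are made up for illustration, the sample lines are copied from the posts above, and it assumes a plain comma-separated PubkeyAcceptedKeyTypes value (no +, - or ^ prefix).

```python
import re

# Printed by `ssh -v`: the client's own settings exclude this key type.
CLIENT_SKIP = re.compile(
    r"debug1: Skipping (?P<type>\S+) key (?P<path>\S+) - not in PubkeyAcceptedKeyTypes")
# Logged by sshd (journalctl): the server's settings exclude this key type.
SERVER_REJECT = re.compile(
    r"sshd\[\d+\]: userauth_pubkey: key type (?P<type>\S+) not in PubkeyAcceptedKeyTypes")
# Signature algorithms the server says it accepts (seen in the client's -v output).
SERVER_ALGS = re.compile(r"server-sig-algs=<(?P<algs>[^>]*)>")
# An uncommented PubkeyAcceptedKeyTypes line in an ssh_config-style file.
CONFIG_LINE = re.compile(r"^\s*PubkeyAcceptedKeyTypes[\s=]+(?P<value>\S+)", re.I | re.M)

def diagnose(client_log, server_log="", client_config=""):
    """Return a list of (side, key_type, explanation) tuples."""
    findings = []
    algs = SERVER_ALGS.search(client_log)
    advertised = set(algs.group("algs").split(",")) if algs else set()
    cfg = CONFIG_LINE.search(client_config)
    # Assumption: plain list only; +/-/^ modifiers are not interpreted here.
    allowed = cfg.group("value").split(",") if cfg and cfg.group("value")[0] not in "+-^" else None
    for m in CLIENT_SKIP.finditer(client_log):
        key_type = m.group("type")
        why = f"client skipped {m.group('path')} before offering it"
        if key_type in advertised:
            why += "; server-sig-algs lists this type, so the restriction is local"
        if allowed is not None and key_type not in allowed:
            why += f"; client config allows only {','.join(allowed)}"
        findings.append(("client", key_type, why))
    for m in SERVER_REJECT.finditer(server_log):
        findings.append(("server", m.group("type"), "sshd refused this key type"))
    return findings

# Sample input copied from the thread above.
CLIENT_LOG = """\
debug1: Skipping ssh-rsa key /Volumes/home/allan/.ssh/id_rsa - not in PubkeyAcceptedKeyTypes
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: Next authentication method: password
"""
SERVER_LOG = ("Nov 03 12:39:20 vero sshd[2758]: userauth_pubkey: "
              "key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]\n")
CLIENT_CONFIG = "PubkeyAcceptedKeyTypes ssh-dss\n"

if __name__ == "__main__":
    for side, key_type, why in diagnose(CLIENT_LOG, SERVER_LOG, CLIENT_CONFIG):
        print(f"{side:6} {key_type:8} {why}")
```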