39 replies to this topic

[Pr2]

i just perform a fresh flash without any restore and the values for dropbear are:
 

root@vuduo4k:~# cat /etc/default/dropbear
# Disallow root logins by default
DROPBEAR_EXTRA_ARGS=""
DROPBEAR_RSAKEY_ARGS="-t ecdsa -s 521"

So this is indeed working.

Edited by Pr2, 27 July 2021 - 17:46.

[eura]

I been trying to add ssh keys but I am not able to get this working any longer :-(
Openpli 8,3 and Ubuntu 22 have try with ed25519 and edit

 

/etc/default/dropbear

DROPBEAR_EXTRA_ARGS=""
DROPBEAR_RSAKEY_ARGS="-t ecdsa -s 521"
DROPBEAR_RSA_SHA2_256=1

And get this from the /var/log/messages
Pubkey auth attempt with unknown algo for 'root' from

From Client side

ssh -Q key -F /dev/null  ( Test my supported keys )
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

 

ssh -v -i  ~/.ssh/id_ed25519 root@XXX.XXX.XXX.XXX

 

debug1: Host 'XXX.XXX.XXX.XXX' is known and matches the ECDSA host key.
debug1: Found key in /home/ABCDE/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/ABCDE.ssh/id_ed25519 ED25519 SHA256:asdOhLY+FFuh6gxsQTzT3lUEl8AGCjKzUKsPCsgZgdo explicit agent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password

Thankful for help so I get get my Ansible to work




 

 

 

[neo]

The key is generated with an algorithm not supported by dropbear. Current develop supports ed25519, but I don't think 8.x does.

 

Do

ssh -vv root@<box>

and look for "debug2: KEX algorithms" which lists the algorithms supported by the SSH server side.

[gspock]

https://forums.openp...s/#entry1330315

[flozero]

Hello, 

I have the same issue. I can't ssh with authorized_keys from a linux mint to my vu+ zero OpenPli 8.3 (dropbear). 
It seems that the signature algorithm is not the same as my desktop computer. 

Here the message I have with the debug mode (ssh -vv root@zero)

I'm using the last image available for the vu+ zero
 

debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: ~/.ssh/id_rsa RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: ~/.ssh/id_ecdsa
debug1: Trying private key: ~/.ssh/id_ecdsa_sk
debug1: Trying private key: ~/.ssh/id_ed25519
debug1: Trying private key: ~/.ssh/id_ed25519_sk
debug1: Trying private key: ~/.ssh/id_xmss
debug1: Trying private key: ~/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Any idea how to fix that ?
thanks

Edited by flozero, 8 April 2023 - 15:12.

[neo]

Did you restore a backup from an older or other image?

[flozero]

Did you restore a backup from an older or other image?

No, it's a fresh flash 
Do I have to flash with the official vu+ image before installing openpli ?
http://code.vuplus.c...30&model=vuzero

Here my default config file for dropbear : 

/etc/default/dropbear 

DROPBEAR_EXTRA_ARGS=""
DROPBEAR_RSAKEY_ARGS="-t ecdsa -s 521"

path of the public key of my desktop computer : /etc/dropbear/authorized_keys

Edited by flozero, 8 April 2023 - 15:31.

[littlesat]

I also experience it a time ago and gave up… now I have a openvpn tunnel via the router but I can sindsdien to rety and check again. I lost a working key and whe. I created a new key it did not work anymore with the new key generated with puttygen

Edited by littlesat, 8 April 2023 - 17:14.

[neo]

No problem here (my client is an up-to-date fedora):

 ssh -vv root@172.19.12.60
OpenSSH_8.8p1, OpenSSL 3.0.8 7 Feb 2023
debug1: Reading configuration data /home/neo/.ssh/config
debug2: resolve_canonicalize: hostname 172.19.12.60 is address
debug1: Connecting to 172.19.12.60 [172.19.12.60] port 22.
debug1: Connection established.
debug1: identity file /home/neo/.ssh/id_rsa type 0
debug1: identity file /home/neo/.ssh/id_rsa-cert type -1
debug1: identity file /home/neo/.ssh/id_dsa type -1
debug1: identity file /home/neo/.ssh/id_dsa-cert type -1
debug1: identity file /home/neo/.ssh/id_ecdsa type -1
debug1: identity file /home/neo/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/neo/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/neo/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/neo/.ssh/id_ed25519 type -1
debug1: identity file /home/neo/.ssh/id_ed25519-cert type -1
debug1: identity file /home/neo/.ssh/id_ed25519_sk type -1
debug1: identity file /home/neo/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/neo/.ssh/id_xmss type -1
debug1: identity file /home/neo/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version dropbear_2020.81
debug1: compat_banner: no match: dropbear_2020.81
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 172.19.12.60:22 as 'root'
debug1: load_hostkeys: fopen /home/neo/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ecdsa-sha2-nistp521,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
debug2: compression ctos: zlib@openssh.com,none
debug2: compression stoc: zlib@openssh.com,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:ME/nPB889AfDGA+lKayagID4y6mXXMC2E3rq2ejiCZQ
debug1: load_hostkeys: fopen /home/neo/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '172.19.12.60' is known and matches the ECDSA host key.
debug1: Found key in /home/neo/.ssh/known_hosts:135
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/neo/.ssh/id_rsa RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx agent
debug1: Will attempt key: /home/neo/.ssh/id_dsa
debug1: Will attempt key: /home/neo/.ssh/id_ecdsa
debug1: Will attempt key: /home/neo/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/neo/.ssh/id_ed25519
debug1: Will attempt key: /home/neo/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/neo/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,ssh-rsa,ssh-dss>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/neo/.ssh/id_rsa RSA SHA256:vDBB91Vnt5v04XwnX9PsZGGWgpbeyTrjbIjLrak1SXc agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/neo/.ssh/id_dsa
debug1: Trying private key: /home/neo/.ssh/id_ecdsa
debug1: Trying private key: /home/neo/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/neo/.ssh/id_ed25519
debug1: Trying private key: /home/neo/.ssh/id_ed25519_sk
debug1: Trying private key: /home/neo/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

ecdsa-sha2-nistp521 is currently used by dropbear, the must secure that is currently supported.

[flozero]

I flashed 2 vu+ (zero and solo2) last images with the same result. 

What do you have in your /etc/default/dropbear file ?

[neo]

root@sf8008:~# cat /etc/default/dropbear 
DROPBEAR_EXTRA_ARGS=""
DROPBEAR_RSAKEY_ARGS="-t ecdsa -s 521"

But I've never generated new keys on the box, I use the key that is generated when the box is flashed.

 

If your distro doesn't accept the algorithm there are only two things you can do: add it to your distro, or replace dropbear by sshd.

Edited by neo, 8 April 2023 - 20:51.

[flozero]

root@sf8008:~# cat /etc/default/dropbear 
DROPBEAR_EXTRA_ARGS=""
DROPBEAR_RSAKEY_ARGS="-t ecdsa -s 521"

But I've never generated new keys on the box, I use the key that is generated when the box is flashed.

 

If your distro doesn't accept the algorithm there are only two things you can do: add it to your distro, or replace dropbear by sshd.

 

You have the same config file as me. I've also never generated new keys. 
It's weird that it works from your side. 

In my distro I'm using a 4096 sha256 rsa key, what about you ?

(ssh-keygen -l -f <file> to show its size and algorithm.)

ssh-keygen -l -f .ssh/id_rsa 

Edited by flozero, 8 April 2023 - 21:11.

[Trial]

Hi,

I had a similar problem a few weeks ago. On my Linux side I always used ssh-copy-id to copy my public key to my VU box. authorized_keys was created in /etc/dropbear and looked OK but nothing worked. After I copied authorized_keys also to /home/root/.ssh/ I could again sign in without password.

 

Ralf

[flozero]

Hi,

I had a similar problem a few weeks ago. On my Linux side I always used ssh-copy-id to copy my public key to my VU box. authorized_keys was created in /etc/dropbear and looked OK but nothing worked. After I copied authorized_keys also to /home/root/.ssh/ I could again sign in without password.

 

Ralf

Hello, 

I also use ssh-copy-id to copy my public key.  I tried to copy also manually in /home/root/.ssh without success, here what I have : 

 

root@vuzero:~# ls -la /etc/dropbear/
drwxr-xr-x    2 root     root           312 Apr  9 10:21 .
drwxr-xr-x   36 root     root          6528 Apr  8 16:54 ..
-rw-------    1 root     root           742 Apr  9 10:20 authorized_keys
-rw-------    1 root     root           242 Apr  9 10:20 dropbear_rsa_host_key

and 

 

root@vuzero:~# ls -la /home/root/.ssh/
drwxr-xr-x    2 root     root           312 Apr  9 10:19 .
drwx------    4 root     root           584 Apr  9 10:18 ..
-rw-------    1 root     root           742 Apr  8 12:41 authorized_keys
-rw-------    1 root     root           242 Jan  1  1970 dropbear_rsa_host_key

Maybe an issue with permission on files ?
Thx

Edited by flozero, 9 April 2023 - 09:28.

[gspock]

 

Hi,

I had a similar problem a few weeks ago. On my Linux side I always used ssh-copy-id to copy my public key to my VU box. authorized_keys was created in /etc/dropbear and looked OK but nothing worked. After I copied authorized_keys also to /home/root/.ssh/ I could again sign in without password.

 

Ralf

Hello, 

I also use ssh-copy-id to copy my public key.  I tried to copy also manually in /home/root/.ssh without success, here what I have : 

 

root@vuzero:~# ls -la /etc/dropbear/
drwxr-xr-x    2 root     root           312 Apr  9 10:21 .
drwxr-xr-x   36 root     root          6528 Apr  8 16:54 ..
-rw-------    1 root     root           742 Apr  9 10:20 authorized_keys
-rw-------    1 root     root           242 Apr  9 10:20 dropbear_rsa_host_key

and 

 

root@vuzero:~# ls -la /home/root/.ssh/
drwxr-xr-x    2 root     root           312 Apr  9 10:19 .
drwx------    4 root     root           584 Apr  9 10:18 ..
-rw-------    1 root     root           742 Apr  8 12:41 authorized_keys
-rw-------    1 root     root           242 Jan  1  1970 dropbear_rsa_host_key

Maybe an issue with permission on files ?
Thx

 

Hi,

here is mine and it works OK:

root@vuduo4kse:~# ls -la /home/root/.ssh/
drwx------    2 root     root          4096 Feb  3  2022 .
drwx------    4 root     root          4096 Nov 25  2021 ..
-rw-------    1 root     root           398 Jun 30  2021 authorized_keys
root@vuduo4kse:~#

So, there is a slight difference with yours on the "." directory

 

Edited by gspock, 9 April 2023 - 10:32.

[flozero]

 

 

Hi,

I had a similar problem a few weeks ago. On my Linux side I always used ssh-copy-id to copy my public key to my VU box. authorized_keys was created in /etc/dropbear and looked OK but nothing worked. After I copied authorized_keys also to /home/root/.ssh/ I could again sign in without password.

 

Ralf

Hello, 

I also use ssh-copy-id to copy my public key.  I tried to copy also manually in /home/root/.ssh without success, here what I have : 

 

root@vuzero:~# ls -la /etc/dropbear/
drwxr-xr-x    2 root     root           312 Apr  9 10:21 .
drwxr-xr-x   36 root     root          6528 Apr  8 16:54 ..
-rw-------    1 root     root           742 Apr  9 10:20 authorized_keys
-rw-------    1 root     root           242 Apr  9 10:20 dropbear_rsa_host_key

and 

 

root@vuzero:~# ls -la /home/root/.ssh/
drwxr-xr-x    2 root     root           312 Apr  9 10:19 .
drwx------    4 root     root           584 Apr  9 10:18 ..
-rw-------    1 root     root           742 Apr  8 12:41 authorized_keys
-rw-------    1 root     root           242 Jan  1  1970 dropbear_rsa_host_key

Maybe an issue with permission on files ?
Thx

 

Hi,

here is mine and it works OK:

root@vuduo4kse:~# ls -la /home/root/.ssh/
drwx------    2 root     root          4096 Feb  3  2022 .
drwx------    4 root     root          4096 Nov 25  2021 ..
-rw-------    1 root     root           398 Jun 30  2021 authorized_keys
root@vuduo4kse:~#

So, there is a slight difference with yours on the "." directory

 

 

I have now the same as you, but no success. 

root@vuzero:~# ls -la /home/root/.ssh/
drwx------    2 root     root           232 Apr  9 11:42 .
drwx------    4 root     root           584 Apr  9 10:18 ..
-rw-------    1 root     root           742 Apr  8 12:41 authorized_keys

What kind of rsa key do you have on your PC ?
 

Mine is : 
flozero@desktop-PC  ~  ssh-keygen -l -f .ssh/id_rsa 
4096 SHA256:Qbe5118ujhf+zeu56i1jIEUI+Oj5454515 flozero@desktop-PC (RSA)

 

Edited by flozero, 9 April 2023 - 10:52.

[neo]

In my distro I'm using a 4096 sha256 rsa key, what about you ?
 

(ssh-keygen -l -f <file> to show its size and algorithm.)

ssh-keygen -l -f .ssh/id_rsa 

 

2048.
 

[eura]

I must also say I fail with the ssh keys, using a few distros with the new crypto polices but I use the legacy mode. but still failing so can someone how have this working wright a small tutorial how to do this. Thanks in advance!    

[gspock]

 

 

 

Hi,

I had a similar problem a few weeks ago. On my Linux side I always used ssh-copy-id to copy my public key to my VU box. authorized_keys was created in /etc/dropbear and looked OK but nothing worked. After I copied authorized_keys also to /home/root/.ssh/ I could again sign in without password.

 

Ralf

Hello, 

I also use ssh-copy-id to copy my public key.  I tried to copy also manually in /home/root/.ssh without success, here what I have : 

 

root@vuzero:~# ls -la /etc/dropbear/
drwxr-xr-x    2 root     root           312 Apr  9 10:21 .
drwxr-xr-x   36 root     root          6528 Apr  8 16:54 ..
-rw-------    1 root     root           742 Apr  9 10:20 authorized_keys
-rw-------    1 root     root           242 Apr  9 10:20 dropbear_rsa_host_key

and 

 

root@vuzero:~# ls -la /home/root/.ssh/
drwxr-xr-x    2 root     root           312 Apr  9 10:19 .
drwx------    4 root     root           584 Apr  9 10:18 ..
-rw-------    1 root     root           742 Apr  8 12:41 authorized_keys
-rw-------    1 root     root           242 Jan  1  1970 dropbear_rsa_host_key

Maybe an issue with permission on files ?
Thx

 

Hi,

here is mine and it works OK:

root@vuduo4kse:~# ls -la /home/root/.ssh/
drwx------    2 root     root          4096 Feb  3  2022 .
drwx------    4 root     root          4096 Nov 25  2021 ..
-rw-------    1 root     root           398 Jun 30  2021 authorized_keys
root@vuduo4kse:~#

So, there is a slight difference with yours on the "." directory

 

 

I have now the same as you, but no success. 

root@vuzero:~# ls -la /home/root/.ssh/
drwx------    2 root     root           232 Apr  9 11:42 .
drwx------    4 root     root           584 Apr  9 10:18 ..
-rw-------    1 root     root           742 Apr  8 12:41 authorized_keys

What kind of rsa key do you have on your PC ?
 

Mine is : 
flozero@desktop-PC  ~  ssh-keygen -l -f .ssh/id_rsa 
4096 SHA256:Qbe5118ujhf+zeu56i1jIEUI+Oj5454515 flozero@desktop-PC (RSA)

 

 

2048

[gspock]

I must also say I fail with the ssh keys, using a few distros with the new crypto polices but I use the legacy mode. but still failing so can someone how have this working wright a small tutorial how to do this. Thanks in advance!    

https://forums.openp...s/#entry1367610