1

I'm using PuTTY on Windows 11 to connect to Ubuntu Server 20.04.4. SSH connection with password works, but when I try to connect to it with a key I get the password prompt again. I turned logging on, turns out my server doesn't accept RSA: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed.

I've found out that OpenSSH 8.8 doesn't allow RSA (SHA-1) keys by default, and while I wasn't sure my keys were SHA-1 (PuTTY has a separate SSH-1 (RSA) key type that I didn't use, I used the default RSA one) I tried a different key type (one of those recommended here).

I tried generating an ECDSA key just to get the result mm_answer_keyallowed: publickey authentication test: ECDSA key is not allowed.

Here is an example with the RSA key:

debug1: trying public key file /home/wintermute/.ssh/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug2: /home/wintermute/.ssh/authorized_keys:1: check options: '---- BEGIN SSH2 PUBLIC KEY ----\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:1: advance: 'BEGIN SSH2 PUBLIC KEY ----\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:2: check options: 'Comment: "rsa-key-20220310"\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:2: advance: '"rsa-key-20220310"\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:3: check options: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCQskShaece0af5fHVTwPu/nFhDGwOoqxhP\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:3: advance: ''
debug2: /home/wintermute/.ssh/authorized_keys:4: check options: 'S/9h4URK6axdsae5Um3EWhiTFlNdukPHtDZ1ZCcO7n4zGB90NyNyszgZ4XGYpuCR\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:4: advance: ''
debug2: /home/wintermute/.ssh/authorized_keys:5: check options: '/JthkwXs9MmhAB+PYXeCnCsOyFtY9VkStvu8OuHmj9QJXAHlvukKHlpEh7yAD3Q6\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:5: advance: ''
debug2: /home/wintermute/.ssh/authorized_keys:6: check options: 'qkyD4LDbw4H+n9el98U4Lgah/xEuKCNFAwsYfZ2+hqFtvdwnARcqYRvQnSrbh6Cg\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:6: advance: ''
debug2: /home/wintermute/.ssh/authorized_keys:7: check options: 'l18vruoGn6oLCmDL5iWkgILJ+5l934p/NtemdJZBnXPvc1Whd1/MsrLzOt0tbStA\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:7: advance: ''
debug2: /home/wintermute/.ssh/authorized_keys:8: check options: 'JlabiywG87OgcaQ/yoIGTKmgjNtRvWscycq1RW+VWdW4wph6PT9L\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:8: advance: ''
debug2: /home/wintermute/.ssh/authorized_keys:9: check options: '---- END SSH2 PUBLIC KEY ----\r\n'
debug2: /home/wintermute/.ssh/authorized_keys:9: advance: 'END SSH2 PUBLIC KEY ----\r\n'
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/wintermute/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/wintermute/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
Failed publickey for wintermute from 192.168.0.130 port 52984 ssh2: RSA SHA256:NhGXwSWgy7fV2KZ2p8B0RcxWr/qBwwG8RNUNo2EXrgc

What am I doing wrong?

1 Answer

2

> I've found out that OpenSSH 8.8 doesn't allow RSA (SHA-1) keys by default, and while I wasn't sure my keys were SHA-1

No, it doesn't allow signatures made using SHA-1. There is nothing specifically "SHA-1" or "SHA-2" in the actual RSA key itself; the same RSA key can be used to make signatures using both.

The "SSH-1 (RSA)" option is completely unrelated to SHA algorithms. SSHv1 was an old version of the SSH protocol, which has been obsolete for many years. (It's somewhat like SSLv2 versus TLSv1.3.)

> debug2: /home/wintermute/.ssh/authorized_keys:1: check options: '---- BEGIN SSH2 PUBLIC KEY ----\r\n'

You've added your keys to the file in the wrong format. It seems you clicked "Save public key" in PuTTYgen and this gave you a key in the SSH.COM (RFC 4716) format, which is used e.g. by Multinet SSH, but not by OpenSSH.

Instead OpenSSH's authorized_keys file expects the "one line" OpenSSH format, which you can get from the PuTTYgen textbox titled, appropriately, "Public key for pasting into OpenSSH authorized_keys file:".

(The actual key inside both formats is exactly the same, it's just formatted differently.)

grawity
  • 501,077
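The format difference described in the answer above, as an added Python example that is not part of the original post: it converts an RFC 4716 (SSH.COM) block, as written by PuTTYgen's "Save public key", into the one-line form that authorized_keys expects. The function names and the sample key are constructed for illustration.

```python
import base64
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: an Ed25519-shaped key blob with dummy key bytes, CRLF line endings.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_RFC4716 = "\r\n".join([
    "---- BEGIN SSH2 PUBLIC KEY ----",
    'Comment: "constructed-test-key"',
    SAMPLE_B64[:64], SAMPLE_B64[64:],
    "---- END SSH2 PUBLIC KEY ----", "",
])

def rfc4716_to_openssh(text):
    """Convert one RFC 4716 public key block to an OpenSSH authorized_keys line."""
    lines = [ln.strip() for ln in text.splitlines()]  # strip() also drops the \r of CRLF
    try:
        start = lines.index("---- BEGIN SSH2 PUBLIC KEY ----")
        end = lines.index("---- END SSH2 PUBLIC KEY ----", start)
    except ValueError:
        raise ValueError("no RFC 4716 public key block found") from None
    comment, b64, i = "", [], start + 1
    while i < end:
        line = lines[i]
        i += 1
        if ":" in line:  # header line; the base64 alphabet never contains ':'
            while line.endswith("\\") and i < end:  # header continued on the next line
                line = line[:-1] + lines[i]
                i += 1
            tag, _, value = line.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        elif line:
            b64.append(line)  # wrapped base64 body, joined below
    blob = base64.b64decode("".join(b64), validate=True)
    # The key blob begins with a length-prefixed algorithm name, e.g. b"ssh-rsa".
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("key blob is truncated or malformed")
    algo = blob[4:4 + n].decode("ascii")
    return " ".join(p for p in (algo, base64.b64encode(blob).decode("ascii"), comment) if p)

if __name__ == "__main__":
    print(rfc4716_to_openssh(SAMPLE_RFC4716))
```

OpenSSH's own `ssh-keygen -i -f <file>` performs the same conversion on the server.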