Saturday, April 27, 2024
Homepage · ssh
 Popular · Latest · Hot · Upcoming
56
rated 0 times [  56] [ 0]  / answers: 1 / hits: 59440  / 1 Year ago, sat, may 6, 2023, 10:23:15

Up until last week I was running Ubuntu 20.04 happily, and then over the weekend decided to back everything up and install 22.04. I've had a couple of teething issues which I've solver, however I'm having real issues with SSH. I have two first generation WD MyCloud drives which handle all my backups and files both on and away from home. I can still connect to the shares with no problems, however I need to SSH onto both drives in order to run maintenance, backup between cloud drives, etc.


Initially I couldn't gain SSH access at all after upgrading, however the one-fix at this website worked. I can now connect via SSH and entering a password.


However with Ubuntu 20.04 I had set up a passphrase so that various autyomated scripts that I use using rsync could copy between cloud drives and also between Ubuntu and the cloud drive shares. This was working until I upgraded, now the scripts continually ask me for my password and I can't figure out how to stop it.


What I was originally doing was running


ssh-keygen -b 4096

to generate a passphrase and then


ssh-copy-id root@server

to copy the passphrase across


If I then entered


ssh root@server

it simply connected without asking to my password.


I know this is going to be due to my cloud drives only supporting the now insecure SSH, but I cannot upgrade it to a more secure one (unless someone knows how - I would prefer to do this to be honest). My maintenance scripts can make up to 20 connections over a period of hours, and to have to sit and constantly enter the password is becoming a pain.


Can anyone help me get my remote rsync commands working again so they don't keep asking me for my password


The terminal outputs as I run through these are


colin@colin-desktop:~/.ssh$ ssh-keygen -b 4096



Generating public/private rsa key pair.

Enter file in which to save the key (/home/colin/.ssh/id_rsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/colin/.ssh/id_rsa

Your public key has been saved in /home/colin/.ssh/id_rsa.pub

The key fingerprint is:

SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx colin@colin-desktop

The key's randomart image is:

+---[RSA 4096]----+

...

+----[SHA256]-----+



colin@colin-desktop:~/.ssh$ ssh-copy-id [email protected]



/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

[email protected]'s password: 



Number of key(s) added: 1



Now try logging into the machine, with:   "ssh '[email protected]'"

and check to make sure that only the key(s) you wanted were added.



colin@colin-desktop:~/.ssh$ ssh [email protected]



[email protected]'s password: 



Linux NASServer 3.2.26 #1 SMP Thu Jul 9 11:14:15 PDT 2015 wd-2.4-rel armv7l



The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.



Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.



NASServer:~# cd ~/.ssh



NASSERVER:~/.ssh# ls -al



total 12

drwx------ 2 root root 4096 May 17 23:32 .

drwx------ 7 root root 4096 Apr 28 19:02 ..

-rw------- 1 root root  742 May 17 23:32 authorized_keys



NASServer:~/.ssh# exit



logout

Connection to xxx.xxx.xxx.xxx closed.



colin@colin-desktop:~$ rsync --verbose --archive -e 'ssh -p 22' ~/Files/ [email protected]:/shares/Files/



[email protected]'s password:

How this originally came about was that I needed to be able to rsync to and from a remote location without the need for a human intervention regarding security. The instructions I was given were to use ssh-keygen to generate public/private keys and then ssh-copy-id to copy the public key to the remote host. I've just reinstalled 20.04 on another machine and used this successfully and the rsync is working without the need for a password. However if I clear the keys on the server out, reinstall 22.04 and do the same, it still prompts me for the password. I've updated my question to show the output of the commands as they are being run on Ubuntu 22.04 with the server name obscured for obvious reasons.


The Terminal output of rsync -vvv follows


colin@colin-desktop:~$ ssh -vvv [email protected]

OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022

debug1: Reading configuration data /home/colin/.ssh/config

debug3: kex names ok: [diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,[email protected],[email protected]]

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files

debug1: /etc/ssh/ssh_config line 21: Applying options for *

debug2: resolve_canonicalize: hostname xxx.xxx.xxx.xxx is address

debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/colin/.ssh/known_hosts'

debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/colin/.ssh/known_hosts2'

debug3: ssh_connect_direct: entering

debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.

debug3: set_sock_tos: set socket 3 IP_TOS 0x10

debug1: Connection established.

debug1: identity file /home/colin/.ssh/id_rsa type 0

debug1: identity file /home/colin/.ssh/id_rsa-cert type -1

debug1: identity file /home/colin/.ssh/id_ecdsa type -1

debug1: identity file /home/colin/.ssh/id_ecdsa-cert type -1

debug1: identity file /home/colin/.ssh/id_ecdsa_sk type -1

debug1: identity file /home/colin/.ssh/id_ecdsa_sk-cert type -1

debug1: identity file /home/colin/.ssh/id_ed25519 type -1

debug1: identity file /home/colin/.ssh/id_ed25519-cert type -1

debug1: identity file /home/colin/.ssh/id_ed25519_sk type -1

debug1: identity file /home/colin/.ssh/id_ed25519_sk-cert type -1

debug1: identity file /home/colin/.ssh/id_xmss type -1

debug1: identity file /home/colin/.ssh/id_xmss-cert type -1

debug1: identity file /home/colin/.ssh/id_dsa type -1

debug1: identity file /home/colin/.ssh/id_dsa-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4

debug1: compat_banner: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to xxx.xxx.xxx.xxx:22 as 'root'

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,[email protected],[email protected],ext-info-c

debug2: host key algorithms: ssh-ed25519,[email protected],[email protected],[email protected],ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]

debug2: ciphers ctos: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]

debug2: ciphers stoc: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]

debug2: MACs ctos: hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]

debug2: MACs stoc: hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]

debug2: compression ctos: none,[email protected],zlib

debug2: compression stoc: none,[email protected],zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: host key algorithms: ssh-rsa,ssh-dss

debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: MACs ctos: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: MACs stoc: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: compression ctos: none,[email protected]

debug2: compression stoc: none,[email protected]

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: diffie-hellman-group1-sha1

debug1: kex: host key algorithm: ssh-rsa

debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none

debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none

debug2: bits set: 515/1024

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: SSH2_MSG_KEX_ECDH_REPLY received

debug1: Server host key: ssh-rsa SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

debug3: record_hostkey: found key type RSA in file /home/colin/.ssh/known_hosts:1

debug3: load_hostkeys_file: loaded 1 keys from xxx.xxx.xxx.xxx

debug1: load_hostkeys: fopen /home/colin/.ssh/known_hosts2: No such file or directory

debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory

debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory

debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.

debug1: Found key in /home/colin/.ssh/known_hosts:1

debug2: bits set: 495/1024

debug3: send packet: type 21

debug2: ssh_set_newkeys: mode 1

debug1: rekey out after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: ssh_set_newkeys: mode 0

debug1: rekey in after 134217728 blocks

debug1: get_agent_identities: bound agent to hostkey

debug1: get_agent_identities: agent returned 1 keys

debug1: Will attempt key: /home/colin/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent

debug1: Will attempt key: /home/colin/.ssh/id_ecdsa 

debug1: Will attempt key: /home/colin/.ssh/id_ecdsa_sk 

debug1: Will attempt key: /home/colin/.ssh/id_ed25519 

debug1: Will attempt key: /home/colin/.ssh/id_ed25519_sk 

debug1: Will attempt key: /home/colin/.ssh/id_xmss 

debug1: Will attempt key: /home/colin/.ssh/id_dsa 

debug2: pubkey_prepare: done

debug3: send packet: type 5

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password

debug3: start over, passed a different list publickey,password

debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering public key: /home/colin/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX agent

debug1: send_pubkey_test: no mutual signature algorithm

debug1: Trying private key: /home/colin/.ssh/id_ecdsa

debug3: no such identity: /home/colin/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /home/colin/.ssh/id_ecdsa_sk

debug3: no such identity: /home/colin/.ssh/id_ecdsa_sk: No such file or directory

debug1: Trying private key: /home/colin/.ssh/id_ed25519

debug3: no such identity: /home/colin/.ssh/id_ed25519: No such file or directory

debug1: Trying private key: /home/colin/.ssh/id_ed25519_sk

debug3: no such identity: /home/colin/.ssh/id_ed25519_sk: No such file or directory

debug1: Trying private key: /home/colin/.ssh/id_xmss

debug3: no such identity: /home/colin/.ssh/id_xmss: No such file or directory

debug1: Trying private key: /home/colin/.ssh/id_dsa

debug3: no such identity: /home/colin/.ssh/id_dsa: No such file or directory

debug2: we did not send a packet, disable method

debug3: authmethod_lookup password

debug3: remaining preferred: ,password

debug3: authmethod_is_enabled password

debug1: Next authentication method: password

[email protected]'s password:

More From » ssh
 Answers
0

Cause


The RSA SHA-1 hash algorithm is being quickly deprecated across operating systems and SSH clients because of various security vulnerabilities, with many of these technologies now outright denying the use of this algorithm.


It seems this has happened for the ssh client in Ubuntu 22.04. The RSA public-private key pair is considered not safe any more.


Solution


Use a more modern and secure type of key such as ed25519. Generate a new key pair in your Ubuntu 22.04 computer with this command:


ssh-keygen -t ed25519 -C "colin@colin-desktop"

Note: the string after -C is a comment it is customary to put your email address here. Since you may only be using this key within your home, putting the email address may not make sense. I would put something like "colin@colin-desktop" so that you know which user and computer the key belongs to within your household.


Alternately you may create a new RSA key with SHA2 hashing like so:


ssh-keygen -t rsa-sha2-512 -b 4096

Either way you will need to use the ssh-copy-id command again:


ssh-copy-id [email protected]

This command will recognize there is a new public key and copy the new key to the /root/.ssh/authorized_keys file.


It should work now.


A Remote Server Workaround


If you can't change anything on the local computer, or don't want to use a new key, and want to re-enable RSA on the local computer, edit the file /etc/ssh/sshd_config on the remote computer and add this line:


HostKeyAlgorithms +ssh-rsa

PubkeyAcceptedKeyTypes +ssh-rsa

This will allow the use of unsafe RSA key you already have.


Remember to restart the sshd service by:


sudo systemctl restart sshd

Otherwise you will have to restart your computer to make the change take effect.


References



Hope this helps


[#492] Sunday, May 7, 2023, 1 Year  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
ntlesslving
Add To Favorites
Follow
Total Points: 123
Total Questions: 109
Total Answers: 113
Location: South Korea
Member since Fri, Sep 11, 2020
4 Years ago
ntlesslving questions
Mon, Feb 28, 22, 13:55, 2 Years ago
Fri, Jul 30, 21, 12:16, 3 Years ago
Wed, Sep 1, 21, 08:55, 3 Years ago
Fri, Jul 8, 22, 01:43, 2 Years ago
Fri, Dec 23, 22, 08:01, 1 Year ago
View All
;