Hi everyone and sorry for wasting your time for my non-urgent and non-critical ssh key problem.
So what I actually wanted to do today was preparing my DIR-645 for being SSH-accessed from outside my home with some DynDNS-like service in order to use gitolite as version control for my notetaking (yes, simple notes, I'm not a programmer).
So I thought it's a good idea to replace password authentication with SSH key authentication. And it works when I do this from my Mac. However, when I use my old laptop (plugged-in in the same hub as the Mac), I get that stupid "Permission denied (publickey)" message.
Here is what it says in the LuCi footer.
openwrt-19.07 branch (git-20.341.57626-51f55b5) / OpenWrt 19.07.5 r11257-5090152ae3
My old laptop runs fedora33, I recently upgraded it with an SSD, so it's a pretty fresh install.
What I have tried so far:
- Did ssh-keygen -t rsa several times, as normal user and also using sudo. I always made sure that the .pub file that I dragged&dropped in LuCi-System-Administration-SSH-Keys appeared correctly (like when I did the same on my Mac earlier today which worked).
- I always made sure that ~/.ssh/known_hosts is clean when I created new keys. Using port 26 is intended and works when SSHing into OpenWrt from Mac.
- Authentication with the normal password works fine from Mac and the fedora33 laptop when I tick the boxes in LuCi.
- I always used chmod for /etc/dropbear/authorized_keys according to several posts to check that there is no issue with permissions.
- I found a post which suggested not to use RSA but ED25519, so I created the fancier keys, still the same problem.
- Finally, I found a post that suggested to use ssh with the -vvvv flag. And I was hoping to get an error message that helps me to continue my half-witted research of the problem.
I'm not smart enough to decipher the meaning of all of the output and I wish I had a helpful professional background. I learned a shitload of Linux stuff and some networking today. But my problem remains unsolved.
Can someone tell me where to continue researching the problem? To me the output looks like ssh is doing its thing and in the last 3 lines it just says f#!k you.
Help, anyone?
[hereandthere@localhost .ssh]$ ssh -vvvv -p 26 -i ~/.ssh/laptop_ed25519_openwrt root@192.168.1.10
OpenSSH_8.4p1, OpenSSL 1.1.1j FIPS 16 Feb 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 192.168.1.10 originally 192.168.1.10
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 192.168.1.10 is address
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 192.168.1.10 originally 192.168.1.10
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/hereandthere/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/hereandthere/.ssh/known_hosts2'
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.10 [192.168.1.10] port 26.
debug1: Connection established.
debug1: identity file /home/hereandthere/.ssh/laptop_ed25519_openwrt type 3
debug1: identity file /home/hereandthere/.ssh/laptop_ed25519_openwrt-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: no match: dropbear
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.10:26 as 'root'
debug3: put_host_port: [192.168.1.10]:26
debug3: hostkeys_foreach: reading file "/home/hereandthere/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/hereandthere/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [192.168.1.10]:26
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:P9tbmwRn2JvrnCQ00Yv2x0GvfiqxNC58Xs5tGk+y3o0
debug3: put_host_port: [192.168.1.10]:26
debug3: put_host_port: [192.168.1.10]:26
debug3: hostkeys_foreach: reading file "/home/hereandthere/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/hereandthere/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [192.168.1.10]:26
debug3: hostkeys_foreach: reading file "/home/hereandthere/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/hereandthere/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [192.168.1.10]:26
debug1: Host '[192.168.1.10]:26' is known and matches the RSA host key.
debug1: Found key in /home/hereandthere/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/hereandthere/.ssh/laptop_ed25519_openwrt ED25519 SHA256:MDynrvvitDQyOUe0cfqI2CB5inQSbLHi3bnqd2f4gwo explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/hereandthere/.ssh/laptop_ed25519_openwrt ED25519 SHA256:MDynrvvitDQyOUe0cfqI2CB5inQSbLHi3bnqd2f4gwo explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@192.168.1.10: Permission denied (publickey).
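Added example (not part of the original post): a small Python parser that reads `ssh -v` client output like the log above and reports the stage at which the login stopped, using the RFC 4252 message numbers (51 = failure, 52 = success, 60 = key acceptable). The sample log is a constructed excerpt modelled on the output above, and `summarize` and its field names are hypothetical; it localizes the failing stage and does not determine the cause.

```python
import re

# Constructed excerpt modelled on the `ssh -vvvv` output above (not the full log).
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version dropbear
debug2: local client KEXINIT proposal
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa
debug1: Host '[192.168.1.10]:26' is known and matches the RSA host key.
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Offering public key: /home/user/.ssh/example_key ED25519 SHA256:CONSTRUCTED explicit
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: No more authentication methods to try.
"""

# Message numbers from RFC 4252 (SSH authentication protocol).
FAILURE, SUCCESS, PK_OK = 51, 52, 60

def summarize(log):
    """Locate the stage at which an OpenSSH client debug log stops."""
    out = {"server": None, "server_hostkey_algs": [], "host_key_ok": False,
           "offered": [], "replies": []}
    peer = False  # True while reading the server's KEXINIT proposal
    for line in log.splitlines():
        text = line.split(": ", 1)[1] if ": " in line else line  # drop "debugN: "
        if text.startswith("Remote protocol version"):
            out["server"] = text.rsplit("remote software version ", 1)[-1]
        elif text.endswith("KEXINIT proposal"):
            peer = text.startswith("peer server")
        elif peer and text.startswith("host key algorithms: "):
            out["server_hostkey_algs"] = text.split(": ", 1)[1].split(",")
        elif "is known and matches" in text:
            out["host_key_ok"] = True
        elif text.startswith("Offering public key: "):
            out["offered"].append(text.split()[4])  # key type, e.g. ED25519
        elif out["offered"] and (m := re.fullmatch(r"receive packet: type (\d+)", text)):
            out["replies"].append(int(m.group(1)))  # replies after the first offer only
    replies = out["replies"]
    if not out["offered"]:
        out["stage"] = "no key offered"
    elif SUCCESS in replies:
        out["stage"] = "authenticated"
    elif PK_OK in replies:
        out["stage"] = "key accepted, signature rejected"
    else:
        out["stage"] = "key rejected by server"
    return out
```

For the log above this reports that the host key check passed and that the server answered the ED25519 offer with a failure before requesting a signature. That points the search at the contents of the server's authorized_keys and at the key types its dropbear build accepts, rather than at the network or known_hosts.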