Schroedinger's SSH access: Permission denied (publickey)

Hi everyone, and sorry for wasting your time with my non-urgent and non-critical SSH key problem.

So what I actually wanted to do today was prepare my DIR-645 to be SSH-accessed from outside my home via some DynDNS-like service, in order to use gitolite as version control for my note-taking (yes, simple notes, I'm not a programmer).

So I thought it was a good idea to replace password authentication with SSH key authentication. And it works when I do this from my Mac. However, when I use my old laptop (plugged into the same hub as the Mac), I get that stupid "Permission denied (publickey)" message.

Here is what it says in the LuCI footer:
openwrt-19.07 branch (git-20.341.57626-51f55b5) / OpenWrt 19.07.5 r11257-5090152ae3

My old laptop runs Fedora 33; I recently upgraded it with an SSD, so it's a pretty fresh install.

What I have tried so far:

  1. Did ssh-keygen -t rsa several times, as a normal user and also using sudo. I always made sure that the .pub file that I dragged and dropped into LuCI > System > Administration > SSH-Keys appeared correctly (like when I did the same on my Mac earlier today, which worked).

  2. I always made sure that ~/.ssh/known_hosts is clean when I created new keys. Using port 26 is intended and works when SSHing into OpenWrt from Mac.

  3. Authentication with the normal password works fine from the Mac and the Fedora 33 laptop when I tick the boxes in LuCI.

  4. I always used chmod for /etc/dropbear/authorized_keys according to several posts to check that there is no issue with permissions.

  5. I found a post which suggested using ED25519 instead of RSA, so I created the fancier keys; still the same problem.

  6. Finally, I found a post that suggested using ssh with the -vvvv flag. And I was hoping to get an error message that helps me to continue my half-witted research of the problem.

I'm not smart enough to decipher the meaning of all of the output and I wish I had a helpful professional background. I learned a shitload of Linux stuff and some networking today. But my problem remains unsolved.

Can someone tell me where to continue researching the problem? To me the output looks like ssh is doing its thing and in the last 3 lines it just says f#!k you.

Help, anyone?

[hereandthere@localhost .ssh]$ ssh -vvvv -p 26 -i ~/.ssh/laptop_ed25519_openwrt root@192.168.1.10
OpenSSH_8.4p1, OpenSSL 1.1.1j  FIPS 16 Feb 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 192.168.1.10 originally 192.168.1.10
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 192.168.1.10 is address
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 192.168.1.10 originally 192.168.1.10
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/hereandthere/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/hereandthere/.ssh/known_hosts2'
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.10 [192.168.1.10] port 26.
debug1: Connection established.
debug1: identity file /home/hereandthere/.ssh/laptop_ed25519_openwrt type 3
debug1: identity file /home/hereandthere/.ssh/laptop_ed25519_openwrt-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: no match: dropbear
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.10:26 as 'root'
debug3: put_host_port: [192.168.1.10]:26
debug3: hostkeys_foreach: reading file "/home/hereandthere/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/hereandthere/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [192.168.1.10]:26
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:P9tbmwRn2JvrnCQ00Yv2x0GvfiqxNC58Xs5tGk+y3o0
debug3: put_host_port: [192.168.1.10]:26
debug3: put_host_port: [192.168.1.10]:26
debug3: hostkeys_foreach: reading file "/home/hereandthere/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/hereandthere/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [192.168.1.10]:26
debug3: hostkeys_foreach: reading file "/home/hereandthere/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/hereandthere/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from [192.168.1.10]:26
debug1: Host '[192.168.1.10]:26' is known and matches the RSA host key.
debug1: Found key in /home/hereandthere/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/hereandthere/.ssh/laptop_ed25519_openwrt ED25519 SHA256:MDynrvvitDQyOUe0cfqI2CB5inQSbLHi3bnqd2f4gwo explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/hereandthere/.ssh/laptop_ed25519_openwrt ED25519 SHA256:MDynrvvitDQyOUe0cfqI2CB5inQSbLHi3bnqd2f4gwo explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@192.168.1.10: Permission denied (publickey).


Thank you @vgaetera for that link. I will check all the versions that I have. Hope there's no conflict between Fedora 33 and OpenWrt that forces me to downgrade. Both sides seem to know ed25519, but there seems to be a difference between "debug2: local client KEXINIT proposal" (that's Fedora 33, I guess) and "debug2: peer server KEXINIT proposal" (my OpenWrt SSH host?). Perhaps I should run ssh -vvvv on my Mac as well, just to compare the output with a handshake that worked.

Because of this and this I will look a little closer at the permission thing, because I fully ignored permissions on the Fedora 33 laptop so far.

This Windows dude seems to have solved a similar problem by using the ssh -l flag. Worth a try.

Will keep this thread updated over the coming days. I hope this is not just a simple "have you already restarted your machine" thing... because I didn't when I opened this thread :see_no_evil:


Interesting thread, sounds like a solution: a few comments below, someone suggested having openssh listen on the desired port.

Well, I need to figure out then how I let openssh do this because I have no idea (yet) :smiley:

Idiot me didn't grab laptop + router when I left home. Will try all this when I'm back in a few days.

Anyway, this works for me while connecting to OpenWrt 19.07 from Fedora 33:

alias ssh="ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa"
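Reading a -vvvv log like the one in the opening post mostly comes down to a handful of lines: was a key actually offered, did the server accept it, which authentication methods did the server say can continue, and was a system crypto policy (the /etc/crypto-policies include visible in the log) shaping the client's algorithm list. The script below is an added example, not code from this thread or from the OpenWrt or Fedora projects: it parses those OpenSSH client debug messages and classifies the outcome, so the "key offered but rejected" case from the opening post can be told apart from "no key offered", "identity file unreadable", "key filtered by client policy" and "server does not allow publickey". It assumes the message formats seen in the thread's log plus OpenSSH's "Server accepts key", "Skipping ... key" and "Identity file ... not accessible" lines; the sample logs are constructed for this example, with placeholder paths and fingerprints rather than the poster's values.

```python
"""Classify the outcome of a verbose `ssh -vvv` run from its debug output.

Added example for the thread above; not code from the thread itself.
Message formats are assumed from OpenSSH 8.x client debug output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

OFFER = re.compile(r"^debug1: Offering public key: (.+)$")
ACCEPT = re.compile(r"^debug1: Server accepts key: (.+)$")
CONT = re.compile(r"^debug1: Authentications that can continue: (.+)$")
HOSTKEYS = re.compile(r"^debug2: host key algorithms: (.+)$")
REMOTE = re.compile(r"remote software version (\S+)")
MISSING = re.compile(r"^Warning: Identity file (\S+) not accessible")
# Matched loosely: the wording after '-' differs between OpenSSH releases.
SKIPPED = re.compile(r"^debug1: Skipping (\S+) key (\S+) - .*PubkeyAccepted")


@dataclass
class Attempt:
    offered: list = field(default_factory=list)    # keys the client sent
    accepted: list = field(default_factory=list)   # keys the server took
    skipped: list = field(default_factory=list)    # keys filtered client-side
    missing: list = field(default_factory=list)    # -i paths not readable
    methods: set = field(default_factory=set)      # methods the server allows
    server_hostkeys: list = field(default_factory=list)
    remote: str = ""                               # server software banner
    crypto_policy: bool = False                    # system policy included?


def parse(text: str) -> Attempt:
    """Collect the authentication-relevant facts from ssh -vvv output."""
    a = Attempt()
    in_server_kexinit = False  # 'host key algorithms' appears in both proposals
    for line in text.splitlines():
        line = line.rstrip()
        if "peer server KEXINIT proposal" in line:
            in_server_kexinit = True
        elif "local client KEXINIT proposal" in line:
            in_server_kexinit = False
        if (m := HOSTKEYS.match(line)) and in_server_kexinit:
            a.server_hostkeys = m.group(1).split(",")
        elif m := OFFER.match(line):
            a.offered.append(m.group(1))
        elif m := ACCEPT.match(line):
            a.accepted.append(m.group(1))
        elif m := CONT.match(line):
            a.methods.update(m.group(1).split(","))
        elif m := MISSING.match(line):
            a.missing.append(m.group(1))
        elif m := SKIPPED.match(line):
            a.skipped.append(f"{m.group(1)} {m.group(2)}")
        elif m := REMOTE.search(line):
            a.remote = m.group(1)
        elif "crypto-policies" in line:
            a.crypto_policy = True
    return a


def diagnose(text: str) -> tuple[str, str]:
    """Return (outcome code, explanation with the next thing to check)."""
    a = parse(text)
    if a.accepted:
        return "accepted", f"server accepted key: {a.accepted[-1]}"
    if a.missing:
        return "missing_identity", "client could not read: " + ", ".join(a.missing)
    if a.skipped:
        return ("filtered_by_client_policy",
                "client never offered " + ", ".join(a.skipped)
                + ": its type is excluded by PubkeyAcceptedKeyTypes (on Fedora set by "
                "crypto-policies); re-enable it for that host only, e.g. "
                "-o PubkeyAcceptedKeyTypes=+ssh-rsa")
    if a.methods and "publickey" not in a.methods:
        return ("no_pubkey_method",
                f"server offers only {sorted(a.methods)}: enable public-key auth there")
    if not a.offered:
        return ("no_key_offered",
                "client sent no key: check the -i path, IdentitiesOnly and the agent")
    hint = ("confirm the server's authorized_keys holds exactly this public key and "
            "that the server's SSH implementation supports this key type")
    if a.remote.startswith("dropbear") and a.crypto_policy:
        hint += ("; the client applies a system crypto policy and the server is "
                 "dropbear, so also try the thread's fix, "
                 "-o PubkeyAcceptedKeyTypes=+ssh-rsa, with an RSA key")
    return "rejected_by_server", f"server rejected offered key(s) {a.offered}: {hint}"


# Constructed sample logs (placeholder paths/fingerprints), shaped like the thread's output.
SAMPLE_REJECTED = """\
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: identity file /home/user/.ssh/laptop_key type 3
debug1: Remote protocol version 2.0, remote software version dropbear
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/laptop_key ED25519 SHA256:PLACEHOLDER explicit agent
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
root@192.0.2.1: Permission denied (publickey).
"""
SAMPLE_ACCEPTED = """\
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:PLACEHOLDER2 explicit
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:PLACEHOLDER2 explicit
debug1: Authentication succeeded (publickey).
"""
SAMPLE_PASSWORD_ONLY = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""

if __name__ == "__main__":
    for name, log in [("rejected", SAMPLE_REJECTED), ("accepted", SAMPLE_ACCEPTED),
                      ("password-only", SAMPLE_PASSWORD_ONLY)]:
        code, why = diagnose(log)
        print(f"{name}: {code}: {why}")
```

Run it as `ssh -vvv ... 2>&1 | python3 sshdiag.py` after replacing the sample logs with `sys.stdin.read()`, or keep the samples to see the three outcomes. On the fix itself: the closing post's alias applies `+ssh-rsa` to every connection the laptop makes; putting the same keyword under a `Host` entry in ~/.ssh/config for the router only keeps the relaxed signature policy scoped to the one legacy server that needs it.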
