This week is already the second time someone reached out to me regarding SSH connectivity problems using PuTTY with key authentication (using Pageant) and Ubuntu 22.04 as the remote SSH server.
The connection worked fine before the distribution upgrade, but once the dist-upgrade to Ubuntu 22.04 (Jammy) was completed, the Windows users running PuTTY were unable to connect to the now upgraded Ubuntu server.
The symptom is that PuTTY falls back to an SSH login prompt, even when SSH key authentication with Pageant is active in the background.
An important indicator in this situation is the PuTTY version. Here it is 0.70.
On the server side, the following log entries can be seen in /var/log/auth.log:
Mar 21 10:31:32 ubuntu2204 sshd[3695152]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Mar 21 10:31:34 ubuntu2204 sshd[3695152]: error: Received disconnect from 10.162.210.49 port 64409:13: Unable to authenticate [preauth]
Mar 21 10:31:34 ubuntu2204 sshd[3695152]: Disconnected from authenticating user ck 10.162.210.49 port 64409 [preauth]
As mentioned before, the SSH connection worked fine before the Ubuntu server was upgraded to 22.04/Jammy. On the Windows side nothing was changed.
So what has changed on the Ubuntu server that would cause this?
The Ubuntu distribution upgrade installed a newer OpenSSH version, which also changed the algorithms used in the background for exchanging SSH key authentication information between the SSH server and the SSH client (PuTTY in this case).
The error above suggests that the SSH key in use is not listed in the PubkeyAcceptedAlgorithms configuration. Let's look at the current value of this parameter:
root@ubuntu2204:~# sshd -T | grep -i PubkeyAcceptedAlgorithms
pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
However, when looking at the SSH key itself, the key seems to be fine:
ck@mintp ~ $ ssh-keygen -l -f .ssh/id_rsa
2048 SHA256:3[...] ck@claudiokuenzler.com (RSA)
The key size is 2048 bits, which is OK, the key encryption is using SHA256 and the key type is RSA. This combination is actually listed in PubkeyAcceptedAlgorithms as rsa-sha2-256.
The actual problem is that PuTTY 0.70 does not send this enhanced key information; it only announces that this is an ssh-rsa key. The SSH server, which now requires the more complete information about the key in use, therefore refuses to authenticate with the key, and the connection is cut.
Luckily there's an easy solution for everyone. There is no need to manually update the sshd configuration on all the upgraded Ubuntu servers; it is enough to use a newer PuTTY version!
PuTTY version 0.78 added the enhanced key information exchange when talking to an SSH server and therefore fixes this problem: the SSH server now receives the full key information (rsa-sha2-256) and accepts the connection.
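To find out which users are still connecting with an old PuTTY after such an upgrade, here is an added example (not part of the original post) that scans an auth.log for the rejection shown above and joins it, via the sshd PID, with the disconnect line of the same session. The sample log is constructed from the log lines of this post plus invented entries (users alice and bob, 192.0.2.x addresses).

```sh
#!/bin/sh
# Added example: report which clients sshd rejected because they only offered
# the legacy ssh-rsa signature algorithm, so those users can be told to
# upgrade PuTTY. Input is an auth.log-style file.

# Print "user source_ip count" for each user/IP pair whose public-key attempt
# failed with "key type ssh-rsa not in PubkeyAcceptedAlgorithms". That line
# carries no user or IP, so it is joined by sshd PID with the later
# "Disconnected from authenticating user ..." line of the same session.
legacy_rsa_clients() {
    awk '
        function pid() { match($0, /sshd\[[0-9]+\]/); return substr($0, RSTART + 5, RLENGTH - 6) }
        /userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms/ { rejected[pid()] = 1 }
        /Disconnected from authenticating user/ {
            p = pid()
            if (p in rejected) {
                # fields: ... authenticating user <name> <ip> port <n> [preauth]
                for (i = 1; i <= NF; i++) if ($i == "user") key = $(i + 1) " " $(i + 2)
                count[key]++
                delete rejected[p]
            }
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# Write the constructed sample log to the path given as $1. Only "ck" from
# 10.162.210.49 hits the ssh-rsa rejection (twice); alice logs in with an
# ed25519 key and bob disconnects without that rejection.
write_sample_log() {
    cat >"$1" <<'EOF'
Mar 21 10:31:32 ubuntu2204 sshd[3695152]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Mar 21 10:31:34 ubuntu2204 sshd[3695152]: error: Received disconnect from 10.162.210.49 port 64409:13: Unable to authenticate [preauth]
Mar 21 10:31:34 ubuntu2204 sshd[3695152]: Disconnected from authenticating user ck 10.162.210.49 port 64409 [preauth]
Mar 21 10:40:01 ubuntu2204 sshd[3695200]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructedfingerprint
Mar 21 10:45:10 ubuntu2204 sshd[3695210]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Mar 21 10:45:12 ubuntu2204 sshd[3695210]: Disconnected from authenticating user ck 10.162.210.49 port 64410 [preauth]
Mar 21 10:50:00 ubuntu2204 sshd[3695220]: Disconnected from authenticating user bob 192.0.2.20 port 51000 [preauth]
EOF
}

# On a real server: legacy_rsa_clients /var/log/auth.log
```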