Northward Midget Pole to Pole

31 Aug 2016

ssh asking for password when it shouldn’t

Posted by Quinn

After a recent Ubuntu upgrade, one of my frequented remote servers stopped accepting my public key and was prompting me for my password.  The password is gross and unwieldy and I was most put-out, I must say.  So, I googled the title of this post.  Mostly suggestions to check the permissions of various files.  All of mine were locked tight to user-only, including my home directory.

Of course, I'd already tried ssh -vvv to get all the debugging output.  Unfortunately, I zoomed in on the following message:

debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method

Instead of this one a little further up:

debug1: Skipping ssh-dss key /home/ME/.ssh/keyfiles/ME.key - not in PubkeyAcceptedKeyTypes

Rather than add ssh-dss to the supported types, I just created a new key with ssh-keygen.   An ssh-copy-id later, everything worked.

... except when it didn't.  Adding the following to ~/.ssh/config for the offending host worked:

Host refuses-my-agent-keys.jerkass.com
    PubkeyAcceptedKeyTypes +ssh-dss

28 Apr 2015

ssh: no matching cipher found

Posted by Quinn

After a recent Ubuntu upgrade on my home machine, ssh attempts to it from the VirtualBox instance at work stopped working.   Here's what ssh spewed back at me:

  no matching cipher found: client blowfish-cbc,arcfour server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

Impatient, I just logged in from another machine.  The VM runs CentOS 5.10 so that its environment is comparable with what [used to be] present on the majority of our production servers.   I'm an anti-RedHat bigot in the first place, and didn't want to hunt down repos and upgrade my ssh.

That was not necessary.  The problem was a "Ciphers" line I'd added to my ~/.ssh/config, intended to prefer  ("Googallegedly") faster encryption methods.   Adding all but those that resemble email addresses seems to have fixed the issue.   My "Ciphers" line now looks like this:

  Host *
      Ciphers blowfish-cbc,arcfour,aes128-ctr,aes192-ctr,aes256-ctr

The ciphers may be defined in your system /etc/ssh/ssh_config.  Check around.  If you can't find it anywhere, try this:

  sudo find ~/.[a-z]* /etc -path '*ssh*' -type f -print0 | sudo xargs -0 grep -F Cipher

Anyway, that was my fix. Right on in, easy-peasy lemon-squeezy.
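Why the edited Ciphers line gets a connection, as an added example (not code from the original post): SSH walks the client's cipher list in order and uses the first entry the server also offers (RFC 4253, section 7.1). The function names are made up for this sketch; the error string is the one quoted in the post.

```shell
#!/bin/sh
# Error text as quoted in the post (client list, then server list).
ERR='no matching cipher found: client blowfish-cbc,arcfour server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'

# offered_by SIDE MESSAGE
# Print the comma-separated list that follows "client" or "server".
offered_by() {
    printf '%s\n' "$2" | sed -n "s/.* $1 \([^ ]*\).*/\1/p"
}

# negotiate CLIENT_LIST SERVER_LIST
# Print the first client cipher that the server also offers.
# Returns 1 when the lists do not overlap (the "no matching cipher" case).
negotiate() {
    old_ifs=$IFS
    IFS=,
    for c in $1; do
        case ",$2," in
            *",$c,"*)
                IFS=$old_ifs
                printf '%s\n' "$c"
                return 0
                ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

client=$(offered_by client "$ERR")
server=$(offered_by server "$ERR")

# Original Ciphers line: nothing in common with the server.
negotiate "$client" "$server" || echo "no overlap for: $client"

# Edited Ciphers line from the post: the first two entries are skipped
# because the server does not offer them, and aes128-ctr is chosen.
negotiate 'blowfish-cbc,arcfour,aes128-ctr,aes192-ctr,aes256-ctr' "$server"
```

Against this server the blowfish-cbc and arcfour entries are never selected, so the session runs on aes128-ctr. On OpenSSH 6.3 or later, `ssh -Q cipher` lists the ciphers the local client supports.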