SSH with Public Key in openSUSE 15.6

With Leap 15.6 the ssh signature type ssh-rsa isn’t supported any longer for ssh connections. Therefore every connection using a ssh-rsa signature asks for a password instead of trying a public key authentication.

Nevertheless the command ssh-keygen still produces a ssh-rsa signature if not forced otherwise. So you can set the signature type option like:
ssh-keygen -t ecdsa

Test your supported signature types of the client and of the server with:
ssh -nvv -o NumberOfPasswordPrompts=0 <user>@<host> 2>&1 | grep 'debug2: host key'
Both have to match the used signature type.


I’m pretty sure that’s wrong.

The actual change is that there is now a minimum length required for RSA keys. I have just successfully logged in (from one 15.6 system to another) using a 3072 bit RSA key.

I have switched to mostly use ed25519 keys in my normal work, but I do have an RSA key for testing purposes.

Please read SLES15 SP6 release notes, chapter 5.7.1:

If you already have an rsa-key that is long enough, that works. If you create a key with ssh-keygen without any option, the created rsa-key is too short and will not work.

I’m pretty sure that if you create an RSA key without any options, you will get a 3072 bit key. That’s how my key happens to be 3072 bits.

However, if you created an RSA key several years ago, it might well be too short. Prior to installing 15.6, I was using a 1024 bit RSA key and a 2048 bit RSA key. The 1024 bit key is from many years ago. The 2048 bit key did still work with 15.6, but I have since changed my practices, and generated new keys.
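Added example, not code from any poster in this thread: a Python sketch that reads the RSA modulus size straight out of a public key line, which is how you can tell whether an old key in `authorized_keys` falls under a minimum length. The function names, the 2048-bit threshold and the sample lines are assumptions of this example; the sample keys are built around a made-up modulus and are not usable keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold for this example, not a value from the thread


def field(raw):
    """Encode one length-prefixed SSH wire field (RFC 4251 string)."""
    return struct.pack(">I", len(raw)) + raw


def mpint(value):
    """Encode a positive integer as an SSH mpint, sized so the sign bit stays clear."""
    return field(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def read_field(blob, offset):
    """Decode one length-prefixed field, returning (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_pubkey_line(line):
    """Return (key_type, rsa_bits or None) for a 'type base64 [comment]' line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    inner_type, offset = read_field(blob, 0)
    if inner_type.decode("ascii") != key_type:
        raise ValueError("key type label does not match the encoded blob")
    if key_type != "ssh-rsa":  # "ssh-rsa" here names the key type, not a hash choice
        return key_type, None
    _exponent, offset = read_field(blob, offset)
    modulus, _ = read_field(blob, offset)
    return key_type, int.from_bytes(modulus, "big").bit_length()


def constructed_rsa_line(bits):
    """Build a syntactically valid line around a made-up modulus (not a usable key)."""
    blob = field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} constructed-{bits}"


def short_rsa_keys(lines, min_bits=MIN_RSA_BITS):
    """List (comment, bits) for every RSA key below min_bits."""
    results = [(line.split()[-1], inspect_pubkey_line(line)[1]) for line in lines]
    return [(who, bits) for who, bits in results if bits is not None and bits < min_bits]
```

Lines with leading `authorized_keys` options are not handled; strip the options field first.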

Sorry, my command was ssh-keygen -t rsa

which is given in many tutorials.

Creating this key should not be possible, but is!

ssh-keygen without any option creates a key, that is not supported by my server.

I just tested this:

% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nwr/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/nwr/.ssh/id_rsa
Your public key has been saved in /home/nwr/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:VDNBaK3hEYoAULxv5/mwz9kO/uYVCPII5IsK89vJGF8 nwr@nwrdell
The key's randomart image is:
+---[RSA 3072]----+
|++o .   .=*.     |
|  .+ . .=..o     |
|   .+ ooo+       |
|  .. o =o. .     |
|o ... . S . .    |
|.+  o .      .   |
|. o. oE..   .    |
|   B oo= +..     |
|  o = .o*==      |
+----[SHA256]-----+

As you can see, it generated a 3072 bit RSA key which should be supported by a Leap 15.6 server.

Then it is not the key length. I did the same and got the following public key:

ssh-rsa [key data omitted] axel@Brahms

It begins with ‘ssh-rsa’. I put this key into ~/.ssh/authorized_keys of the server … and it didn’t work!

ssh -nvv -o NumberOfPasswordPrompts=0 <user>@<host> 2>&1 | grep 'debug2: host key'

gives the following info:

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256

You see that the client (first) has no ssh-rsa algorithm, but the server (second) does. And both have ecdsa-sha2-nistp256, which works.

Axel

I’m not sure what that is showing.

I repeated my earlier steps.

I first renamed “.ssh” to “.ssh.old” and created a new “.ssh” directory. I then created an RSA key:

% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nwr/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/nwr/.ssh/id_rsa
Your public key has been saved in /home/nwr/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:xBK9+AbHdVyiEBXoIbW2s+8ubLOsgn/tkUrbtRH06f8 nwr@nwr2
The key's randomart image is:
+---[RSA 3072]----+
|      .o++oo...  |
|      .o+o..o.   |
|      .==+o.     |
|      o+=o . .   |
|       +S . o    |
|        o+ o     |
|   .  .++ o .    |
|  . ...=*+ o .   |
|   ..o++=*=   ..E|
+----[SHA256]-----+
nwr2:nwr 9% ls .ssh
id_rsa  id_rsa.pub
nwr2:nwr 10% cat .ssh/*.pub
ssh-rsa [key data omitted] nwr@nwr2

I next added that public key to “.ssh/authorized_keys” on the server. (I did that out-of-line so no output to show).

I then tried to login to the server:

nwr2:nwr 11% ssh nwrdell
Enter passphrase for key '/home/nwr/.ssh/id_rsa': 
Last login: Sun May 19 06:52:53 2024 from 192.168.1.66
nwrdell:nwr 1%

And that worked, without a problem.

Your debug output is showing information about host keys rather than client keys. Maybe you are trying to use host keys to authenticate but your host key is too short or otherwise not suitable.
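Added example, not code from any poster in this thread: a Python sketch that reads the two `host key algorithms` debug lines quoted earlier and works out which host key algorithm the two sides agree on. These lines describe how the server proves its identity to the client, which is separate from which user key the server accepts. The function names are this example's own, and the selection rule is a simplified reading of RFC 4253 section 7.1.

```python
PREFIX = "debug2: host key algorithms: "
# Three signature algorithm names that all use an RSA key (RFC 4253, RFC 8332).
RSA_SIGNATURE_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

# The two lines quoted in the thread: client proposal first, server proposal second.
THREAD_OUTPUT = (
    "debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp256,ssh-ed25519-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "sk-ssh-ed25519-cert-v01@openssh.com,"
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,"
    "ssh-ed25519,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,"
    "rsa-sha2-512,rsa-sha2-256\n"
    "debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256\n"
)


def host_key_proposals(debug_text):
    """Return (client_list, server_list) from `ssh -vv` output."""
    found = [line[len(PREFIX):].strip().split(",")
             for line in debug_text.splitlines() if line.startswith(PREFIX)]
    if len(found) != 2:
        raise ValueError("expected one client and one server proposal")
    return found[0], found[1]


def compare_host_key_algorithms(debug_text):
    """Summarize what the two host key proposals have in common."""
    client, server = host_key_proposals(debug_text)
    # Simplified RFC 4253 rule: first client preference that the server also lists.
    chosen = next((alg for alg in client if alg in server), None)
    return {
        "negotiated": chosen,
        "server_only": [alg for alg in server if alg not in client],
        "shared_rsa": sorted(RSA_SIGNATURE_ALGS & set(client) & set(server)),
    }


if __name__ == "__main__":
    print(compare_host_key_algorithms(THREAD_OUTPUT))
```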
