Login with public key not working

Rocky Linux General
1

HI

i make fresh instal of RL9 non graphical
i can log with new user by password, but not with ssh_key.
for toher syssme like centos it is working.

chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_key

was done …

I`m connectig with putty.

the key is 4096 RSA generated by PuttyGen

/etc/ssh/sshd_config is deffault

this is from secuirty log
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

thansk

2

Good day @Stefan_CNC,

I’ve had no experience with this issue and my public keys not working. However, take a look at this link (near the bottom of the discussion (June 20, 2022) and see if maybe that is your issue as well. The example is for Red Hat 8.6, but it may still be relevant.

If time allows today, I’ll do some testing of your issue as well.

3

You should have file: /etc/ssh/sshd_config.d/50-redhat.conf
that contains line:

Include /etc/crypto-policies/back-ends/opensshserver.config

Do you get any output with:

grep ssh-rsa /etc/crypto-policies/back-ends/opensshserver.config | cut -d' ' -f1

While update-crypto-policies --show displays: DEFAULT

I’d presume that the ‘ssh-rsa’ does use SHA1 and I do know that the default policy does not.

That gives two options:

  1. Generate keys with some other algorithm than RSA. Can putty use ed25519 keys?
  2. Decrease security and allow SHA1 with: update-crypto-policies --set DEFAULT:SHA1
4

thanks

with ed25519 it is woking.
but also i must change ssh-rsa to ssh-ed25519 in authorized_keys

grep ssh-rsa /etc/crypto-policies/back-ends/opensshserver.config | cut -d' ' -f1

no outpot… i look manualy and on the end for PubkeyAcceptedAlgorithms is just rsa-sha2-256,rsa-sha2-512

adding `ssh-rsa,ssh-rsa-cert-v01@openssh.com ’ in PubkeyAcceptedKeyTypes" in /etc/ssh/sshd_config not working …

5

Exactly. The default policy does not allow SHA1 and therefore it omits ssh-rsa from the opensshserver.config

First, do not edit the /etc/ssh/sshd_config

Second, if you want to allow the less secure SHA1, then the update-crypto-policies command is the way.
See System-wide cryptographic policies in RHEL - Red Hat Customer Portal and Chapter 3. Using system-wide cryptographic policies Red Hat Enterprise Linux 9 | Red Hat Customer Portal

The first option in /etc/ssh/sshd_config is:

Include /etc/ssh/sshd_config.d/*.conf

You probably did add your settings to the end of /etc/ssh/sshd_config and first occurrence wins.

You can override sshd options by creating new *.conf file (e.g. 00-my.conf), just like installation has added /etc/ssh/sshd_config.d/50-redhat.conf