James, What I suggested was not to recompile dropbear for the VPS, but download and compile the same version of dropbear *on your computer* (or whatever is the machine you are using to connect to the VPC from). Then use dbclient instead of ssh to connect to the VPS. If you can write on the VPC, another thing you can do is to *cross compile* a newer version of dropbear on your PC using a toolchain for VPS, then install dropbear Regards, Fabrizio
On Tue, Jun 28, 2022 at 12:52 AM James Miller <gajs-f...@dea.spamcon.org> wrote: > Thanks to all for your responses and apologies for the delay in > responding. I decided that perhaps including in this response output from > the ssh -v command might be the best way to proceed since answers to some > of the questions asked will be found there. Thus, the following > slightly-obfuscated and commented output: > > ### below with key-pair authentication enabled > OpenSSH_9.0p1, OpenSSL 1.1.1p 21 Jun 2022 > debug1: Reading configuration data /home/user/.ssh/config > debug1: /home/user/.ssh/config line 6: Applying options for vps > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Connecting to 12.34.56.78 [12.34.56.78] port 22222. > debug1: Connection established. > debug1: identity file /home/user/.ssh/MyMachine.id.rsa type 0 > debug1: identity file /home/user/.ssh/MyMachine.id.rsa-cert type -1 > debug1: Local version string SSH-2.0-OpenSSH_9.0 > debug1: Remote protocol version 2.0, remote software version > dropbear_2017.75 > debug1: compat_banner: no match: dropbear_2017.75 > debug1: Authenticating to 12.34.56.78:22222 as 'user' > debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or > directory > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: algorithm: curve25519-sha...@libssh.org > debug1: kex: host key algorithm: ssh-rsa > debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 > compression: none > debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 > compression: none > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug1: SSH2_MSG_KEX_ECDH_REPLY received > debug1: Server host key: ssh-rsa SHA256:<alphanumeric string w special > chars here> > debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or > directory > debug1: Host '[12.34.56.78]:22222' is known and matches the RSA host key. > debug1: Found key in /home/user/.ssh/known_hosts:95 > debug1: rekey out after 4294967296 blocks > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: rekey in after 4294967296 blocks > debug1: get_agent_identities: bound agent to hostkey > debug1: get_agent_identities: agent returned 1 keys > debug1: Will attempt key: /home/user/.ssh/MyMachine.id.rsa RSA > SHA256:<long alphanumeric string here> explicit agent > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug1: Authentications that can continue: publickey > debug1: Next authentication method: publickey > debug1: Offering public key: /home/user/.ssh/MyMachine.id.rsa RSA > SHA256:<long alphanumeric sequence here> explicit agent > debug1: send_pubkey_test: no mutual signature algorithm > debug1: No more authentication methods to try. > user@12.34.56.78: Permission denied (publickey). > > ### below with key-pair authentication disabled (no -s switch under > /etc/default/dropbear config file) > OpenSSH_9.0p1, OpenSSL 1.1.1p 21 Jun 2022 > debug1: Reading configuration data /home/user/.ssh/config > debug1: /home/user/.ssh/config line 6: Applying options for vps > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Connecting to 12.34.56.78 [12.34.56.78] port 22222. > debug1: Connection established. > debug1: identity file /home/user/.ssh/MyMachine.id.rsa type 0 > debug1: identity file /home/user/.ssh/MyMachine.id.rsa-cert type -1 > debug1: Local version string SSH-2.0-OpenSSH_9.0 > debug1: Remote protocol version 2.0, remote software version > dropbear_2017.75 > debug1: compat_banner: no match: dropbear_2017.75 > debug1: Authenticating to 12.34.56.78:22222 as 'user' > debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or > directory > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: algorithm: curve25519-sha...@libssh.org > debug1: kex: host key algorithm: ssh-rsa > debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 > compression: none > debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 > compression: none > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug1: SSH2_MSG_KEX_ECDH_REPLY received > debug1: Server host key: ssh-rsa SHA256:<alphanumeric string w special > chars here> > debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or > directory > debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or > directory > debug1: Host '[12.34.56.78]:22222' is known and matches the RSA host key. > debug1: Found key in /home/user/.ssh/known_hosts:95 > debug1: rekey out after 4294967296 blocks > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: rekey in after 4294967296 blocks > debug1: get_agent_identities: bound agent to hostkey > debug1: get_agent_identities: agent returned 1 keys > debug1: Will attempt key: /home/user/.ssh/MyMachine.id.rsa RSA > SHA256:<long alphanumeric string here> explicit agent > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug1: Authentications that can continue: publickey,password > debug1: Next authentication method: publickey > debug1: Offering public key: /home/user/.ssh/MyMachine.id.rsa RSA > SHA256:<long alphanumeric sequence here> explicit agent > debug1: send_pubkey_test: no mutual signature algorithm > debug1: Next authentication method: password > user@12.34.56.78's password > > I have an ~/.ssh config and I do have stipulated there under the vps entry > HostkeyAlgorithms +ssh-rsa and PubkeyAcceptedAlgorithms +ssh-rsa, as can > be seen below: > > Host vps > Hostname 12.34.56.78 > Port 22222 > KexAlgorithms +diffie-hellman-group1-sha1 > HostKeyAlgorithms +ssh-rsa > IdentityFile /home/user/.ssh/MyMachine.id.rsa > > I did recently install on the client system keychain, since I had > generated a new ecdsa (ed25519) key set on this machine for other > purposes. keychain has not been configured to save that key in memory, > but rather the rsa key stipulated in the config. > > I suppose the quick and sure-fire way to address the issue I'm having > would be to generate new keys, as suggested by Konstantin. I decided I > might first try to gain some understanding of why the issue cropped up > since, if it will happen again in the future, a better understanding of > what's gone wrong could be helpful. But I do need to admit that my > understanding of authentication/encryption is quite limited, so perhaps I > will be unable to retain much of whatever I might learn about the current > issue. > > In response to Fabricio's suggestion of compiling a newer version of > Dropbear, that is precluded by 2 factors: 1) I have no toolchain installed > on the vps and, 2) that is by intention, since system resources are so > paltry that compiling software there would be an iffy proposition. That > said I suppose I could scour the interwebs for a static/standalone > dropbear binary that uses uclibc or something, or perhaps compile my own > on a better-endowed host. > > Further input will be appreciated. > > Thanks > > On Sat, 25 Jun 2022, Matt Johnston wrote: > > > -- Delivered via SpamCon Foundation DEA: http://dea.spamcon.org > > -- Replies will be sent to m...@ucc.asn.au > > -- Additional Info: http://dea.spamcon.org/i/?v=134557338 > > > > On 2022-06-25 7:49 am, James Miller wrote: > >> I set up a small low-resource VPS a few years ago to use mainly as a > >> light-use xmpp server. I got Dropbear operating there so I could admin > >> it. Dropbear seemed a good choice since system resources were so > >> anemic. I recall it being quite challenging to get key-pair > >> authentication to finally work there, though I can't recall many > >> details about how I finally succeeded. > > > > Most likely would be OpenSSH requiring sha2 for RSA signatures. If you > can > > use > > ecdsa keys instead those should work OK. > > > > Alternatively to keep using RSA, set > > > > Host old-host > > HostkeyAlgorithms +ssh-rsa > > PubkeyAcceptedAlgorithms +ssh-rsa > > > > in your .ssh/config for the client which will allow the older sha1 RSA > > signatures. > > Which OpenSSH version is it? https://www.openssh.com/releasenotes.html > has > > details > > of what has been deprecated. > > > > Matt > > > >> The VPS runs Ubuntu 16.04 (EMS), so the version of Dropbear there is a > >> bit outdated (v2017.75). Since that release was made, various changes > >> have happened to openssh that may, I assume, make it incompatible with > >> this version of Dropbear. I am using ssh when I try to connect to the > >> VPS, btw. > > >
