Upgrade 22.12.3.3 to 23.10.1 breaks root SSH public key login

FrankWard

I just upgraded from 22.12.3.3 to 23.10.1 using the GUI. There have been a few odd things with services not starting and such, but the big issue I am facing is that my root login does not work anymore with any keys. I can enable password-based login and gain access to the shell, but the public key auth broke on upgrade and I have no idea how to fix it. Any insight would be appreciated!

HoneyBadger

iXsystems
Hey @FrankWard

Do you happen to know what algorithm your key is using? It looks like the underlying ssh server in Cobia dropped support for the ssh-rsa algorithm, so you might need to regenerate the key again with one of the supported ones:

Code:
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519


Edit: It might be a little more complex than this; there's a potential interaction between the key and the client/server behavior. This article helps to explain it fairly well, and Bluefin -> Cobia definitely crossed the OpenSSH 8.8 version barrier discussed here (from 8.4 to 9.2)


FrankWard

Thank you. I missed that memo. Adding the 'PubkeyAcceptedAlgorithms +ssh-rsa' fixed the login. I'll look into creating an updated key.
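
An added example, not part of the original thread: a Python sketch that audits authorized_keys entries and flags RSA keys, the key type affected when OpenSSH 8.8 and later stop accepting the ssh-rsa (SHA-1) signature algorithm by default. The function names are hypothetical and the sample keys are constructed inside the script, not real keys.

```python
import base64
import struct

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_line(line):
    """Return (key_type, rsa_bits or None, affected) for one authorized_keys entry."""
    fields = line.split()
    # Skip any leading options field; assumes options contain no token starting "ssh-".
    for i, tok in enumerate(fields[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            declared, blob = tok, base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no key type found")
    name, off = read_string(blob, 0)
    if name.decode() != declared:
        raise ValueError("declared key type does not match key blob")
    if declared != "ssh-rsa":
        return declared, None, False
    _exponent, off = read_string(blob, off)
    modulus, _ = read_string(blob, off)
    # RSA keys still work when the client signs with rsa-sha2-256/512; only
    # clients limited to the ssh-rsa (SHA-1) signature are rejected by default.
    return declared, int.from_bytes(modulus, "big").bit_length(), True

def audit(lines):
    """Audit every non-blank, non-comment line."""
    return [audit_line(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]

def sample_lines():
    """Constructed sample entries (not real keys) built in SSH wire format."""
    wire = lambda *f: b"".join(struct.pack(">I", len(x)) + x for x in f)
    enc = lambda b: base64.b64encode(b).decode()
    rsa = wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + (1 << 2047 | 1).to_bytes(256, "big"))
    ed = wire(b"ssh-ed25519", bytes(32))
    return ["# constructed authorized_keys content",
            'from="192.0.2.10",no-agent-forwarding ssh-rsa %s root@old-laptop' % enc(rsa),
            "ssh-ed25519 %s root@new-laptop" % enc(ed)]

if __name__ == "__main__":
    for key_type, bits, affected in audit(sample_lines()):
        print(key_type, bits or "-", "check client signature support" if affected else "ok")
```

An entry flagged as affected is not necessarily broken: it fails only when the connecting client cannot sign with rsa-sha2-256 or rsa-sha2-512.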
 