From 6fbd78d4621cdc45017105ae89881cf50417cc8e Mon Sep 17 00:00:00 2001 From: William Carroll Date: Tue, 12 Jul 2022 13:40:41 -0700 Subject: feat(wpcarro/blog): SSH Oddities Another short post about strange encounters in sysadmin-land. Change-Id: Ie71ca36553440d706ff808af91bed8e09008f909 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5944 Tested-by: BuildkiteCI Reviewed-by: wpcarro Autosubmit: wpcarro --- users/wpcarro/website/blog/posts.nix | 7 +++ users/wpcarro/website/blog/posts/ssh-oddities.md | 59 ++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 users/wpcarro/website/blog/posts/ssh-oddities.md diff --git a/users/wpcarro/website/blog/posts.nix b/users/wpcarro/website/blog/posts.nix index 1dd6930a1e..7766dabd60 100644 --- a/users/wpcarro/website/blog/posts.nix +++ b/users/wpcarro/website/blog/posts.nix @@ -50,4 +50,11 @@ content = ./posts/tee-time.md; draft = false; } + { + key = "ssh-oddities"; + title = "SSH Oddities"; + date = 1657647994; + content = ./posts/ssh-oddities.md; + draft = false; + } ] diff --git a/users/wpcarro/website/blog/posts/ssh-oddities.md b/users/wpcarro/website/blog/posts/ssh-oddities.md new file mode 100644 index 0000000000..f6fa603f3e --- /dev/null +++ b/users/wpcarro/website/blog/posts/ssh-oddities.md @@ -0,0 +1,59 @@ +## Background + +I was trying to debug a service over `ssh` that offered password-only +authentication, but I couldn't seem to get the `ssh` client to prompt me for the +password. + +It looked something like this (skip ahead to the conclusion if you're pressed +for time): + +## Troubleshooting + +```shell +λ ssh root@[redacted] +Unable to negotiate with [redacted] port 22: no matching host key type found. Their offer: ssh-rsa +``` + +But the same command was working just fine for my coworker. + +I took a closer look with `ssh -v root@[redacted]`, but nothing jumped-out at +me. Maybe it's something with *my* `ssh` configuration; let's remove that +variable: + +```shell +λ ssh -F /dev/null root@[redacted] +Unable to negotiate with [redacted] port 22: no matching host key type found. Their offer: ssh-rsa +``` + +> Ah it looks like there's a way to set my preferred authentication method... +> -- me + +```shell +λ ssh -F /dev/null -o PreferredAuthentications=password root@[redacted] +Unable to negotiate with [redacted] port 22: no matching host key type found. Their offer: ssh-rsa +``` + +## Conclusion + +Well it turns-out that newer SSH clients disable the `ssh-rsa` public key +signature algorithm because it depends on SHA-1, which is considered insecure. + +```shell +λ ssh -V +OpenSSH_9.0p1, OpenSSL 1.1.1p 21 Jun 2022 +``` + +...and according to the `ssh -v` output, the server is running an pre-COVID(!!!) +version of `ssh`: + +``` +debug1: Remote protocol version 2.0, remote software version dropbear_2018.76 +``` + +So if you don't have time to upgrade the SSH server, and you just want to +connect, the following should work because we're *opting-into* the less secure +option: + +```shell +λ ssh -o HostKeyAlgorithms=+ssh-rsa root@[redacted] +``` -- cgit 1.4.1