Problem connecting with SSH

My setup has been unchanged (apart from updates) for at least a year and I used to be able to connect via SSH from across the GREEN internal network. I use a key.

However, when I needed to connect today (I haven’t to for ages) I keep getting “server refused key” error.

My config and keys all look OK and SSH is enabled, etc, so I’m a bit puzzled … has something changed ???

BTW i can still log in OK with a password, but I would prefer not to use this for security reasons.



I presume you recently upgraded your IPFire machine after a long time. If so, you may probably be hit by the following upstream change made in OpenSSH 8.8:

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] “SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust” Leurent, G and Peyrin, T

Another possibility might be that you conducted manual changes to /etc/ssh/sshd_config, which now were overwritten by a Core Update. Please grep through /var/log/messages for further details; OpenSSH should log why it does not like your key anymore.

And you are right, login via key is much more secure than passwords. :slight_smile:

Thanks, and best regards,
Peter Müller