send_pubkey_test: no mutual signature algorithm

nagylzs · May 2, 2022, 2:03pm

Hello, I just upgraded my OS from Ubuntu 20.04 LTS to 22.04 LTS. Now I cannot login to my ROS 7.2.1 devices using an ssh agent. If I try this from any 20.04 OS (or Windows 10 + Putty), then it works. I have tried to connect with “-vvvv” option and this is what I see in the debug log:

debug1: Offering public key: /home/my_user/.ssh/id_rsa RSA SHA256:2******************************Y agent
debug1: send_pubkey_test: no mutual signature algorithm

What is causing this problem, and how can I fix it?

mkx · May 2, 2022, 5:22pm

Newer linux distributions are depreciating some older host key and key exchange algorithms. They are still supported by ssh clients, but disabled by default. You can enable them by adding this to ${HOME}/.ssh/config (create file if it doesn’t exist already):

host <router name or IP address>
        KexAlgorithms +diffie-hellman-group1-sha1
        HostKeyAlgorithms +ssh-dss

And keep your RSA key handy, ROS ssh (still) doesn’t support newer ecdsa and ed25519 key types.

nagylzs · May 4, 2022, 7:47am

Thank you

nagylzs · May 9, 2022, 10:06am

Added this into ~/.ssh/config

host r01.eger.magnet
    hostname r01.eger.magnet
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss

But I still see this:

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:2****************************Y agent
debug1: send_pubkey_test: no mutual signature algorithm

Ssh client is on Ubuntu 22.04 LTS, package versions:

libssh-4/jammy,now 0.9.6-2build1
libssh-gcrypt-4/jammy,now 0.9.6-2build1
libssh2-1/jammy,now 1.10.0-3
openssh-client/jammy,now 1:8.9p1-3
ssh-import-id/jammy,jammy,now 5.11-0ubuntu1

eworm · May 9, 2022, 3:04pm

Ignore the options above… What you need is:

PubkeyAcceptedAlgorithms +ssh-rsa

mkx · May 9, 2022, 3:08pm

Gosh … this is a new one. A thing to remember.

eworm · May 9, 2022, 3:10pm

And please complain to support…
The earlier we may have support for ed25519 keys.

nagylzs · May 12, 2022, 7:48am

Thanks, it works!

This is all I needed

KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
PubkeyAcceptedAlgorithms +ssh-rsa

eworm · May 12, 2022, 2:08pm

Just the last line should be sufficient. The others enable legacy things you do not want.

AnrDaemon · May 31, 2022, 12:52pm

Thanks, that worked quite well.

Match host 192.168.1.1,vpn.darkdragon.lan
  PubkeyAcceptedAlgorithms +ssh-rsa

ej2pi · July 11, 2022, 1:47am

Just wanted to say thank you!! This saved me a considerable amount of time.

TerminalAddict · August 24, 2022, 8:44am

not working for me after updating to jammy

Host gulp
        Hostname gulp.bach.redacted.com
        Port 22
        User paul
        KexAlgorithms +diffie-hellman-group1-sha1
        HostKeyAlgorithms +ssh-dss
        PubkeyAcceptedAlgorithms +ssh-rsa

mt99 · September 18, 2022, 4:19am

In my case, a new Ubuntu 22.04 server I migrated to wouldn’t use the identity file even though I was using the proper syntax. The -vv switch argument on the SSH command showed that the signature algorithm wasn’t being accepted. Create a new file in /etc/ssh/ssh_config.d, call it anything.conf, and as previously suggested add this one line: PubkeyAcceptedAlgorithms +ssh-rsa

It’s also possible to test this directly in your SSH command before creating the file by adding -o PubkeyAcceptedKeyTypes=+ssh-rsa as an additional option. Worked for me.

pothi · December 4, 2022, 4:13am

Same issue. Thanks @nagylzs for creating this topic and thanks to @eworm for sharing the solution. @mt99 That’s a nice tip too!

Here’s the one-liner that I did to automate it in Ubuntu 22.04 and in future Ubuntu versions…

echo "PubkeyAcceptedAlgorithms +ssh-rsa" | sudo tee /etc/ssh/ssh_config.d/rsa-support.conf

No need to restart SSH, as it is a client side configuration.

aseques · January 13, 2023, 11:23am

As @eworm mentioned on another thread, from router OS 7.7 the ed25519 keys are supported, from the changelog:

*) ssh - added support for Ed25519 key exchange;
*) ssh - do not allow SHA1 usage with strong crypto enabled;
*) ssh - fixed handling of non standard size RSA keys;

So you could create a new key with this:

ssh-keygen -t ed25519 -b 4096

mkx · January 13, 2023, 12:47pm

Wrong:

as highlited: Ed25519 is currently only supported for key exchange. Which doesn’t mean that Ed25519 public/private keys are supported (they still are not).

eworm · January 13, 2023, 5:14pm

That is not true. I did not write that.

To date only ed25519 key exchange is supported. Let’s hope we will see support for host keys and public key authentication soon.

aseques · February 1, 2023, 9:49am

You’re right, I missunderstood your comments, let’s see if they add the ed25519 for authentication soon…

nagylzs · July 6, 2024, 7:39am

Update on the topic. Today I upgraded my ssh client and these cannot be used anymore:

HostKeyAlgorithms +ssh-dss
PubkeyAcceptedAlgorithms +ssh-rsa

It results in:

/home/user/.ssh/config line 6: Bad key types '+ssh-dss'.
/home/user/.ssh/config: terminating, 1 bad configuration options

It seems to be working with KexAlgorithms +diffie-hellman-group1-sha1 alone on routeros 7.15 but I’m not sure about older versions.

Dude · October 2, 2024, 8:57am

Thanks