Server refused our key - After upgrade to vyos 1.3.0

Hello.
I can no longer access via SSH with my previous PuTTY key after an upgrade from VyOS 1.2.8 to 1.3.0.
I get “Server refused our key” in PuTTY’s logs. So far, it is the only problem with the upgrade.
The key is a 2048-bit RSA key and I have it installed on multiple VyOS systems still running version 1.2.8. Can I still use it?
Thanks and regards.

Hello

Could you provide your current configuration? Have you configured different ciphers on the SSH service?

Thank you for the reply, but I’m not sure if I understood the question.
My configuration is the following:

host-name my-VyOS
login {
    user david {
        authentication {
            encrypted-password $****************************/
            plaintext-password ""
            public-keys rsa-key-20120921 {
                key *********************************************************EQ==
                type ssh-rsa
            }
It is still working on my critical non updated VyOS.
I believe it might have something to do with the Debian version currently used, which may not be accepting my RSA 2048 key.

Putty (incomplete) log:
|2022-03-11 15:09:40|Reading key file C:\Program Files (x86)\PuTTY\putty_dave_priv_key.ppk
|2022-03-11 15:09:40|Pageant is running. Requesting keys.|
|2022-03-11 15:09:40|Pageant has 1 SSH-2 keys|
|2022-03-11 15:09:40|Pageant key #0 matches configured key file|
|2022-03-11 15:09:40|Trying Pageant key #0|
|2022-03-11 15:09:40|Server refused our key|
|2022-03-11 15:09:40|Offered public key|
|2022-03-11 15:09:40|Server refused our key|

Thanks!

Switching default-boot to 1.2.8 and ssh key authentication works. OS change?

It’s strange… could you share this command? show version

Version: VyOS 1.3.0
Release train: equuleus

Built by: Sentrium S.L.
Built on: Sun 19 Dec 2021 12:59 UTC
Build UUID: ff458f8a-3ef7-453c-a7f9-4aeb6d03012e
Build commit ID: 2f691bb2f61e96-dirty

Architecture: x86_64
Boot via: installed image
System type: bare metal

Hardware vendor: Hewlett-Packard
Hardware model: HP Compaq dc5100 MT(PW196ET)
Hardware S/N: CZC5340B22
Hardware UUID: a04944c5-ece8-d911-bbda-fe2120f7000f

Copyright: VyOS maintainers and contributors

I know that recent OS versions have introduced some changes in authentication with SSH. Could this be one of those situations?

Hello Dave

It looks like a client issue. I did an upgrade from 1.2.8 to 1.3.0 with an rsa-2048 key, and after the upgrade it works without problems. I could connect to the VyOS instances. Let me show:

1.2.8

set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$MjV2YvKQ56q$QbL562qhRoyUu8OaqrXagicvcsNpF1HssCY06ZxxghDJkBCfSfTE/4FlFB41xZcd/HqYyVBuRt8Zyq3ozJ0dc.'
set system login user vyos authentication plaintext-password ''
set system login user vyos authentication public-keys testfet key '[...]
Vteb5KtnD6Xi4vcsFbcX9MFeb/oxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
set system login user vyos authentication public-keys testfet type 'ssh-rsa'
set system login user vyos level 'admin'

upgrade to 1.3.0


vyos@vyos:~$ show configuration commands | match vyos
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$MjV2YvKQ56q$QbL562qhRoyUu8OaqrXagicvcsNpF1HssCY06ZxxghDJkBCfSfTE/4FlFB41xZcd/HqYyVBuRt8Zyq3ozJ0dc.'
set system login user vyos authentication plaintext-password ''
set system login user vyos authentication public-keys testfet key 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDik2DOtB7gQdh+tqtes4aWsFEwIP7FA4MNVwXFWpmfaE5NZA1VIRQTxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
set system login user vyos authentication public-keys testfet type 'ssh-rsa'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
vyos@vyos:~$
vyos@vyos:~$
vyos@vyos:~$ show version

Version:          VyOS 1.3.0
Release train:    equuleus

Built by:         Sentrium S.L.
Built on:         Sun 19 Dec 2021 12:59 UTC
Build UUID:       ff458f8a-3ef7-453c-a7f9-4aeb6d03012e
Build commit ID:  2f691bb2f61e96-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    3b755700-b996-48df-ab26-d6b5ab05694e

Copyright:        VyOS maintainers and contributors

When I log in to the VyOS VM, it works without problems:

ssh vyos@192.168.122.108
Enter passphrase for key '/Users/XXXXX/.ssh/id_rsa':
Welcome to VyOS!

Check out project news at https://blog.vyos.io
and feel free to report bugs at https://phabricator.vyos.net

Visit https://support.vyos.io to create a support ticket.

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright
Use of this pre-built image is governed by the EULA you can find at
/usr/share/vyos/EULA

Last login: Fri Mar 11 18:56:05 2022 from 192.168.0.3
vyos@vyos:~$


Hello and thank you for the reply.
Did the upgrade on another VyOS 1.2.8 to 1.3.0 and got the same “server refused our key” when using PuTTY. I’ll set up a Linux client and check if the problem persists.

Hello again. Generated a small 1024-bit RSA key with ssh-keygen on a Linux box, set this additional key on my existing user, and I can access without any trouble. So I also think this must be something related to my client. But why does it still work on VyOS 1.2.8?
I’ll continue to investigate.

error: userauth_pubkey: could not parse key: Invalid key length [preauth]

OK, so a PuTTY-generated 1024-bit key (ssh-rsa 1023 SHA256:) no longer works after the update, but a 1024-bit key generated with ssh-keygen still works from a Linux client. Any ideas, please?
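
The `Invalid key length` log line and the `ssh-rsa 1023` fingerprint above both refer to the RSA modulus size encoded in the public key. As an added example (not from the thread or from VyOS), this Python code decodes the base64 value that goes into `public-keys ... key` and reports the modulus bit length; the 1024-bit floor, the key names and the sample moduli are assumptions constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 1024  # assumed floor for this example; adjust to the server's policy


def _read_field(blob, off):
    """Read one length-prefixed SSH string/mpint; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end


def rsa_modulus_bits(b64_key):
    """Modulus size in bits of a base64 ssh-rsa public key blob."""
    blob = base64.b64decode(b64_key, validate=True)
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _exponent, off = _read_field(blob, off)
    modulus, _ = _read_field(blob, off)
    return int.from_bytes(modulus, "big").bit_length()


def audit(keys, min_bits=MIN_RSA_BITS):
    """Map key name -> (bits, meets_minimum) for {name: base64 blob}."""
    result = {}
    for name, b64_key in keys.items():
        bits = rsa_modulus_bits(b64_key)
        result[name] = (bits, bits >= min_bits)
    return result


def _sample_blob(bits, e=65537):
    """Constructed test data: an ssh-rsa blob whose modulus has exactly `bits` bits."""
    def field(raw):
        return struct.pack(">I", len(raw)) + raw
    def mpint(x):  # minimal big-endian encoding, with a sign byte when needed
        return field(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    n = (1 << (bits - 1)) | 1  # not a real RSA modulus, only the right size
    return base64.b64encode(field(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


# Constructed sample keys (hypothetical names), not keys from the thread.
SAMPLE_KEYS = {"putty-1023": _sample_blob(1023), "openssh-1024": _sample_blob(1024),
               "putty-2048": _sample_blob(2048)}

if __name__ == "__main__":
    for name, (bits, ok) in audit(SAMPLE_KEYS).items():
        print(f"{name}: {bits} bits, {'ok' if ok else 'below minimum'}")
```

Running the same check over every `public-keys` entry before an upgrade shows which keys fall under the floor and need to be regenerated.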

A newly generated 2048-bit key from PuTTY works. Why does a 1024-bit OpenSSH-generated key work in a Linux client while the PuTTY one stopped working after the update?

I have no idea. I’ve checked it on Mac/Linux and it works on both without problems.

As a wild guess, what version of PuTTY is being used?

Thanks for the reply.
PuTTY version 0.76.

Unlikely to be related then, as that is a very recent version.

Thanks for the reply, but I only had the problem with PuTTY, not with OpenSSH clients, and a 2048-bit key now works with PuTTY.
If I understand correctly, VyOS 1.3.0 is now based on Debian 10. Some recent Linux distributions have been implementing more restrictions for remote access (in Fedora I had this problem with cryptographic policies: default, legacy, future), so it must be OS related.