0

I'm trying to ssh into a Solaris 10U11 system using a public key in the authorized keys on the system. Does anyone know why I keep getting prompted for my password?

I think it has to do with an error message as follows:

send_pubkey_test: no mutual signature algorithm

Here are some notes I followed to ensure algorithms work and file permissions are correct:

I added the following to the client .ssh/config; otherwise I can't negotiate the exchange with the macOS v13.7 ssh version:

 HostKeyAlgorithms=+ssh-dss
 KexAlgorithms +diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Checked that client .ssh/key.pub is in server .ssh/authorized_keys.

Checked permissions are correct.

$ ls -ld ~
700
$ ls -ld ~/.ssh
700
$ ls -ld ~/.ssh/authorized_keys
600

$ grep "PubKeyAuthentication" /etc/ssh/sshd_config
PubKeyAuthentication yes

Here is the log from the client:

$ ssh -v sol10
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/USER/.ssh/config
debug1: /Users/USER/.ssh/config line 9: Applying options for *
debug1: /Users/USER/.ssh/config line 36: Applying options for sol10
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.56.21 [192.168.56.21] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /Users/USER/.ssh/id_rsa type 0
debug1: identity file /Users/USER/.ssh/id_rsa-cert type -1
debug1: identity file /Users/USER/.ssh/id_rsa-lin type 0
debug1: identity file /Users/USER/.ssh/id_rsa-lin-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.5
debug1: compat_banner: no match: Sun_SSH_1.1.5
debug1: Authenticating to 192.168.56.21:22 as 'np'
debug1: load_hostkeys: fopen /Users/USER/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-dss SHA256:z1H5tBOkcAOUGKo5aWxufw2E0qsjc/VlYQpNIiZzRaM
debug1: load_hostkeys: fopen /Users/USER/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.56.21' is known and matches the DSA host key.
debug1: Found key in /Users/USER/.ssh/known_hosts:7
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /Users/USER/.ssh/id_rsa-lin RSA SHA256:x explicit agent
debug1: Will attempt key: /Users/USER/.ssh/id_rsa RSA SHA256:x explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/USER/.ssh/id_rsa-lin RSA SHA256:x explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /Users/USER/.ssh/id_rsa RSA SHA256:x explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: keyboard-interactive
9
  • How did you generate the private and public key pair? I assume the private key requires a passphrase. Also, provide the output of ssh -v user@server. Commented Jan 26 at 18:51
  • I added the log and error at the top of the post. 'send_pubkey_test: no mutual signature algorithm'. I generated the private and public key on MacOS with ssh-keygen. I did not require use of a password, but yes I should have. I'm just using it to connect to test VMs. Commented Jan 26 at 19:00
  • 1
    Could this apply: confluence.atlassian.com/bitbucketserverkb/… If so, report back and I will write up an answer. You need to either generate a new set of keys with ECDSA and ED25519 algorithms (highly recommended) or specify PubkeyAcceptedKeyTypes +ssh-rsa in your ssh config on your mac. Commented Jan 26 at 19:06
  • 2
    My pub/priv key is generated with RSA/AES128-CBC. Adding PubkeyAcceptedKeyTypes +ssh-rsa into my client ~/.ssh/config solved this. Can you explain more about what's happening? Commented Jan 26 at 19:31
  • Have you tried to access Solaris with ssh -legacy sol10? Commented Jan 26 at 19:46

2 Answers

1

Looking at the error, send_pubkey_test: no mutual signature algorithm usually hints at a more recent OpenSSH client that no longer supports certain algorithms and hence you need to whitelist them.

You can issue:

ssh -Q PubkeyAcceptedAlgorithms

To get a list of allowed algorithms.

I took the solution from atlassian help

Add PubkeyAcceptedKeyTypes +ssh-rsa to your ./ssh/ssh_config

Another solution is

ssh-keygen -t ed25519 -C "[email protected]"

To create a new key, add to .ssh/authorized_keys and you should be good to go.

2
  • I tried ssh -Q PubkeyAcceptedAlgorithms on the server and -Q is not an option for the ssh client. Commented Jan 26 at 20:49
  • You need to run that on the client. For the server do man ssh on Solaris to see if they may have an equivalent, no Solaris box available to me now. Commented Jan 26 at 21:23
0

On the client side, add the following to .ssh/config:

HostKeyAlgorithms=+ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedKeyTypes +ssh-rsa

or

HostKeyAlgorithms=+ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedAlgorithms +ssh-rsa

I'm not sure what impact this has on security.
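
For the security question raised in the last answer, one practical check is whether the legacy algorithms are re-enabled for every server or only for the Solaris host. The script below is an added example, not code from the thread; the function names, the sample config and the WIDE/SCOPED labels are assumptions made here, and the legacy list is limited to the three algorithm names that appear in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: list ssh_config lines that re-enable
# the legacy algorithms discussed here and show which Host block they sit in.

audit_ssh_config() {   # reads an ssh_config on stdin
    awk '
    BEGIN {
        scope = "(global)"
        # Only the three legacy names seen in this thread (an assumption).
        legacy["ssh-rsa"] = 1; legacy["ssh-dss"] = 1
        legacy["diffie-hellman-group1-sha1"] = 1
        watch["hostkeyalgorithms"] = 1; watch["kexalgorithms"] = 1
        watch["pubkeyacceptedalgorithms"] = 1
        watch["pubkeyacceptedkeytypes"] = 1
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /[ \t=]+/)) next       # keyword, then blanks or "="
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        if (key == "host" || key == "match") { scope = key " " val; next }
        if (!(key in watch) || val ~ /^-/) next  # a "-list" removes, skip it
        sub(/^[+^]/, "", val)
        n = split(val, algs, ",")
        tag = (scope == "(global)" || scope == "host *") ? "WIDE" : "SCOPED"
        for (i = 1; i <= n; i++)
            if (algs[i] in legacy)
                printf "%s\t%s\t%s\t%s\n", tag, scope, key, algs[i]
    }'
}

sample_config() {      # constructed sample, not the asker's real file
    cat <<'EOF'
Host *
    PubkeyAcceptedKeyTypes +ssh-rsa
Host sol10
    HostKeyAlgorithms=+ssh-dss
    KexAlgorithms +diffie-hellman-group1-sha1,ecdh-sha2-nistp256
EOF
}

sample_config | audit_ssh_config
```

Run it against a real file with `audit_ssh_config < ~/.ssh/config`; a WIDE row means that algorithm is offered to every server the client connects to, and moving the line under `Host sol10` confines it to the one legacy system. The script does not follow `Include` directives.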
