Date: Sat, 10 Feb 2024 06:18:16 +0000
From: Lexi Winter
To: Graham Menhennitt
Cc: freebsd-questions@freebsd.org
Subject: Re: putty from Windows to FreeBSD 14.0 says "Server refused our key"
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Graham Menhennitt:
> I have a box that I recently upgraded to FreeBSD 14.0. It all appears to be
> working ok except for one thing. When I attempt to use Putty on Windows to
> connect to it using SSH, I get an error "Server refused our key" and it
> drops back to password authentication. I have not modified sshd_config from
> the default.
>
> I've used this same key for many years from Putty and from other FreeBSD
> boxes. It still works successfully from FreeBSD 13 to FreeBSD 14, but not
> from Putty to FreeBSD 14.
>
> In auth.log on the FreeBSD 14 box, I can see that it says "userauth_pubkey:
> signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]". So,
> I guess that I could fix this by modifying sshd_config, but I don't
> understand why it works from FreeBSD 13 but not Putty.

according to its documentation, PuTTY does not support RFC8332 RSA/SHA-2
key authentication:

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rsa-sha2.html

support for RSA/SHA-1 was removed by default in FreeBSD 14.0, so you
would need to manually re-enable it to connect via PuTTY (as you
discovered).

alternatively, and more securely, you could see if PuTTY can generate
and use ECDSA or ED25519 keys instead, which don't require SHA-1.
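
An added example, not part of the original message: a Python script that scans auth.log text for the refusal quoted above and pairs it, by sshd PID, with a later line naming the user and address, listing the clients that still sign with ssh-rsa. The sample log lines (host, PIDs, users, addresses) are constructed, and pairing by PID assumes sshd logs each connection under one process ID.

```python
import re
from collections import Counter

# Constructed sample in auth.log style; host, PIDs, users and addresses are made up.
SAMPLE_LOG = """\
Feb 10 06:01:02 gw sshd[4101]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Feb 10 06:01:09 gw sshd[4101]: Accepted password for graham from 192.0.2.10 port 50122 ssh2
Feb 10 06:03:40 gw sshd[4177]: Accepted publickey for graham from 192.0.2.20 port 40022 ssh2: RSA SHA256:constructedfingerprint
Feb 10 06:05:11 gw sshd[4203]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Feb 10 06:05:12 gw sshd[4203]: Connection closed by authenticating user backup 198.51.100.7 port 51514 [preauth]
"""

# Process tag and message; also accepts the sshd-session tag used by newer OpenSSH.
LINE = re.compile(r"sshd(?:-session)?\[(\d+)\]: (.*)$")
# The refusal message quoted in the thread; group 1 is the refused algorithm.
REFUSED = re.compile(r"userauth_pubkey: signature algorithm (\S+) not in PubkeyAcceptedAlgorithms")
# Matches "for USER from ADDR port N" and "user USER ADDR port N".
PEER = re.compile(r"(?:for|user) (\S+) (?:from )?(\S+) port \d+")


def rejected_sha1_clients(log_text):
    """Count refused signature algorithms per (user, address, algorithm)."""
    pending = {}  # sshd PID -> refused algorithm, until a line names the peer
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        refused = REFUSED.search(msg)
        if refused:
            # A client may offer several keys; count once per connection.
            pending[pid] = refused.group(1)
            continue
        peer = PEER.search(msg)
        if peer and pid in pending:
            hits[(peer.group(1), peer.group(2), pending.pop(pid))] += 1
    # Refusals with no later line that identifies the peer.
    for alg in pending.values():
        hits[("?", "?", alg)] += 1
    return hits


if __name__ == "__main__":
    for (user, addr, alg), n in sorted(rejected_sha1_clients(SAMPLE_LOG).items()):
        print(f"{user}@{addr}: {alg} signature refused on {n} connection(s)")
```

Clients that appear in the output are candidates for the ECDSA or ED25519 keys suggested in the reply.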