Fedora 33 - unable to SSH into new DigitalOcean droplet

I have created many DigitalOcean Fedora droplets in the past with the same set of SSH keys.
Now that Fedora 33 is available on DO I am unable to log in to a new droplet.
I get error:
No supported authentication methods available (server sent: publickey, gssapi-keyex, gssapi-with-mic)
Days of troubleshooting with DO have not been productive.
What has changed and how do I need to adapt?

Could be related to:

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

More info here:

2 Likes

I checked the links and was not able to determine how to fix this problem.
I have always successfully used putty & puttygen to create SSH-2 RSA 2048 bit keys.

Sounds like a consequence of the new crypto policy in F33. It resulted in me not being able to ssh into my routers.

See this article for an explanation and multiple solutions:

In short, you could

  1. upgrade the server and its openssh or dropbear version
  2. generate new ecdsa or ed25519 keys IF your server supports them (dd-wrt on my routers does not)
  3. create an exception on your client’s .ssh/config file in the form of:
Host [server hostname or IP]
  PubkeyAcceptedKeyTypes +ssh-rsa
  1. downgrade the security policy system-wide (see article for details, but this should probably be left as a last resort)
3 Likes

Thanks.
Good info.
I tried creating a file named config in /root/.ssh and adding the two lines mentioned above but that did not help.
I tried creating ecdsa keys but they did not work.
I got SERVER REFUSED OUR KEY error.
Maybe I did it wrong.
I used puttygen and the resulting key does not look right.
Can anyone please provide instructions on how to generate and deploy and use an ecdsa key in putty?
I think many would benefit from this info since F33 devs decided to increase security to the degree that it is unusable.

It should be done for the machine and user that is SSHing into the server. Not on the server itself.

I am using putty on a windows PC so there is no place to add such a file.

I figured it out.
Turns out this particular fedora 33 package that DigitalOcean uses comes with this file…
/etc/ssh/sshd_config.d/50-redhat.conf
… which contains the following…
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

… I deleted the file which restored the defaults and everything went back to normal.

That file is the defaults for Fedora. By removing it, you are changing more than just the part that’s important here, the line:

Include /etc/crypto-policies/back-ends/opensshserver.config

near the top. Removing the whole file is dangerous and not likely what you want to do. For one thing, it will re-appear on package upgrade. Removing the above line will probably work, but also not the best approach. See the Fedora 33 release notes: Strong Crypto Settings - Phase 2 for the recommended approach:

# sudo update-crypto-policies --set LEGACY
1 Like

This will work in the case where the server is running outdated crypto and you need to connect from a modern Fedora client. Here, we have the reverse situation.

1 Like

I haven’t used Putty in over a decade, but I found this guide Generating SSH Keys | HFC Portal which shows an ed25519 key being generated under putty. This is really the best option.

3 Likes

Mathew Miller … what do you use instead of putty? I’m open to using something better.

I’m afraid I can’t help much with that since I only run Fedora Linux on my own systems, and I’m no longer in a job where I directly support students who might be on other operating systems. It’s a good general question, just one for someone other than me. :slight_smile:

No experience myself with putty but WSL2 is always an option on Windows, isn’t it? Perhaps even with Fedora.

Based on How to Create SSH Keys with PuTTY on Windows :: DigitalOcean Product Documentation

Download puttygen.exe from the Putty website. Start it.

  1. Select ECDSA (I can confirm that the RSA key generated with PuTTY Key Generator doesn’t work)
  2. Generate the key pair
  3. Insert a password (optional)
  4. Save the key in a suitable place
  5. Copy the public key

The public key has to be added to DigitalOcean.

Create a droplet assigning the new SSH key.

Open Putty.

  1. In the Connection -> SSH -> Auth section
  2. Add the file created in the previous steps (point 4)

  1. In the Connection -> Data section
  2. Write root as the Auto-login username

Go back to Session, insert the droplet IP address, save the session, as usual.

2 Likes