DO12.28 vs Ubuntu22.04 rejects public key (20.04 OK)

Description: In windows 11, putty 0.77. Using the existing PPK files to access the SFTP sites.

All sites are Ubuntu Series, those versions below or equal to 20.04 working properly. 22.04 reject public key.

Opening Connection
Server version: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Server also has ecdsa-sha2-nistp256 host key, but we don't know it
Host key fingerprint is:
ssh-ed25519 256 d1:01:d8:05:8e:27:a4:59:14:72:c5:ca:11:19:cf:33
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading key file "C:\Users\sp\.ssh\idrsa.ppk"
Pageant is running. Requesting keys.
Pageant has 2 SSH-2 keys
Pageant key #1 matches configured key file
Using username "root".
Trying Pageant key #1
Server refused our key
Disconnected: No supported authentication methods available (server sent: publickey)
SSH: Fatal: Disconnected: No supported authentication methods available (server sent: publickey)
Connection closed

The same PPK key was tested with fileZilla, to access exactly same sites, and it works like a charm. without any issues.

Both keys with/without passphrase were tested. DO12.18 + DO12.18.1 all not working as expected.

On another forum, I found that the Ubuntu 22.04 has latest open-ssh server respond with:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms

I tried same key (through Peagent ) using DO12.18 and filezilla (directly using ppk). the server response from server is different

For DO12.18 it says

Jun 27 14:52:28 Matt-Dev sshd[108085]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jun 27 14:52:43 Matt-Dev sshd[108085]: error: Received disconnect from port 56001:13: Unable to authenticate [preauth]

whereas using Filezilla

Jun 27 14:52:43 Matt-Dev sshd[108085]: Disconnected from authenticating user sp port 56001 [preauth]
Jun 27 14:54:04 Matt-Dev sshd[108093]: Accepted publickey for sp from port 56204 ssh2: RSA SHA256:IGmRd86USDDiLyq8ui2c840LuCOglWP12345UXF6glE
Jun 27 14:54:04 Matt-Dev sshd[108093]: pam_unix(sshd:session): session opened for user sp(uid=1001) by (uid=0)

It is worth to mention that with Peagent Putty can directly login to the site using same ssh-key.

I believe it's the way how DO handles server authentication, and "ssh-rsa" has been deprecated.

As a workround: adding one line in /etc/ssh/sshd_config below

#PubkeyAuthentication yes

Make it read as:

#PubkeyAuthentication yes

and then do a

$ grep Pub /etc/ssh/sshd_config
#PubkeyAuthentication yes
$ sudo systemctl restart sshd

It makes DO12.18 work with SFTP of Ubuntu 22.04 again.

But, it allows deprecated ssh-rsa auth method, which give your server a tiny risk of being attacked in theory.

Opus 12.18 is very old. Try with an up to date version.

Hi Leo,

Sorry for my typo, I was referring to 12.28. How should I change the title of this post? I cannot do it.


Would it be possible for you guys to update the post title somehow?

Ah OK. I assumed it wasn't a typo as the same mistake appeared six times. :slight_smile: I've updated the title.

I thought the key's algorithm was tied to the key itself, so it's strange that the key works from some clients and not others if the problem is the algorithm.

Are you definitely using the same key file with all clients? And it's not authenticating via one of the other keys loaded into Pageant rather than the one you think it's using, is it?

Also note that Opus 12.28 requires keys in PuttyGen's v2 format, not the newer v3 format (and may also not work with keys saved by anything else). PuttyGen can load and convert keys from other formats into the v2 format Opus needs.

Hi Leo,

Thank you for updating the title. I mistakenly assumed the version number was 18. that's why it appeared 6 times. I should have checked the version number before I post.

I was using the same key, and I tried using PPK version 2.

I think the key works with DO, it just the way DO communicate with the server that gets astray. The server complains about:

Jun 27 14:52:28 Matt-Dev sshd[108085]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jun 27 14:52:43 Matt-Dev sshd[108085]: error: Received disconnect from port 56001:13: Unable to authenticate [preauth]

After I changed the server-side configuration to allow 'ssh-rsa' key Algo, DO can connect to the server without issues. I believe there is a reason why 'ssh-rsa' got deprecated in Ubuntu 22.04.

Other software like Filezilla can use the same PPK file without issue, so I think DO may have a way to work with the same key too.

Which algorithm does PuttyGen say the key is using?

I have the same problem as lawipac. I can connect by SSH to my server from Windows Terminal, WinSCP, but not with DOpus. Key I am using Is the same, no other SSH keys are available on my server. The problem started with Ubuntu Server 22.04 LTS. The reason is:

userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

When using WinSCP I get:

 Accepted publickey for root from ***.***.***.*** port ***** ssh2: RSA SHA256

If you load the key into PuttyGen, which algorithm does it think the key is using?

Key is RSA, 4096-bit.

So no mention of SHA256 in PuttyGen? Even on the key fingerprint line near the top?

It may also be worth checking in PuttyGen's Key menu for settings like SSH-2 RSA key being selected and not the older SSH-1 key (RSA):

(This is all on the limits of my knowledge of SSH public key stuff, so I'm guessing here.)

Key fingerprint is: ssh-rsa 4096 SHA256. In PuttyGen "SSH-2 RSA" selected. PPK file version is set to "2". I can use created PPK file with WinSCP and connect to my server without any problem.

I'm not sure what's happening in that case. The error message doesn't seem to tie up with what's actually in the key.

If anyone has a server they could make us an account + key to test with, that would probably be the quickest way for us to reproduce the problem. If not we can see about building a Ubuntu 22.04 install on something, but that will take us longer.

The problem IS with the OpenSSH deprecation. According to the OpenSSH release notes:

OPus using a deprecated hash algo. Key is OK.

Are you still investigating the possibility to build Ubuntu 22.04 and check the problem with the public key rejection? Can create an Ubuntu 22.04 server for you but need a period for server availability (it will cost me money).

It's on our list but we haven't had a chance to set up a test system, as we're busy finishing existing work.

If there's a test system we can try with, we'll give it a go. But otherwise we will set one up ourselves after we've cleared our current set of tasks.