ssh Permission denied (publickey) after upgrade Fedora 33
This could be related to "Changes/StrongCryptoSettings2 in Fedora33"
The changes for default policy are:
- Keep only TLS 1.2 (and TLS 1.3 when available) as enabled protocols and move the TLS 1.x, x<=1 to legacy level.
- Require finite field parameters (RSA, Diffie-Hellman) of 2048 and more in the default settings
- Disable SHA1 support for use in signatures (X.509 certificates, TLS, IPSEC handshakes)
The "Upgrade/compatibility impact" section of the aforementioned link clearly mentions:
It may be that the new settings break software that connects to servers which utilize weak algorithms.
Compatibility can be obtained by switching the system to Fedora 32 policy level:
update-crypto-policies --set DEFAULT:FEDORA32
NOT RECOMMENDED though: if you can use an ed25519 key, this is better.
As mentioned in Peque's answer, you can add to your ~/.ssh/config an option initially found in sshd_config, PubkeyAcceptedKeyTypes:
    Specifies the key types that will be accepted for public key
    authentication as a list of comma-separated patterns.
So if you cannot use ed25519, you can, for one specific host, allow the use of id_rsa keys with:
    Host aHost
        Hostname a.hostname.com
        PubkeyAcceptedKeyTypes +ssh-rsa
Finally: double-check your permissions after the upgrade:
- ~/.ssh is 775 (drwxrwxr-x)
- ~/.ssh/id_rsa is 600 (-rw-------)
- ~/.ssh/id_rsa.pub is 644 (-rw-r--r--)
- ~/.ssh/config is 600 (-rw-------)
- ~/.ssh/authorized_keys on the remote server is 600 (-rw-------)
But using ssh-keygen -t ed25519 keys seems to be recommended now.
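As an added example (not code from the answer above or its author), a POSIX sh script that audits a client-side ~/.ssh directory against the modes in that checklist. It assumes the usual file names (id_rsa, id_ed25519, config, authorized_keys) and, for the directory itself, only rejects a world-writable mode so that the 775 given above still passes; both are my assumptions.

```shell
#!/bin/sh
# Audits a client-side SSH directory against the modes listed above.
# Usage: sh ssh-perm-audit.sh [DIR]   (DIR defaults to ~/.ssh)

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_mode PATH EXPECTED: 0 when PATH exists with exactly the EXPECTED octal mode.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "missing: $1"; return 1
    fi
    actual=$(mode_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok:  $1 ($actual)"
    else
        echo "BAD: $1 is $actual, expected $2"; return 1
    fi
}

# audit_ssh_dir DIR: prints one line per item and returns the number of
# findings (0 means everything matched).
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}; findings=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"; return 1
    fi
    # The directory may carry group bits (775 above) but must never be world-writable.
    case $(mode_of "$dir") in
        *[2367]) echo "BAD: $dir is world-writable"; findings=$((findings + 1)) ;;
        *)       echo "ok:  $dir ($(mode_of "$dir"))" ;;
    esac
    # Private keys, config and authorized_keys are owner read/write only (600).
    for f in "$dir"/id_rsa "$dir"/id_ed25519 "$dir"/config "$dir"/authorized_keys; do
        [ -e "$f" ] && { check_mode "$f" 600 || findings=$((findings + 1)); }
    done
    # Public halves may be world-readable (644).
    for f in "$dir"/id_rsa.pub "$dir"/id_ed25519.pub; do
        [ -e "$f" ] && { check_mode "$f" 644 || findings=$((findings + 1)); }
    done
    return "$findings"
}

# When a DIR argument is given, run the audit and exit with the finding count.
[ $# -eq 0 ] || audit_ssh_dir "$1"
```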
@VonC is correct, I upgraded to Fedora 33 and ran into this permission issue.
Running the following command fixed it:
update-crypto-policies --set DEFAULT:FEDORA32
Thank you for sharing that article.
Instead of globally changing the crypto policies, it is better to downgrade security per-host.
You can update the configuration for the specific legacy host in your .ssh/config file by adding:
    Host legacy.host
        PubkeyAcceptedKeyTypes +ssh-rsa
For more details, have a look at this discussion in Bugzilla.