I’ve set up my Nitrokey Start with an ED25519 key and am using it mostly for server administration with SSH.
I currently manage 4 servers and can only access 2 of these with this public key; on the other servers (after setting up the authorized_keys file properly) I am unable to use it.
On the client I receive the error message:
sign_and_send_pubkey: signing failed for ED25519 "cardno:[redacted]" from agent: agent refused operation
While on the server sshd logs the following:
Unable to negotiate with [redacted] port [redacted]: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
And when I turn on DEBUG level sshd logs, I get the following two messages (in this order):
Accepted key ED25519 SHA256:[redacted] found at /root/.ssh/authorized_keys:1
[..]
Postponed publickey for root from [redacted] port [redacted] ssh2 [preauth]
I do have root login permitted, for the moment, and am able to log in using the password after publickey authentication fails.
I don’t want to keep password authentication enabled much longer, both for security and convenience.
I suspect that this must be an issue with my server configuration, which uses NixOS, is newly set up and is configured thusly:
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = true;
      settings.PubkeyAuthentication = true;
      settings.GSSAPIAuthentication = false;
      settings.ChallengeResponseAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      settings.PermitRootLogin = "yes";
      settings.LogLevel = "DEBUG";
    };
I have also checked the permissions on /root/.ssh, but these are set correctly.
I’m at a loss about potential alternative solutions. This same key works on other servers, which run Debian and Ubuntu, but I’m also having this issue with another Ubuntu server.
As a final piece of info, I have checked the GPG and SSH versions on my client and on the NixOS (failing) and Debian (working) servers:
Client:
OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024
gpg (GnuPG) 2.4.4
nixos (failing):
OpenSSH_9.6p1, OpenSSL 3.0.13 30 Jan 2024
gpg (GnuPG) 2.4.4
debian (working):
OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
gpg (GnuPG) 2.2.27
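To separate the two server-side messages quoted above, here is an added example (not part of the original post) that correlates sshd [preauth] lines per client session: a "Postponed publickey" with no later "Accepted publickey" for the same session means sshd accepted the offered key and waited for a signature that never came, which is what a client whose agent refuses the signing operation produces, while "no matching host key type found" is a key-exchange failure logged before user authentication starts. The sample log lines are constructed; addresses, ports and fingerprints are invented.

```python
"""Classify sshd publickey attempts from DEBUG/[preauth] log lines.

Added example, not from the original post. Sample lines are constructed
to mirror the quoted ones; addresses, ports and fingerprints are invented.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Unable to negotiate with 198.51.100.7 port 40001: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
Accepted key ED25519 SHA256:EXAMPLEfingerprint found at /root/.ssh/authorized_keys:1
Postponed publickey for root from 203.0.113.5 port 51234 ssh2 [preauth]
Accepted password for root from 203.0.113.5 port 51234 ssh2
Accepted key ED25519 SHA256:EXAMPLEfingerprint found at /root/.ssh/authorized_keys:1
Postponed publickey for admin from 203.0.113.9 port 51300 ssh2 [preauth]
Accepted publickey for admin from 203.0.113.9 port 51300 ssh2: ED25519 SHA256:EXAMPLEfingerprint
"""

AUTH = re.compile(r"^(Postponed|Accepted|Failed) (\w+) for (\S+) from (\S+) port (\d+)")
KEX = re.compile(r"^Unable to negotiate with (\S+) port (\d+): "
                 r"no matching host key type found\. Their offer: (\S+)")


def classify(log):
    """Map (user, ip, port) -> verdict; key-exchange failures use user 'kex'."""
    events = defaultdict(list)
    verdicts = {}
    for line in log.splitlines():
        if m := KEX.match(line):
            ip, port, offer = m.groups()
            # Happens before authentication: the peer accepts none of our host key algorithms.
            note = "" if "ssh-ed25519" in offer.split(",") else " (peer does not accept ssh-ed25519 host keys)"
            verdicts[("kex", ip, port)] = "host key algorithm mismatch before auth" + note
        elif m := AUTH.match(line):
            outcome, method, user, ip, port = m.groups()
            events[(user, ip, port)].append((outcome, method))
    for sess, evs in events.items():
        if ("Accepted", "publickey") in evs:
            verdicts[sess] = "publickey completed"
        elif ("Postponed", "publickey") in evs:
            # Key was authorized, but the signed request never arrived: the
            # failure is on the client/agent side, not in authorized_keys.
            fallback = [m for o, m in evs if o == "Accepted"]
            verdicts[sess] = "publickey stalled after key accepted; fell back to " + (fallback[0] if fallback else "nothing")
    return verdicts


if __name__ == "__main__":
    for sess, verdict in classify(SAMPLE_LOG).items():
        print(sess, "->", verdict)
```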