0

Question

How to set up password-less (key-based) ssh from Ubuntu16.04 client to Dropbear SSH server?

  • My private key is not passphrase-protected.
  • I am unable to ssh from Ubuntu16.04 to DropbearSSH with key-based authentication, but I am able to do it from PeppermintOS 11.
  • Same private/public key pair on both clients (generated on Ubuntu16.04, then copied the pair to PeppermintOS 11).
  • (Upgrading the Ubuntu16.04 is not possible).
  • ssh with passwords works from both clients

Server

Server is an embedded system running Dropbear SSH:

root@server:# uname -a
Linux server 5.10.9-v2.15-rc2 #1 PREEMPT Thu Sep 15 01:16:32 EDT 2022 armv7l GNU/Linux

root@server:# /usr/sbin/dropbear -V
Dropbear v2020.80

Dropbear logs when client1 tries to login:

Sep 19 23:33:23 server authpriv.info dropbear[10329]: Child connection from 192.168.1.101:59206
Sep 19 23:33:23 server authpriv.info dropbear[10329]: Exit before auth from <192.168.1.101:59206>: (user 'root', 0 fails): Non-matching signing type

Dropbear logs when client2 tries to login:

Sep 19 23:36:42 server authpriv.info dropbear[10410]: Child connection from 192.168.1.102:59218
Sep 19 23:36:42 server authpriv.notice dropbear[10410]: Pubkey auth succeeded for 'root' with key sha1!! he:x_:va:lu:es:_r:em:ov:ed:_f:or:se:cu:ri:ty:__:__:__:_:__ from 192.168.1.102:59218

# Successful login

# Now, when client2 logs out:
Sep 19 23:39:25 server authpriv.info dropbear[10410]: Exit (root) from <192.168.1.102:59218>: Disconnect received

Client1

Client1 is Ubuntu16.04:

user@client1:~$ uname -a
Linux client1 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:27:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

user@client1:~$ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016

user@client1:~$ ssh -vvvv user@server

debug1: Authentication succeeded (publickey).
Authenticated to server ([192.168.1.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 5/6 cc -1)

Connection to server closed by remote host.
Connection to server closed.
Transferred: sent 2536, received 1592 bytes, in 0.0 seconds
Bytes per second: sent 20815567.4, received 13067185.8
debug1: Exit status -1

Client2

Client2 is PeppermintOS 11:

user@client2:~$ uname -a
Linux client2 5.10.0-15-amd64 #1 SMP Debian 5.10.120-1 (2022-06-09) x86_64 GNU/Linux

user@client2:~$ ssh -V
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n  15 Mar 2022

user@client2:~$ ssh -vvvv user@server

debug1: Authentication succeeded (publickey).
Authenticated to server ([192.168.1.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
...
...
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32759
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
root@server:~# echo Logged in successfully
Logged in successfully

1 Answer

2

The key to your problem with client 1 is the error Non-matching signing type.

When client 2 connects you are receiving the warning with key sha1.

Client 1 does not support one of the signature signing algorithms that Dropbear supports. Therefore the connection fails.

Client 1 has ssh client version 7.2p2, which is very old. Upgrading the client requires building the client from source code.

The easiest solution is to switch to another SSH Key Type such as Ed25519. Your other options are to upgrade the SSH client, which is very difficult on Ubuntu Xenial, or to enable ssh-rsa in Dropbear (I do not think this is possible).

Note: Client 2 is using ssh version 8.4p1, which is much better but also old. In OpenSSH 8.8, support for ssh-rsa (RSA+SHA1) was disabled. The replacement is rsa-sha2-256 and rsa-sha2-512.

Given the error with Client 1 and the warning with Client 2, both of which require an upgrade to correctly fix the client, I recommend switching to the SSH Key Type Ed25519.
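
Added example, not part of the answer above and not code from Dropbear or OpenSSH: a Python check for an authorized_keys line that decodes the key blob, confirms it matches its type label, and lists the signature algorithms that key type can be used with. An RSA key can sign with ssh-rsa, rsa-sha2-256 or rsa-sha2-512 (RFC 8332), so client and server must agree on one, while an Ed25519 key has a single signature algorithm. The function names and both sample key lines are constructed for illustration.

```python
import base64
# Signature algorithms each public-key type can sign with (RFC 8332, RFC 8709).
SIG_ALGS = {
    "ssh-rsa": ["ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"],
    "ssh-ed25519": ["ssh-ed25519"],
}

def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def audit_key_line(line):
    """Return (key_type, bits, usable_signature_algorithms) for one key line."""
    fields = line.split()
    # An options field may precede the key type; find the first known type.
    idx = next((i for i, f in enumerate(fields) if f in SIG_ALGS), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no supported key type found")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    name, off = read_string(blob, 0)
    if name != fields[idx].encode():
        raise ValueError("key type label does not match the encoded blob")
    if fields[idx] == "ssh-ed25519":
        key, off = read_string(blob, off)
        if len(key) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        bits = 256
    else:
        _e, off = read_string(blob, off)  # public exponent
        n, off = read_string(blob, off)   # modulus, may carry a leading 0x00
        bits = int.from_bytes(n, "big").bit_length()
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return fields[idx], bits, SIG_ALGS[fields[idx]]

def wire(*parts):  # encode byte strings in SSH wire format (builds the samples)
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

# Constructed sample lines: placeholder bytes, not real keys and not from the page.
ED_LINE = "ssh-ed25519 " + base64.b64encode(
    wire(b"ssh-ed25519", bytes(range(32)))).decode() + " user@client1"
RSA_LINE = "ssh-rsa " + base64.b64encode(
    wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)).decode() + " user@client1"

if __name__ == "__main__":
    print(audit_key_line(ED_LINE), audit_key_line(RSA_LINE))
```

Run against each line of the server's authorized_keys file, it shows which entries are RSA and therefore depend on the signature algorithm both sides negotiate.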
