https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160152#M28210 <P>I migrated from a Debian 9 to Ubuntu 22 bastion host this week, and am unable to SSH to CheckPoint R80.40 gateways using public key authentication.&nbsp; &nbsp;Initially I was unable to SSH to the CheckPoints at all, but was able to fix that but adding the following lines to /etc/ssh/ssh_config:</P> <P><FONT face="courier new,courier"> KexAlgorithms +diffie-hellman-group14-sha1</FONT><BR /><FONT face="courier new,courier">HostKeyAlgorithms=+ssh-dss</FONT></P> <P>This fixed the connection, and I can now authenticate via username/password.&nbsp; However, public key auth is failing.&nbsp;&nbsp;</P> <P>It's a bit of a concern since we have multiple R80.40 (and a few R80.30) devices in public cloud, where public ssh key auth is the only way to do initial configuration (username/password only works for GAIA web interface)</P> <P>Server Info:</P> <P><FONT face="courier new,courier">ssh -V</FONT><BR /><FONT face="courier new,courier">OpenSSH_7.8p1, OpenSSL 1.1.1n 15 Mar 2022</FONT></P> <P>Client Info:</P> <P><FONT face="courier new,courier">lsb_release -a</FONT><BR /><FONT face="courier new,courier">No LSB modules are available.</FONT><BR /><FONT face="courier new,courier">Distributor ID: Ubuntu</FONT><BR /><FONT face="courier new,courier">Description: Ubuntu 22.04.1 LTS</FONT><BR /><FONT face="courier new,courier">Release: 22.04</FONT><BR /><FONT face="courier new,courier">Codename: jammy</FONT></P> <P><FONT face="courier new,courier">ssh -V<BR />OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022</FONT></P> Sat, 22 Oct 2022 13:58:11 GMT johnnyringo 2022-10-22T13:58:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160152#M28210 <P>I migrated from a Debian 9 to Ubuntu 22 bastion host this week, and am unable to SSH to CheckPoint R80.40 gateways using public key authentication.&nbsp; &nbsp;Initially I was unable to SSH to the CheckPoints at all, but was able to fix that but adding the following lines to /etc/ssh/ssh_config:</P> <P><FONT face="courier new,courier"> KexAlgorithms +diffie-hellman-group14-sha1</FONT><BR /><FONT face="courier new,courier">HostKeyAlgorithms=+ssh-dss</FONT></P> <P>This fixed the connection, and I can now authenticate via username/password.&nbsp; However, public key auth is failing.&nbsp;&nbsp;</P> <P>It's a bit of a concern since we have multiple R80.40 (and a few R80.30) devices in public cloud, where public ssh key auth is the only way to do initial configuration (username/password only works for GAIA web interface)</P> <P>Server Info:</P> <P><FONT face="courier new,courier">ssh -V</FONT><BR /><FONT face="courier new,courier">OpenSSH_7.8p1, OpenSSL 1.1.1n 15 Mar 2022</FONT></P> <P>Client Info:</P> <P><FONT face="courier new,courier">lsb_release -a</FONT><BR /><FONT face="courier new,courier">No LSB modules are available.</FONT><BR /><FONT face="courier new,courier">Distributor ID: Ubuntu</FONT><BR /><FONT face="courier new,courier">Description: Ubuntu 22.04.1 LTS</FONT><BR /><FONT face="courier new,courier">Release: 22.04</FONT><BR /><FONT face="courier new,courier">Codename: jammy</FONT></P> <P><FONT face="courier new,courier">ssh -V<BR />OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022</FONT></P> Sat, 22 Oct 2022 13:58:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160152#M28210 johnnyringo 2022-10-22T13:58:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160154#M28211 <P>What does the client side ssh say if you attempt to connect with the "-vvv" option for full debug output?</P> Sat, 22 Oct 2022 15:30:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160154#M28211 Swiftyyyy 2022-10-22T15:30:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160221#M28220 <P>Just to make sure I understand this correctly, it is the SSH client who is providing the public key to authenticate to Gaia? There is a couple of SKs you may find useful:&nbsp;<SPAN>sk143752 &amp;&nbsp;sk164234<BR /><BR />If anything, please let me know</SPAN></P> Mon, 24 Oct 2022 08:52:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160221#M28220 _Val_ 2022-10-24T08:52:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160280#M28234 <P>Right - just to clarify, the checkpoint gateway (server) has the ssh public key, the client has the private key.&nbsp;&nbsp;</P> <P>I have noticed Ubuntu 22 has been fairly aggressive about dropping support for older ciphers and key lengths, so had assumed it was that.&nbsp; But the funny thing is I can do public key auth to some checkpoints but not others.&nbsp; All of them are running R80.40 Take 173 and seem to have the same openssh version and configuration.&nbsp;&nbsp;</P> <P>&nbsp;</P> Mon, 24 Oct 2022 18:34:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160280#M28234 johnnyringo 2022-10-24T18:34:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160308#M28247 <P>Did you look into the SKs I have provided to you? Also, who is refusing to connect, the GW or your client?</P> Tue, 25 Oct 2022 07:39:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Unable-to-SSH-using-public-key-from-Ubuntu-22-VM/m-p/160308#M28247 _Val_ 2022-10-25T07:39:17Z