johnnyringo
Advisor

Unable to SSH using public key from Ubuntu 22 VM

I migrated from a Debian 9 to Ubuntu 22 bastion host this week, and am unable to SSH to CheckPoint R80.40 gateways using public key authentication. Initially I was unable to SSH to the CheckPoints at all, but was able to fix that by adding the following lines to /etc/ssh/ssh_config:

KexAlgorithms +diffie-hellman-group14-sha1
HostKeyAlgorithms=+ssh-dss

This fixed the connection, and I can now authenticate via username/password.  However, public key auth is failing.  

It's a bit of a concern since we have multiple R80.40 (and a few R80.30) devices in public cloud, where public SSH key auth is the only way to do initial configuration (username/password only works for the GAIA web interface).

Server Info:

ssh -V
OpenSSH_7.8p1, OpenSSL 1.1.1n 15 Mar 2022

Client Info:

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy

ssh -V
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022

0 Kudos
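Added example (not part of the original post): the two lines above go into the system-wide /etc/ssh/ssh_config, so the legacy algorithms are accepted for every host the bastion connects to. This Python sketch audits an ssh_config text and reports whether those algorithms are enabled for all hosts or only inside a scoped `Host` block; the `cp-gw-*` pattern and both sample configs are constructed for illustration.

```python
import re

# The two algorithms the post adds to the client configuration.
LEGACY = {"diffie-hellman-group14-sha1", "ssh-dss"}
ALGO_KEYWORDS = {"kexalgorithms", "hostkeyalgorithms"}

def audit(config_text):
    """Return (scope, keyword, algorithm, all_hosts) per legacy algorithm enabled."""
    findings = []
    scope = "*"  # options before any Host/Match line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config allows "Keyword value" and "Keyword=value"
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            scope = value if keyword == "host" else "match " + value
            continue
        if keyword not in ALGO_KEYWORDS or value.startswith("-"):
            continue  # a leading '-' removes algorithms, it does not enable them
        for algo in value.lstrip("+^").split(","):
            algo = algo.strip()
            if algo in LEGACY:
                all_hosts = "*" in scope.split() or scope == "match all"
                findings.append((scope, m.group(1), algo, all_hosts))
    return findings

# Constructed sample: the two lines from the post at global scope.
GLOBAL_CONFIG = """\
KexAlgorithms +diffie-hellman-group14-sha1
HostKeyAlgorithms=+ssh-dss
"""

# Constructed sample: same options limited to a hypothetical gateway name pattern.
SCOPED_CONFIG = """\
Host cp-gw-*
    KexAlgorithms +diffie-hellman-group14-sha1
    HostKeyAlgorithms=+ssh-dss
"""

if __name__ == "__main__":
    for name, cfg in (("global", GLOBAL_CONFIG), ("scoped", SCOPED_CONFIG)):
        for scope, kw, algo, all_hosts in audit(cfg):
            flag = "  <-- applies to every host" if all_hosts else ""
            print(f"{name}: {kw} enables {algo} for Host {scope}{flag}")
```
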
4 Replies
Swiftyyyy
Advisor

What does the client side ssh say if you attempt to connect with the "-vvv" option for full debug output?

0 Kudos
_Val_
Admin

Just to make sure I understand this correctly, it is the SSH client who is providing the public key to authenticate to Gaia? There are a couple of SKs you may find useful: sk143752 & sk164234

If anything, please let me know.

0 Kudos
johnnyringo
Advisor

Right - just to clarify, the checkpoint gateway (server) has the ssh public key, the client has the private key.  

I have noticed Ubuntu 22 has been fairly aggressive about dropping support for older ciphers and key lengths, so I had assumed it was that. But the funny thing is I can do public key auth to some CheckPoints but not others. All of them are running R80.40 Take 173 and seem to have the same OpenSSH version and configuration.

 

0 Kudos
_Val_
Admin

Did you look into the SKs I have provided to you? Also, who is refusing to connect, the GW or your client?

0 Kudos
