I wrote in a past article about how I’m setting up Hetzner dedicated servers with full disk encryption even if they lack an iKVM, and why Debian 10 machines require an RSA key for this.
But since I switched one of my workstations to Ubuntu 22.04, I was unable to log in using this RSA key. Running ssh with debug enabled showed the likely culprit:
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: send_pubkey_test: no mutual signature algorithm
The message put me on the right track: Ubuntu 22.04 has disabled RSA key support by default. I’m not arguing with that; I don’t really like using RSA since better alternatives are around, so I don’t want to change this default, but I would still like to be able to reboot my Debian 10 servers. So, one command-line option later, I was able to use RSA keys only when I want them:
ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa email@example.com
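The same exception can live in ~/.ssh/config, scoped to the login used for unlocking instead of typed on every invocation or enabled for all hosts. This is an added example, not part of the original article; the alias unlock-debian10, the HostName placeholder and the root user are assumptions.

```sshconfig
# Weak form, shown commented out: re-enables ssh-rsa for every host
# this client connects to, undoing the Ubuntu 22.04 default globally.
# Host *
#     PubkeyAcceptedKeyTypes +ssh-rsa

# Scoped form: only the alias used for unlocking may offer the RSA key.
# "unlock-debian10" and "<server-address>" are placeholders for this example.
Host unlock-debian10
    HostName <server-address>
    # Assumption: the boot environment is entered as root.
    User root
    IdentityFile ~/.ssh/id_rsa
    # Offer only the key named above, not every key the agent holds.
    IdentitiesOnly yes
    # Same option as on the command line; OpenSSH 8.5 and later also
    # accept it under the name PubkeyAcceptedAlgorithms.
    PubkeyAcceptedKeyTypes +ssh-rsa
```

With this stanza, `ssh unlock-debian10` offers the RSA key, while connections to the same machine under its normal name keep the Ubuntu 22.04 defaults.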
As absolutely nobody knows or uses, I maintain an Ansible role that can set up a Debian or Ubuntu machine with full disk encryption on Hetzner Robot (bare-metal dedicated machines).
But wait, you shout, Hetzner usually runs consumer-grade stuff without KVMs – how do you enter your password at boot time? Easy: the role sets up a minimal boot environment with a dropbear ssh server where you can log in and do
While developing the role I realised that it was impossible to unlock a Debian 10 machine. Even though I was 100% sure Ansible was adding the proper key, logging in to the boot environment was impossible; I kept getting
Permission denied (publickey).
I lost some good hours troubleshooting, being sure Ansible was somehow not adding the proper key, until I searched the web and realised the version of dropbear shipped with Debian 10 does not support the ed25519 keys I so cheerfully use for the added security and elegant shortness.
So the fix was, for Debian 10 machines, to maintain an RSA key to use when logging in to boot the machines.