Ubuntu client cannot connect to ubuntu server since update but windows client can

Asked by sam on 2018-10-05

I'm the administrator of 3 small ubuntu servers used in our scientific group and I have ubuntu 18.04 on my personal laptop.
For the past two weeks I've been unable to access the servers remotely (I'm pretty sure this occurred after an update on the servers), but other clients using Windows (Putty and WinSCP) still have normal access. I can log into the server on site but when I try remotely those are the error messages I get:

================================
On the client side (ssh -vvv hostname): (I replaced the actual server name by "hostname", the IP address by xxx.xxx.xxx.xxx, and my username by username)
-------------------------------------

OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: /home/user/.ssh/config line 5: Applying options for hostname
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "hostname" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to hostname [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/keys/username-key type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/keys/username-key-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8p1
debug1: match: OpenSSH_7.8p1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to hostname:22 as 'sysadmin'
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from hostname
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,<email address hidden>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: <email address hidden>,rsa-sha2-512,rsa-sha2-256,ssh-rsa,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: <email address hidden>,aes128-ctr,aes192-ctr,aes256-ctr,<email address hidden>,<email address hidden>
debug2: ciphers stoc: <email address hidden>,aes128-ctr,aes192-ctr,aes256-ctr,<email address hidden>,<email address hidden>
debug2: MACs ctos: <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,<email address hidden>,zlib
debug2: compression stoc: none,<email address hidden>,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: <email address hidden>,<email address hidden>,aes256-ctr,aes128-ctr
debug2: ciphers stoc: <email address hidden>,<email address hidden>,aes256-ctr,aes128-ctr
debug2: MACs ctos: <email address hidden>,<email address hidden>,hmac-sha2-512,hmac-sha2-256
debug2: MACs stoc: <email address hidden>,<email address hidden>,hmac-sha2-512,hmac-sha2-256
debug2: compression ctos: none,<email address hidden>
debug2: compression stoc: none,<email address hidden>
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: <email address hidden> compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: <email address hidden> compression: none
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug3: receive packet: type 31
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 4084/8192
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug3: receive packet: type 33
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:YSLg0oZAaFNNu9oaU3U0KnSkTxNaUw7Al1sd4H2CBdI
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from hostname
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/user/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from xxx.xxx.xxx.xxx
debug1: Host 'hostname' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug2: bits set: 4097/8192
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /home/user/.ssh/keys/username-key (0x55c03837fb80), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:yL4cGGev35QrTpg2W7S07PZP460pJXJuFusUuyn4jSQ /home/user/.ssh/keys/username-key
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
sysadmin@hostname: Permission denied (publickey).

==================================
On the server side (var/log/auth.log): only showed the relevant lines
---------------------------------------------------
Oct 5 12:27:16 hostname sshd[9957]: error: Could not load host certificate "/etc/ssh/ssh_host_rsa_key-cert.pub": No such file or directory
Oct 5 12:27:16 hostname sshd[9957]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Oct 5 12:27:16 hostname sshd[9957]: Connection closed by authenticating user sysadmin xxx.xxx.xxx.xxx port 54356 [preauth]

=========================
My config file (on my laptop):
----------------------------------------
Host *
        ForwardX11 yes
        IdentityFile ~/.ssh/keys/username-key

Host hostname
        User sysadmin

Host user
        User user
        ProxyJump hostname

=========================
Ssh_config (on the server):
------------------------------------
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
    GSSAPIAuthentication yes
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_ed25519
    PubkeyAcceptedKeyTypes <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
# Port 22
# Protocol 2
    HostKeyAlgorithms <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    Ciphers <email address hidden>,<email address hidden>,aes256-ctr,aes128-ctr
    KexAlgorithms curve25519-sha256,<email address hidden>,diffie-hellman-group-exchange-sha256
    MACs <email address hidden>,<email address hidden>,hmac-sha2-512,hmac-sha2-256
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    VerifyHostKeyDNS ask

======================================
sshd_config (on the server):
--------------------------------------
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
HostKeyAlgorithms <email address hidden>,ssh-rsa

# Ciphers and keying
#RekeyLimit default none
Ciphers <email address hidden>,<email address hidden>,aes256-ctr,aes128-ctr
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs <email address hidden>,<email address hidden>,hmac-sha2-512,hmac-sha2-256

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes
PubkeyAcceptedKeyTypes <email address hidden>,ssh-rsa

AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none
DebianBanner no

# Allow client to pass locale environment variables
AcceptEnv

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-group basis
Match Group sftp-only
 AuthorizedKeysFile /etc/ssh/authorized_keys/%u
 ChrootDirectory /home
 DisableForwarding yes
 ForceCommand internal-sftp -d %u
 PermitTTY no

=======================================
Both my private (user-key) and public key (user-key.pub) are in my .ssh/keys folder and I compared the public key with the one on the server and they match. I even regenerated the public key from the private one to make sure it wasn't corrupted.
If you need any additional information please ask and you shall receive.

Many thanks in advance for any information!

Question information

Language:
English Edit question
Status:
Open
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Last query:
2018-10-05
Last reply:

Can you help with this problem?

Provide an answer of your own, or ask sam for more information if necessary.

To post a message you must log in.