Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] SSH passwordless user authentication fails.
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
C5ace
Apprentice
Apprentice


Joined: 23 Dec 2013
Posts: 265
Location: Brisbane, Australia

PostPosted: Fri Apr 12, 2019 5:50 am    Post subject: [SOLVED] SSH passwordless user authentication fails. Reply with quote

After not using ssh passwordless authentication for 3 weeks and a unknown number of updates, ssh passwordless authentication for User stopped working with my 4 systems on my home lan. ssh root@box2.home.lan works O.K. from root@box1.home.lan with /etc/ssh/sshd_config PermitRootLogin yes.

I unmerged openssh, 'emerge --depclean', deleted /etc/ssh and ~/.ssh and 'emerge net-misc/openssh' on box1 and box2. Rebooted box1 and box2. /etc/ssh contained the new keys.

Logged in as User on box1 and followed: https://wiki.gentoo.org/wiki/SSH#Passwordless_authentication (Passwordless authentication)
No success with ssh user@box2/home/lan. ssh root@box2/home.lan works OK.

Then rm /home/user/.ssh* and rm /root/.ssh/*.

Single machine testing with user@box1.home.lan:
Code:

user@box1 ~/Desktop $ cd ..
user@box1 ~ $ cd .ssh
user@box1 ~/.ssh $ ls -l
total 0
# user@box1 ~/.ssh is empty

user@box1 ~/.ssh $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wynqfF2kRIjk3r4ao1kBDsGT4O7vhxnv42EZp+Qbx4I user@box1
The key's randomart image is:
+---[RSA 2048]----+
|= .... .         |
|.= .. . .        |
|..o .  .         |
|.o o . ....      |
| .. ooooSo       |
|.  .++*....      |
| . EXO.+ .       |
|  .O.*B..        |
|  +oB*o          |
+----[SHA256]-----+
user@box1 ~/.ssh $
# Generated RSA Key

user@box1 ~/.ssh $ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
# Copied id_rsa.pub to authorized_keys

user@box1 ~/.ssh $ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password: # NOTE: Entered user password to continue.
                 # Should not have request a password!

# Now the 'user' is loged in via SSH into localhost

user@box1 ~ $ exit
logout
Connection to localhost closed.
# user Logged out from SSH localhost

user@box1 ~/.ssh $
# SSH into localhost with -vvv debug flags
user@box1 ~/.ssh $ ssh -vvv localhost
OpenSSH_7.9p1, OpenSSL 1.0.2r  26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'user'
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:wynqfF2kRIjk3r4ao1kBDsGT4O7vhxnv42EZp+Qbx4I
debug1: Will attempt key: /home/user/.ssh/id_dsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa
debug1: Will attempt key: /home/user/.ssh/id_ed25519
debug1: Will attempt key: /home/user/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:wynqfF2kRIjk3r4ao1kBDsGT4O7vhxnv42EZp+Qbx4I
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51

#### NOTE: root: debug3: receive packet: type 60

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug3: no such identity: /home/user/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug3: no such identity: /home/user/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/user/.ssh/id_xmss
debug3: no such identity: /home/user/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

Password: # NOTE: There should be no request for a password.
          # Entered user password to continue.

debug3: send packet: type 61
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: send packet: type 61
debug3: receive packet: type 52
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to localhost ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/user
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_MENU_PREFIX
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env QT_GRAPHICSSYSTEM
debug3: Ignored env LESS
debug3: Ignored env DISPLAY
debug3: Ignored env OPENGL_PROFILE
debug3: Ignored env OLDPWD
debug3: Ignored env CONFIG_PROTECT_MASK
debug3: Ignored env EDITOR
debug1: Sending env COLORTERM = truecolor
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env GCC_SPECS
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env GLADE_CATALOG_PATH
debug3: Ignored env VBOX_APP_HOME
debug3: Ignored env USER
debug3: Ignored env GLADE_MODULE_PATH
debug3: Ignored env PAGER
debug3: Ignored env DESKTOP_SESSION
debug1: Sending env LC_COLLATE = C
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env PWD
debug3: Ignored env MANPAGER
debug3: Ignored env HOME
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env GSETTINGS_BACKEND
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env GLADE_PIXMAP_PATH
debug3: Ignored env GTK_MODULES
debug3: Ignored env MAIL
debug3: Ignored env CONFIG_PROTECT
debug3: Ignored env TERM
debug3: Ignored env VTE_VERSION
debug3: Ignored env SHELL
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env MOZ_GMP_PATH
debug3: Ignored env SHLVL
debug3: Ignored env MANPATH
debug3: Ignored env WINDOWID
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XSESSION
debug3: Ignored env XAUTHORITY
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env PATH
debug3: Ignored env INFOPATH
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env LESSOPEN
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
user@box1 ~ $
user@box1 ~ $
user@box1 ~ $ exit
logout
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)

debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to localhost closed.
Transferred: sent 3000, received 2816 bytes, in 12.6 seconds
Bytes per second: sent 237.3, received 222.7
debug1: Exit status 0
user@box1 ~/.ssh $
# Logout completed


Single machine testing with root@box1.home.lan:
Code:

box1 ~ #
box1 ~ # cd /root/.ssh
box1 ~/.ssh # ls -l
total 0
# root@box1 ~/.ssh is empty

box1 ~/.ssh # ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A root@box1
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|.         .      |
|..   . + . .o    |
|o .   + S o=...  |
|.o . . * =o+++   |
|E   + O +.=o=.   |
|o    B.O.+o=..   |
| .  . .o= +...   |
+----[SHA256]-----+
box1 ~/.ssh #
# Generated RSA Key
 
box1 ~/.ssh # cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
# Copied id_rsa.pub to authorized_keys
 
box1 ~/.ssh # ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
# NOTE: No password requested

# Now root loged in via SSH into localhost

box1 ~ # exit
logout
Connection to localhost closed.
# root logged out from SSH localhost

box1 ~/.ssh #
# SSH into localhost with -vvv debug flags
box1 ~/.ssh # ssh -vvv localhost
OpenSSH_7.9p1, OpenSSL 1.0.2r  26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'root'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I+ATkfO/51bluHoN+LYFP7DsRFd4H+WaHB1BEsg0T5Y
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug3: sign_and_send_pubkey: RSA SHA256:+ixXpR0+mreR8CDa+YGi9RDcXH8qThtgqHP2CAAq65A
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_MENU_PREFIX
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env QT_GRAPHICSSYSTEM
debug3: Ignored env LESS
debug3: Ignored env DISPLAY
debug3: Ignored env OPENGL_PROFILE
debug3: Ignored env OLDPWD
debug3: Ignored env CONFIG_PROTECT_MASK
debug3: Ignored env EDITOR
debug1: Sending env COLORTERM = truecolor
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env GCC_SPECS
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env GLADE_CATALOG_PATH
debug3: Ignored env VBOX_APP_HOME
debug3: Ignored env USER
debug3: Ignored env GLADE_MODULE_PATH
debug3: Ignored env PAGER
debug3: Ignored env DESKTOP_SESSION
debug1: Sending env LC_COLLATE = C
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env PWD
debug3: Ignored env HOME
debug3: Ignored env MANPAGER
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env GSETTINGS_BACKEND
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env GLADE_PIXMAP_PATH
debug3: Ignored env GTK_MODULES
debug3: Ignored env MAIL
debug3: Ignored env CONFIG_PROTECT
debug3: Ignored env SHELL
debug3: Ignored env VTE_VERSION
debug3: Ignored env TERM
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env MOZ_GMP_PATH
debug3: Ignored env SHLVL
debug3: Ignored env MANPATH
debug3: Ignored env WINDOWID
debug3: Ignored env LOGNAME
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XSESSION
debug3: Ignored env XAUTHORITY
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env PATH
debug3: Ignored env INFOPATH
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env LESSOPEN
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
box1 ~ #
box1 ~ #
box1 ~ # exit
logout
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)

debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to localhost closed.
Transferred: sent 3312, received 3252 bytes, in 23.8 seconds
Bytes per second: sent 139.2, received 136.6
debug1: Exit status 0
box1 ~/.ssh #


Anyway to fix this?
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as C++, C#, Rust and the likes.


Last edited by C5ace on Sat Apr 13, 2019 4:58 am; edited 1 time in total
Back to top
View user's profile Send private message
DawgG
l33t
l33t


Joined: 17 Sep 2003
Posts: 808

PostPosted: Fri Apr 12, 2019 11:27 am    Post subject: Reply with quote

you're making it complicated... deleting and reinstalling everything was probably not necessary.
1. pass the ssh-command the username of the taget-system if this is not the same as the local user; eg
Code:
ssh -l root target-system
of course, that user must exist and have a shell on the target system.
2. if you use different keys for different users make sure all the needed ssh-keys.pub (in authorzed_keys) are in the right path(s). if you use more than one key.pub
Code:
cp key.pub authorized_keys
will not work (use
Code:
cat keys.pub >> authorized_keys
)
3. different openssh-server-versions might not accept all key-formats (ecdsa etc.) so you might have to use different ones. but this is probably no problem in a gentoo-only environment.
GOOD LUCK!
_________________
DUMM KLICKT GUT.
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 550
Location: France

PostPosted: Fri Apr 12, 2019 12:01 pm    Post subject: Reply with quote

I think authorized_keys file permissions are wrong. So sshd considers it's unsafe, and ignores it.
To be sure all is right, delete authorized_keys and use the ssh-copy-id command.
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Fri Apr 12, 2019 1:04 pm    Post subject: Reply with quote

Well, the problem seems to be server-side.
Try "tail -f <log> | grep sshd" on /var/log/syslog or /var/log/everything/current or wherever your logger dumps that stuff and connect with ssh again. Sshd is pretty straight about its problems, there's a good chance it will simply tell you what's wrong.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5592

PostPosted: Fri Apr 12, 2019 5:46 pm    Post subject: Reply with quote

Quote:
Code:
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/user
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13495

PostPosted: Sat Apr 13, 2019 12:51 am    Post subject: Re: SSH passwordless authentication fails for user. root is Reply with quote

C5ace wrote:
with /etc/ssh/sshd_config PermitRootLogin yes.
Did you intend to allow password-based root login? This is generally discouraged. Set PermitRootLogin prohibit-password to allow root to log in via key, but prohibit attempts to log in via password.
C5ace wrote:
I unmerged openssh, 'emerge --depclean', deleted /etc/ssh and ~/.ssh and 'emerge net-misc/openssh' on box1 and box2. Rebooted box1 and box2. /etc/ssh contained the new keys.
This was almost certainly the wrong thing to do. Change your host keys only if they have been breached (or you suspect they were breached). Changing them without prior announcement will lead your clients to believe a MitM is under way.
C5ace wrote:
Password: # NOTE: Entered user password to continue.
# Should not have request a password!
If you set PasswordAuthentication no in your sshd_config, you will not receive a password prompt here.
Back to top
View user's profile Send private message
C5ace
Apprentice
Apprentice


Joined: 23 Dec 2013
Posts: 265
Location: Brisbane, Australia

PostPosted: Sat Apr 13, 2019 4:53 am    Post subject: Reply with quote

Ant P. wrote:
Quote:
Code:
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /home/user


[SOLVED]
As "Ant P." pointed out this was a permission problem probably caused by a changes or a bug in ssh and/or related software.

After using ssh with password:
Code:

user1@box1 / $ls -la /home/user1/.ssh
drwx------  2 user1 user1 4096 Apr 13 12:48 .
drwxrwxrwx 60 user1 user1 4096 Apr 13 12:49 ..
-rw-r--r--  1 user1 user1  189 Apr 13 12:48 known_hosts

After deleting /home/user1/.ssh and running 'ssh-keygen -t rsa' and 'ssh-copy-id user1@box2.home.lan:
Code:

user@box1 / $ ls -la /home/user1/.ssh
total 20
drwx------  2 user1 user1 4096 Apr 13 12:48 .
drwxrwxrwx 60 user1 user1 4096 Apr 13 12:49 ..
-rw-------  1 user1 user1 1823 Apr 13 10:54 id_rsa
-rw-r--r--  1 user1 user1  396 Apr 13 10:54 id_rsa.pub
-rw-r--r--  1 user1 user1  189 Apr 13 12:48 known_hosts

Requires password to login to user1@box2.home.lan[/code]
Changed /home/user1/.ssh/'..' permissions from 777 to 755 on both box1 and box2. Now passwordless ssh works again.
Code:

user1@proxy-64 / $ ls -la /home/user1/.ssh
total 20
drwx------  2 user1 user1 4096 Apr 13 12:48 .
drwxr-xr-x 60 user1 user1 4096 Apr 13 12:49 ..
-rw-------  1 user1 user1 1823 Apr 13 10:54 id_rsa
-rw-r--r--  1 user1 user1  396 Apr 13 10:54 id_rsa.pub
-rw-r--r--  1 user1 user1  189 Apr 13 12:48 known_hosts
user1@proxy-64 / $


Thanks "Ant P." for pointing me to the right direction.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as C++, C#, Rust and the likes.
Back to top
View user's profile Send private message
C5ace
Apprentice
Apprentice


Joined: 23 Dec 2013
Posts: 265
Location: Brisbane, Australia

PostPosted: Sat Apr 13, 2019 5:14 am    Post subject: Re: SSH passwordless authentication fails for user. root is Reply with quote

Hu wrote:
C5ace wrote:
with /etc/ssh/sshd_config PermitRootLogin yes.
Did you intend to allow password-based root login? This is generally discouraged. Set PermitRootLogin prohibit-password to allow root to log in via key, but prohibit attempts to log in via password.
C5ace wrote:
I unmerged openssh, 'emerge --depclean', deleted /etc/ssh and ~/.ssh and 'emerge net-misc/openssh' on box1 and box2. Rebooted box1 and box2. /etc/ssh contained the new keys.
This was almost certainly the wrong thing to do. Change your host keys only if they have been breached (or you suspect they were breached). Changing them without prior announcement will lead your clients to believe a MitM is under way.
C5ace wrote:
Password: # NOTE: Entered user password to continue.
# Should not have request a password!
If you set PasswordAuthentication no in your sshd_config, you will not receive a password prompt here.


Thanks for your concern.

Password-based root login is for maintenance. This was never a problem on my 4 systems home lan used by my wife, myself and occasionally my neighbour's 5 year old kid.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as C++, C#, Rust and the likes.
Back to top
View user's profile Send private message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 2876
Location: Illinois, USA

PostPosted: Sat Apr 13, 2019 11:35 am    Post subject: Reply with quote

Quote:
'ssh-keygen -t rsa' and 'ssh-copy-id user1@box2.home.lan:

You ran these as user1 on box1, right? And this allows you to logon as user1 on box2 with ssh without password, correct?
Repeat for root?
Last year I tried to set this up using the wiki but got thoroughly confused as to which box was server and which was client because the connection seems peer to peer to me.
Back to top
View user's profile Send private message
C5ace
Apprentice
Apprentice


Joined: 23 Dec 2013
Posts: 265
Location: Brisbane, Australia

PostPosted: Sat Apr 13, 2019 11:08 pm    Post subject: Reply with quote

Tony0945 wrote:
Quote:
'ssh-keygen -t rsa' and 'ssh-copy-id user1@box2.home.lan:

You ran these as user1 on box1, right? And this allows you to logon as user1 on box2 with ssh without password, correct?
Repeat for root?
Last year I tried to set this up using the wiki but got thoroughly confused as to which box was server and which was client because the connection seems peer to peer to me.


I consider the box in font of me (unit1) the client and the remote box (unit2) the server.

Take care of the permissions of ~/.ssh when you configure passwordless ssh authentication between normal users. User 'root' to 'root' is not critical and works as per Wiki.

Good luck.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as C++, C#, Rust and the likes.
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 550
Location: France

PostPosted: Tue Apr 16, 2019 12:47 pm    Post subject: Re: SSH passwordless authentication fails for user. root is Reply with quote

C5ace wrote:
Password-based root login is for maintenance. This was never a problem on my 4 systems home lan used by my wife, myself and occasionally my neighbour's 5 year old kid.

This was not, indeed. Until it will be. Sometimes, OpenSSH vulnerabilities are discovered.

The best is to completely forbid direct root logins. You can add user1 to the wheel group, to be able to log in as user1 and then become root through su or sudo. As the user1 key is allowed, you don't even have to type one more password.
Back to top
View user's profile Send private message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 2876
Location: Illinois, USA

PostPosted: Tue Apr 16, 2019 2:06 pm    Post subject: Reply with quote

That won't work well if you use scp in a script. It's also annoying if you use scp in a terminal, unless you use easy passwords like "mycat". If you use hard passwords like "A1F83539184D3F2F8CFCC3AFF7", it's a royal pain. If you set passwords off and require keys, then if the keys get corrupted, you have to physically go to the box and restore it or turn passwords back on.

Years ago I read about keys as a convenience to not having to remember passwords (or write them down). That they were a hard alternative to passwords was never mentioned.
Back to top
View user's profile Send private message
Syl20
Guru
Guru


Joined: 04 Aug 2005
Posts: 550
Location: France

PostPosted: Fri Apr 19, 2019 12:36 pm    Post subject: Reply with quote

If "the best" isn't feasible, there are other methods to limit the opening to the strict minimum :

Code:
PermitRootLogin no
Match Address 192.168.X.X
  PermitRootLogin prohibit-password


or
Code:
PermitRootLogin no
Match Address 192.168.X.X
  PermitRootLogin forced-commands-only


with a script containing the appropriate list of allowed commands (let's say /usr/local/sbin/ssh_commands.sh) :
Code:
#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
  "scp ")  $SSH_ORIGINAL_COMMAND ;;
  *)       false ;;
esac


and, into authorized_keys :
Code:
from="192.168.X.X",command="/usr/local/sbin/ssh_commands.sh" ssh-ed25519 AAAA...
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum