
Re: ssh




Hello,

Output from several suggestions:
------------------------------------------------
Permissions (backuppc is the user having problems) :

backuppc@sirius:~$ ls -ld /usr/local/BackupPC
drwxr-xr-x 6 backuppc backuppc 4096 Nov 13 12:12 /usr/local/BackupPC
backuppc@sirius:~$ ls -ld /usr/local/BackupPC/.ssh
drwx------ 2 backuppc backuppc 4096 Nov 13 12:08 /usr/local/BackupPC/.ssh
backuppc@sirius:~$ ls -l /usr/local/BackupPC/.ssh
total 28
-rw------- 1 backuppc backuppc 1790 Nov 13 12:04 authorized_keys
-rw-r----- 1 backuppc backuppc 2240 Nov 13 12:02 config
-rw-r--r-- 1 backuppc backuppc  142 Nov 13 12:08 known_hosts
-rw------- 1 backuppc backuppc  484 Nov 13 12:03 sirius_bpc-id_ed25519
-rw-r----- 1 backuppc backuppc  126 Nov 13 12:03 sirius_bpc-id_ed25519.pub
-rw------- 1 backuppc backuppc 3479 Nov 13 12:04 sirius_bpc-id_rsa
-rw-r----- 1 backuppc backuppc  770 Nov 13 12:04 sirius_bpc-id_rsa.pub
backuppc@sirius:~$
backuppc@sirius:~$ ls -la /etc/ssh
drwxr-xr-x   2 root root   4096 Nov 13 12:04 .
drwxr-xr-x 131 root root  12288 Nov 13 12:05 ..
-rw-r--r--   1 root root 511915 Nov 13 12:02 moduli
-rw-r--r--   1 root root 553122 Aug 21 11:14 moduli.dist
-rw-------   1 root root    888 Nov 13 12:03 sirius_alan-authorized_keys
-rw-rw----   1 root root    896 Nov 13 12:04 sirius_bpc-authorized_keys
-rw-r--r--   1 root root   2830 Nov 13 12:02 ssh_config
-rw-r--r--   1 root root   1723 Aug 21 11:14 ssh_config.dist
-rw-r--r--   1 root root   4239 Nov 13 12:02 sshd_config
-rw-r--r--   1 root root   3298 Aug 21 11:14 sshd_config.dist
-rw-------   1 root root    432 Nov 13 12:03 ssh_host_ed25519_key
-rw-r-----   1 root root    117 Nov 13 12:03 ssh_host_ed25519_key.pub
-rw-------   1 root root   3243 Nov 13 12:03 ssh_host_rsa_key
-rw-r-----   1 root root    761 Nov 13 12:03 ssh_host_rsa_key.pub
backuppc@sirius:~$
These permissions are identical to the user that works.
------------------------------------------------
Output from David's troubleshooting :

As backuppc (problem user):

backuppc@sirius:~$ whoami
backuppc
backuppc@sirius:~$ hostname
sirius
backuppc@sirius:~$ cat /etc/debian_version
9.6
backuppc@sirius:~$ uname -a
Linux sirius 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
backuppc@sirius:~$ dpkg-query -W openssh-client
openssh-client    1:7.4p1-10+deb9u4

backuppc@sirius:~$ ls -aFl /usr/local/BackupPC/.ssh
total 36
drwx------ 2 backuppc backuppc 4096 Nov 13 12:08 ./
drwxr-xr-x 6 backuppc backuppc 4096 Nov 13 12:12 ../
-rw------- 1 backuppc backuppc 1790 Nov 13 12:04 authorized_keys
-rw-r----- 1 backuppc backuppc 2240 Nov 13 12:02 config
-rw-r--r-- 1 backuppc backuppc  142 Nov 13 12:08 known_hosts
-rw------- 1 backuppc backuppc  484 Nov 13 12:03 sirius_bpc-id_ed25519
-rw-r----- 1 backuppc backuppc  126 Nov 13 12:03 sirius_bpc-id_ed25519.pub
-rw------- 1 backuppc backuppc 3479 Nov 13 12:04 sirius_bpc-id_rsa
-rw-r----- 1 backuppc backuppc  770 Nov 13 12:04 sirius_bpc-id_rsa.pub

backuppc@sirius:~$ ssh -v sirius
OpenSSH_7.4p1 Debian-10+deb9u4, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /usr/local/BackupPC/.ssh/config
debug1: /usr/local/BackupPC/.ssh/config line 16: Applying options for sirius
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 69: Deprecated option "useroaming"
debug1: Connecting to 192.168.8.3 [192.168.8.3] port 50400.
debug1: Connection established.
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_ed25519-cert type -1
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u4
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.8.3:50400 as 'backuppc'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:Qmmw9Hw9F68Lv9vTJTHpbJtwOzxUxod4FFAnA16D5bk
debug1: Host '[192.168.8.3]:50400' is known and matches the ED25519 host key.
debug1: Found key in /usr/local/BackupPC/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /usr/local/BackupPC/.ssh/sirius_bpc-id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Offering RSA public key: /usr/local/BackupPC/.ssh/sirius_bpc-id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: No more authentication methods to try.
Permission denied (publickey).
backuppc@sirius:~$
____________
as root :

root@sirius:~# whoami
root
root@sirius:~# hostname
sirius
root@sirius:~# cat /etc/debian_version
9.6
root@sirius:~# uname -a
Linux sirius 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
root@sirius:~# dpkg-query -W openssh-client
openssh-client    1:7.4p1-10+deb9u4

root@sirius:~# ls -aFl /usr/local/BackupPC/.ssh
total 36
drwx------ 2 backuppc backuppc 4096 Nov 13 12:08 ./
drwxr-xr-x 6 backuppc backuppc 4096 Nov 13 12:12 ../
-rw------- 1 backuppc backuppc 1790 Nov 13 12:04 authorized_keys
-rw-r----- 1 backuppc backuppc 2240 Nov 13 12:02 config
-rw-r--r-- 1 backuppc backuppc  142 Nov 13 12:08 known_hosts
-rw------- 1 backuppc backuppc  484 Nov 13 12:03 sirius_bpc-id_ed25519
-rw-r----- 1 backuppc backuppc  126 Nov 13 12:03 sirius_bpc-id_ed25519.pub
-rw------- 1 backuppc backuppc 3479 Nov 13 12:04 sirius_bpc-id_rsa
-rw-r----- 1 backuppc backuppc  770 Nov 13 12:04 sirius_bpc-id_rsa.pub

root@sirius:~# grep backuppc@sirius /usr/local/BackupPC/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBIG1jFCDbjX1AuKEpi3U0rPtxW79kZwcEAzN+shbnni Generated on 181113.1203 for backuppc@sirius
ssh-rsa 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 Generated on 181113.1203 for backuppc@sirius

root@sirius:~# tail -n 20 /var/log/auth.log
Nov 13 12:28:07 sirius sshd[2159]: debug1: fd 4 clearing O_NONBLOCK
Nov 13 12:28:07 sirius sshd[2159]: debug2: user_key_allowed: check options: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBIG1jFCDbjX1AuKEpi3U0rPtxW79kZwcEAzN+shbnni Generated on 181113.1203 for backuppc@sirius\n'
Nov 13 12:28:07 sirius sshd[2159]: debug2: user_key_allowed: advance: 'AAAAC3NzaC1lZDI1NTE5AAAAIBIG1jFCDbjX1AuKEpi3U0rPtxW79kZwcEAzN+shbnni Generated on 181113.1203 for backuppc@sirius\n'
Nov 13 12:28:07 sirius sshd[2159]: debug1: matching key found: file /usr/local/BackupPC/.ssh/authorized_keys, line 2 RSA SHA256:/TFnCvwpyL6W0Z4I71jw9u3eY4rWqB9lnHVSx3mdYNM
Nov 13 12:28:07 sirius sshd[2159]: debug1: restore_uid: 0/0
Nov 13 12:28:07 sirius sshd[2159]: debug3: mm_answer_keyallowed: key 0x55f0b985d0d0 is allowed
Nov 13 12:28:07 sirius sshd[2159]: debug3: mm_request_send entering: type 23
Nov 13 12:28:07 sirius sshd[2159]: debug3: send packet: type 60 [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
Nov 13 12:28:07 sirius sshd[2159]: Postponed publickey for backuppc from 192.168.8.3 port 48708 ssh2 [preauth]
Nov 13 12:28:07 sirius sshd[2159]: Connection closed by 192.168.8.3 port 48708 [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug1: do_cleanup [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug1: monitor_read_log: child log fd closed
Nov 13 12:28:07 sirius sshd[2159]: debug3: mm_request_receive entering
Nov 13 12:28:07 sirius sshd[2159]: debug1: do_cleanup
Nov 13 12:28:07 sirius sshd[2159]: debug1: PAM: cleanup
Nov 13 12:28:07 sirius sshd[2159]: debug3: PAM: sshpam_thread_cleanup entering
Nov 13 12:28:07 sirius sshd[2159]: debug1: Killing privsep child 2160
Nov 13 12:28:07 sirius sshd[2159]: debug1: audit_event: unhandled event 12
root@sirius:~#

On Tue, 13 Nov 2018 at 11:22, David Christensen <dpchrist@xxxxxxxxxxxxxxxx> wrote:
On 11/12/18 5:49 AM, Alan Taylor wrote:
> Greetings,

Hi.  :-)


> I have an ssh problem - one user can use it successfully, another cannot. I have checked and rechecked permissions until I am blue in the face …
> At the moment just trying to ssh into the same machine I am on for the problem user (the other user can ssh successfully, both to the console machine and outwards to others).
> Agent problem ? The successful user was setup in the installation, the problem user was added at the command line after initial setup.

Trouble-shooting can be tedious...


> Log output follows, appears to fail after the preauth stage …
>
> Any suggestions gratefully accepted
>
> root@sirius/etc/ssh # journalctl | grep sshd | grep "Nov 12 13:45"
<snip>


I would enter the following commands into the indicated accounts and
computers, substituting place holders with actual values (USERNAME,
SSH_CLIENT, SSH_SERVER).  If you still don't see it, cut and paste your
console sessions into a reply:

1.  As the user having problems on the computer having problems:

        $ whoami

        $ hostname

        $ cat /etc/debian_version

        $ uname -a

        $ dpkg-query -W openssh-client

        $ ls -aFl /home/USERNAME/.ssh

        $ ssh -v SSH_SERVER

2.  As root on the SSH server:

        # hostname

        # cat /etc/debian_version

        # uname -a

        # dpkg-query -W openssh-server

        # ls -aFl /home/USERNAME/.ssh

        # grep USERNAME@SSH_CLIENT /home/USERNAME/.ssh/authorized_keys

        # tail /var/log/auth.log


David
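
The ownership and mode checks that the `ls -aFl` steps above are meant to support can be scripted. The following is an added example, not part of either poster's messages: it approximates the tests sshd applies under StrictModes (home directory, `.ssh` and `authorized_keys` owned by the user or root and not group/other writable) and the client's refusal of private keys readable by group or other. It assumes GNU `stat` as shipped on Debian; the function names are hypothetical, and the `*id_*` glob follows the key file names shown in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): approximates sshd's StrictModes
# ownership/mode tests plus the ssh client's private-key mode test.
# Usage: check_ssh_perms UID HOME
#   e.g. check_ssh_perms "$(id -u backuppc)" /usr/local/BackupPC

# ok_owner_mode PATH UID: owner must be UID or root (0), and neither the
# group-write nor the other-write bit (octal 022) may be set.
ok_owner_mode() {
    o=$(stat -c '%u' "$1") || return 1
    m=$(stat -c '%a' "$1") || return 1
    if [ "$o" != "$2" ] && [ "$o" != 0 ]; then
        echo "BAD owner: $1 is owned by uid $o"; return 1
    fi
    if [ $(( 0$m & 022 )) -ne 0 ]; then
        echo "BAD mode: $1 is $m (group/other writable)"; return 1
    fi
}

# Prints one line per problem found; returns 0 only if nothing was flagged.
check_ssh_perms() {
    uid=$1; home=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"; rc=1; continue
        fi
        ok_owner_mode "$p" "$uid" || rc=1
    done
    # Private keys: any group/other permission bit (octal 077) is rejected
    # by the client. Public halves (*.pub) are skipped.
    for key in "$home"/.ssh/*id_*; do
        case $key in *.pub) continue ;; esac
        [ -f "$key" ] || continue
        m=$(stat -c '%a' "$key")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "BAD mode: private key $key is $m"; rc=1
        fi
    done
    return $rc
}

# Run directly when given arguments: sh script.sh UID HOME
if [ "$#" -ge 2 ]; then check_ssh_perms "$1" "$2"; fi
```

Run against the listings posted above (home 755, `.ssh` 700, `authorized_keys` 600, private keys 600), these checks flag nothing.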