
Re: ssh




Alan:

Let's keep this on-list.  I am subscribed.


So, you have installed the Debian package 'backuppc' on host 'sirius', and intend to use it as a BackupPC server?


The package created the group 'backuppc' and the user 'backuppc', with home directory '/usr/local/BackupPC'?


How were the contents of your /etc/ssh created? The permissions don't match mine -- my *_key files are 0600 and everything else is 0644.


The metadata for your /usr/local/BackupPC/.ssh looks okay.


How were the contents of your /usr/local/BackupPC/.ssh created? The permissions don't match mine -- my *.pub files are 0644 and everything else is 0600.


My client .ssh directory has 1 hard link.  Do you know why yours has 2?


There are some lines in your login attempt that look suspicious -- I have noted them with asterisks (*):

    debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_ed25519 type 4
*   debug1: key_load_public: No such file or directory


    debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_rsa type 1
*   debug1: key_load_public: No such file or directory


Doing the same test on my network produces the same messages, but the login works correctly. So, I think we can ignore "key_load_public: No such file or directory" (?).


Comparing your 'ssh -v sirius' to testing on my network, the output diverges after the line:

    Server accepts key: pkalg ssh-rsa blen 535

Mine then says:

    debug1: Authentication succeeded (publickey).
    Authenticated to cvs ([192.168.1.25]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@xxxxxxxxxxx
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: client_input_global_request: rtype hostkeys-00@xxxxxxxxxxx want_reply 0
    debug1: Sending environment.
    debug1: Sending env LANG = C


Localization and UTF-8 have caused me problems in the past, so I have the following line in my .profile. This may or may not help you:

    export LANG=C


The entries in your authorized_keys file look different than mine -- yours contain ' Generated on 181113.1203 for' near the end of both matching entries. Do your *.pub files have this phrase? How was your authorized_keys created?


After a successful login, my auth.log says:

    Nov 12 22:49:36 dipsy sshd[3395]: Accepted publickey for dpchrist from 192.168.1.142 port 39164 ssh2: RSA SHA256:BAg+ZqGUnRYXU0QssQkuaBqzjxsgyjIKJeoZ8H5SG9E
    Nov 12 22:49:36 dipsy sshd[3395]: pam_unix(sshd:session): session opened for user dpchrist by (uid=0)


I would reset the modes of your SSH client files as backuppc@sirius:

    $ cd /usr/local/BackupPC/.ssh

    $ chmod 0600 *

    $ chmod 0644 *.pub


I would reset the modes of your SSH server files as root@sirius:

    # cd /etc/ssh

    # chmod 0644 *

    # chmod 0600 *_key


Then try 'ssh -v sirius' and look at auth.log.


David



On 11/12/18 8:34 PM, Alan Taylor wrote:
Hello,

Output from several suggestions:
------------------------------------------------
Permissions (backuppc is the user having problems) :

backuppc@sirius:~$ ls -ld /usr/local/BackupPC
drwxr-xr-x 6 backuppc backuppc 4096 Nov 13 12:12 /usr/local/BackupPC
backuppc@sirius:~$ ls -ld /usr/local/BackupPC/.ssh
drwx------ 2 backuppc backuppc 4096 Nov 13 12:08 /usr/local/BackupPC/.ssh
backuppc@sirius:~$ ls -l /usr/local/BackupPC/.ssh
total 28
-rw------- 1 backuppc backuppc 1790 Nov 13 12:04 authorized_keys
-rw-r----- 1 backuppc backuppc 2240 Nov 13 12:02 config
-rw-r--r-- 1 backuppc backuppc  142 Nov 13 12:08 known_hosts
-rw------- 1 backuppc backuppc  484 Nov 13 12:03 sirius_bpc-id_ed25519
-rw-r----- 1 backuppc backuppc  126 Nov 13 12:03 sirius_bpc-id_ed25519.pub
-rw------- 1 backuppc backuppc 3479 Nov 13 12:04 sirius_bpc-id_rsa
-rw-r----- 1 backuppc backuppc  770 Nov 13 12:04 sirius_bpc-id_rsa.pub
backuppc@sirius:~$
backuppc@sirius:~$ ls -la /etc/ssh
drwxr-xr-x   2 root root   4096 Nov 13 12:04 .
drwxr-xr-x 131 root root  12288 Nov 13 12:05 ..
-rw-r--r--   1 root root 511915 Nov 13 12:02 moduli
-rw-r--r--   1 root root 553122 Aug 21 11:14 moduli.dist
-rw-------   1 root root    888 Nov 13 12:03 sirius_alan-authorized_keys
-rw-rw----   1 root root    896 Nov 13 12:04 sirius_bpc-authorized_keys
-rw-r--r--   1 root root   2830 Nov 13 12:02 ssh_config
-rw-r--r--   1 root root   1723 Aug 21 11:14 ssh_config.dist
-rw-r--r--   1 root root   4239 Nov 13 12:02 sshd_config
-rw-r--r--   1 root root   3298 Aug 21 11:14 sshd_config.dist
-rw-------   1 root root    432 Nov 13 12:03 ssh_host_ed25519_key
-rw-r-----   1 root root    117 Nov 13 12:03 ssh_host_ed25519_key.pub
-rw-------   1 root root   3243 Nov 13 12:03 ssh_host_rsa_key
-rw-r-----   1 root root    761 Nov 13 12:03 ssh_host_rsa_key.pub
backuppc@sirius:~$
These permissions are identical to the user that works.
------------------------------------------------
Output from David's troubleshooting :

As backuppc (problem user):

backuppc@sirius:~$ whoami
backuppc
backuppc@sirius:~$ hostname
sirius
backuppc@sirius:~$ cat /etc/debian_version
9.6
backuppc@sirius:~$ uname -a
Linux sirius 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
GNU/Linux
backuppc@sirius:~$ dpkg-query -W openssh-client
openssh-client    1:7.4p1-10+deb9u4

backuppc@sirius:~$ ls -aFl /usr/local/BackupPC/.ssh
total 36
drwx------ 2 backuppc backuppc 4096 Nov 13 12:08 ./
drwxr-xr-x 6 backuppc backuppc 4096 Nov 13 12:12 ../
-rw------- 1 backuppc backuppc 1790 Nov 13 12:04 authorized_keys
-rw-r----- 1 backuppc backuppc 2240 Nov 13 12:02 config
-rw-r--r-- 1 backuppc backuppc  142 Nov 13 12:08 known_hosts
-rw------- 1 backuppc backuppc  484 Nov 13 12:03 sirius_bpc-id_ed25519
-rw-r----- 1 backuppc backuppc  126 Nov 13 12:03 sirius_bpc-id_ed25519.pub
-rw------- 1 backuppc backuppc 3479 Nov 13 12:04 sirius_bpc-id_rsa
-rw-r----- 1 backuppc backuppc  770 Nov 13 12:04 sirius_bpc-id_rsa.pub

backuppc@sirius:~$ ssh -v sirius
OpenSSH_7.4p1 Debian-10+deb9u4, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /usr/local/BackupPC/.ssh/config
debug1: /usr/local/BackupPC/.ssh/config line 16: Applying options for sirius
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 69: Deprecated option "useroaming"
debug1: Connecting to 192.168.8.3 [192.168.8.3] port 50400.
debug1: Connection established.
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_ed25519-cert
type -1
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /usr/local/BackupPC/.ssh/sirius_bpc-id_rsa-cert type
-1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1
Debian-10+deb9u4
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.8.3:50400 as 'backuppc'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519
SHA256:Qmmw9Hw9F68Lv9vTJTHpbJtwOzxUxod4FFAnA16D5bk
debug1: Host '[192.168.8.3]:50400' is known and matches the ED25519 host
key.
debug1: Found key in /usr/local/BackupPC/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key:
/usr/local/BackupPC/.ssh/sirius_bpc-id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Offering RSA public key: /usr/local/BackupPC/.ssh/sirius_bpc-id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: No more authentication methods to try.
Permission denied (publickey).
backuppc@sirius:~$
____________
as root :

root@sirius:~# whoami
root
root@sirius:~# hostname
sirius
root@sirius:~# cat /etc/debian_version
9.6
root@sirius:~# uname -a
Linux sirius 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
GNU/Linux
root@sirius:~# dpkg-query -W openssh-client
openssh-client    1:7.4p1-10+deb9u4

root@sirius:~# ls -aFl /usr/local/BackupPC/.ssh
total 36
drwx------ 2 backuppc backuppc 4096 Nov 13 12:08 ./
drwxr-xr-x 6 backuppc backuppc 4096 Nov 13 12:12 ../
-rw------- 1 backuppc backuppc 1790 Nov 13 12:04 authorized_keys
-rw-r----- 1 backuppc backuppc 2240 Nov 13 12:02 config
-rw-r--r-- 1 backuppc backuppc  142 Nov 13 12:08 known_hosts
-rw------- 1 backuppc backuppc  484 Nov 13 12:03 sirius_bpc-id_ed25519
-rw-r----- 1 backuppc backuppc  126 Nov 13 12:03 sirius_bpc-id_ed25519.pub
-rw------- 1 backuppc backuppc 3479 Nov 13 12:04 sirius_bpc-id_rsa
-rw-r----- 1 backuppc backuppc  770 Nov 13 12:04 sirius_bpc-id_rsa.pub

root@sirius:~# grep backuppc@sirius
/usr/local/BackupPC/.ssh/authorized_keys
ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIBIG1jFCDbjX1AuKEpi3U0rPtxW79kZwcEAzN+shbnni
Generated on 181113.1203 for backuppc@sirius
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQD2fiZLF9Q0+RKERleUw2LnoEXF3FdF/UPPX+khWUVIc+SWG+mTSIlFeEWNeoLpa32Vfb0T8cNooMgR6sodxQZlzC15ByPSotW7AHAdBylzkP0G4GM4zTYlkfuIzeJClNrNuphzbdIa8dH9xhmhqE7FbHcq34LErQX1zBfGcDVyqUABVdXTLqtDKRS2P3hCQ8gR8u0BDesvTUYWPwJXkXaq9UdS9VWsJuyQhnqzFKOm+cPdoqRFtvVAIxlqAyI9ok7d/cve4nIjFPg1n7ralTw4x8D4oxmOpUNqOC4dJYDCbihY3nImq0oB/+zt6uS3t232qjaUGrt0pUB2AywQwULYhGhAsiqGEaoJuuYUonCXT4IHxTIBFJraVSvr53gcM7Jm9kBcLG8x2B5rtiZzBImITv+nZnqTJgBu5q+ZBqm5FK4miBHjinscXxqCLmljXOW7Ui7uhg1NjcYMdaC1BRJoHzsTkIvnoRmONdUbDCK63n9MHikiRrvdme8SUQDjuKHfS5nNMClDfMF69Rgr27QkqOMOYYA2mqvcrjxtXS1n9DA88dnhCKsHfTDXCto710CHzQPh7YuUzlL8uNAE4RwzhOCDxgaI4WV9/qj2J+0C2PE0dkTwFqBuGytyBYFglpIhmnlucukdccZ5i/YpEkITvccB7EO/sPSRzAnm55iGUw==
Generated on 181113.1203 for backuppc@sirius

root@sirius:~# tail -n 20 /var/log/auth.log
Nov 13 12:28:07 sirius sshd[2159]: debug1: fd 4 clearing O_NONBLOCK
Nov 13 12:28:07 sirius sshd[2159]: debug2: user_key_allowed: check options:
'ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIBIG1jFCDbjX1AuKEpi3U0rPtxW79kZwcEAzN+shbnni
Generated on 181113.1203 for backuppc@sirius\n'
Nov 13 12:28:07 sirius sshd[2159]: debug2: user_key_allowed: advance:
'AAAAC3NzaC1lZDI1NTE5AAAAIBIG1jFCDbjX1AuKEpi3U0rPtxW79kZwcEAzN+shbnni
Generated on 181113.1203 for backuppc@sirius\n'
Nov 13 12:28:07 sirius sshd[2159]: debug1: matching key found: file
/usr/local/BackupPC/.ssh/authorized_keys, line 2 RSA
SHA256:/TFnCvwpyL6W0Z4I71jw9u3eY4rWqB9lnHVSx3mdYNM
Nov 13 12:28:07 sirius sshd[2159]: debug1: restore_uid: 0/0
Nov 13 12:28:07 sirius sshd[2159]: debug3: mm_answer_keyallowed: key
0x55f0b985d0d0 is allowed
Nov 13 12:28:07 sirius sshd[2159]: debug3: mm_request_send entering: type 23
Nov 13 12:28:07 sirius sshd[2159]: debug3: send packet: type 60 [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug2: userauth_pubkey: authenticated 0
pkalg ssh-rsa [preauth]
Nov 13 12:28:07 sirius sshd[2159]: Postponed publickey for backuppc from
192.168.8.3 port 48708 ssh2 [preauth]
Nov 13 12:28:07 sirius sshd[2159]: Connection closed by 192.168.8.3 port
48708 [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug1: do_cleanup [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug3: PAM: sshpam_thread_cleanup
entering [preauth]
Nov 13 12:28:07 sirius sshd[2159]: debug1: monitor_read_log: child log fd
closed
Nov 13 12:28:07 sirius sshd[2159]: debug3: mm_request_receive entering
Nov 13 12:28:07 sirius sshd[2159]: debug1: do_cleanup
Nov 13 12:28:07 sirius sshd[2159]: debug1: PAM: cleanup
Nov 13 12:28:07 sirius sshd[2159]: debug3: PAM: sshpam_thread_cleanup
entering
Nov 13 12:28:07 sirius sshd[2159]: debug1: Killing privsep child 2160
Nov 13 12:28:07 sirius sshd[2159]: debug1: audit_event: unhandled event 12
root@sirius:~#

On Tue, 13 Nov 2018 at 11:22, David Christensen <dpchrist@xxxxxxxxxxxxxxxx>
wrote:

On 11/12/18 5:49 AM, Alan Taylor wrote:
Greetings,

Hi.  :-)


I have an ssh problem - one user can use it successfully, another
cannot. I have checked and rechecked permissions until I am blue in the
face …
At the moment just trying to ssh into the same machine I am on for the
problem user (the other user can ssh successfully, both to the console
machine and outwards to others).
Agent problem? The successful user was set up in the installation, the
problem user was added at the command line after initial setup.

Trouble-shooting can be tedious...


Log output follows, appears to fail after the preauth stage …

Any suggestions gratefully accepted

root@sirius/etc/ssh # journalctl | grep sshd | grep "Nov 12 13:45"
<snip>


I would enter the following commands into the indicated accounts and
computers, substituting place holders with actual values (USERNAME,
SSH_CLIENT, SSH_SERVER).  If you still don't see it, cut and paste your
console sessions into a reply:

1.  As the user having problems on the computer having problems:

         $ whoami

         $ hostname

         $ cat /etc/debian_version

         $ uname -a

         $ dpkg-query -W openssh-client

         $ ls -aFl /home/USERNAME/.ssh

         $ ssh -v SSH_SERVER

2.  As root on the SSH server:

         # hostname

         # cat /etc/debian_version

         # uname -a

         # dpkg-query -W openssh-server

         # ls -aFl /home/USERNAME/.ssh

         # grep USERNAME@SSH_CLIENT /home/USERNAME/.ssh/authorized_keys

         # tail /var/log/auth.log


David
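
The mode convention from the reply at the top of this message (client directory: *.pub 0644 and everything else 0600; /etc/ssh: *_key 0600 and everything else 0644), written as a dry-run check that lists which files the suggested chmod commands would change. This is an added example, not part of the original messages; the function names are hypothetical and the sample directory is constructed from the file names and modes in the quoted listing.

```shell
#!/bin/sh
# Dry-run audit of SSH file modes against the convention in the reply above.
# It reports differences only and never changes a mode.

# Permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# expected_mode PROFILE NAME: the mode the reply's chmod commands would leave.
#   client (~/.ssh):   *.pub 644, everything else 600
#   server (/etc/ssh): *_key 600, everything else 644
expected_mode() {
    case "$1:$2" in
        client:*.pub) echo 644 ;;
        client:*)     echo 600 ;;
        server:*_key) echo 600 ;;
        server:*)     echo 644 ;;
        *)            return 2 ;;
    esac
}

# audit_ssh_modes PROFILE DIR: prints "NAME ACTUAL EXPECTED" per differing file.
# Status: 0 all match, 1 something differs, 2 bad arguments.
audit_ssh_modes() {
    profile=$1; dir=$2; rc=0
    [ -d "$dir" ] || return 2
    expected_mode "$profile" x >/dev/null || return 2
    for path in "$dir"/*; do
        [ -f "$path" ] || continue   # skip directories and an unmatched glob
        name=${path##*/}
        want=$(expected_mode "$profile" "$name")
        have=$(file_mode "$path")
        [ "$have" = "$want" ] && continue
        echo "$name $have $want"
        rc=1
    done
    return $rc
}

# Constructed sample: empty files with the names and modes from the
# 'ls -l /usr/local/BackupPC/.ssh' listing quoted in this thread.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for spec in authorized_keys:600 config:640 known_hosts:644 \
                sirius_bpc-id_ed25519:600 sirius_bpc-id_ed25519.pub:640 \
                sirius_bpc-id_rsa:600 sirius_bpc-id_rsa.pub:640; do
        : > "$d/${spec%:*}" && chmod "${spec#*:}" "$d/${spec%:*}"
    done
    echo "$d"
}
```

Of the differences this reports, OpenSSH itself acts on only two kinds: the client ignores a private key that is accessible by group or others, and sshd with StrictModes rejects an authorized_keys file, .ssh directory or home directory that is writable by group or others.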