Solved ssh key authentication not working

  • Thread starter Deleted member 43773

Deleted member 43773

Guest
Hi guys,

I'm trying to realize my ssh logins with pubkey authentication.
I did what's in the tutorials:
ssh-keygen (with password)
ssh-copy-id public-key -> other machine

The /etc/ssh/sshd_conf is default (except AllowedUsers and PermitRootLogin are set)

Now when I login to machine A everything is fine,
I'm asked for key-passwd.
Okay.

But when I login to machine B,
key-passwd is only asked when I login as user.
When I login as root (ssh root@....) the normal password is still asked.
So (to me it seems) there is no key-authentication, but still passwd authentication.

I experimented a bit with rm ~/.ssh/* to start all over again,
restarted sshd, modified /etc/ssh/sshd_conf,
which should not make much sense anyway, cause what I set there according to sshd_conf manpage, is default anyway.
And on machine A, where it's working as it should, nothing was modified.

ssh still asks for shell-login password, but not for the ssh-key's passwd, when I login as root.

What could I check? What have I overlooked?

Thanks in advance.
 
If you want to "hop" further, using the same key, you need to enable agent forwarding (which is off by default).

ssh -A me@myhost

Code:
     -A      Enables forwarding of connections from an authentication agent
             such as ssh-agent(1).  This can also be specified on a per-host
             basis in a configuration file.

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's UNIX-domain socket) can access the local agent through
             the forwarded connection.  An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.  A safer alternative may be to use a jump host (see
             -J).
 
..., so either I use different keys for different logins, or use the agent?
 
Yes, if you want to hop from A to B using the same key you will need to enable agent forwarding on the client. So make the connection to A with agent forwarding on (-A), then you can 'hop' from A to B with the same key (assuming you added that key to ~/.ssh/authorized_keys on B too).

I typically use PuTTY and Pageant, and have agent forwarding turned on. Then I can just hop from one server to another.
 
Okay. Thanks.
Well, that's not what I'm doing
from A to B to C, if I understand you correctly,
but A <-> B <-> C,
while connections to C are done with key passwd, but between A & B not.

However, I will check out generating different keys for every connection (the more I think of it, the more logical it seems).

THANKS a lot!

P.S.: Sorry for posting in the wrong forum, and thanks for correcting that.
 
Umm.. this might be a stupid answer, but you definitely want to have PubkeyAuthentication yes and PasswordAuthentication no set in /etc/ssh/sshd_config on the target machines you're ssh'ing to. And of course you need to put your id_rsa.pub into .ssh/authorized_keys in the target boxes home accounts. And restart sshd on the target boxes. I'm assuming you are ssh'ing to both A and B from the same machine.
 
Nah, the answer is not stupid,
since those are the probs I already faced, (checked)
and wished they'd be mentioned in the tutorials (at least the ones I used).

(If someone's writing such a thing,
of course they try to make it fool-proof,
but sometimes they're that into something they simply overlook
how stupid a noob can really be [e.g. me] 😁)

PubkeyAuthentication yes and PasswordAuthentication no do not need to be set explicitly,
because according to man sshd_conf those are the default settings anyway.
I also tried it by myself before I opened this thread; that's what I meant with "
experimented a bit with [...] modified /etc/ssh/sshd_conf",
but (of course) it had no effect.

thanks.
 
Make sure you reload/restart sshd after every modification to sshd_config before testing; it is only parsed at startup/reload.

Can you be explicit about what systems are connecting (to/from, and where the private keys and associated authorized_keys entries reside?)

In general, ssh -vv is your friend for debugging why it chose to use a particular authentication.
 
But when I login to machine B,
key-passwd is only asked when I login as user.
When I login as root (ssh root@....) the normal password is still asked.
So (to me it seems) there is no key-authentication, but still passwd authentication.
You must have /root/.ssh/authorized_keys in root's home directory.
Double-check owner and permissions for /root/.ssh and /root/.ssh/authorized_keys
Owner of the file should be equal to username, and permissions should be -rw------- (600).
Check logs /var/log/auth.log on the target, usually ssh writes info about issues with keys.
On the client machine try to set the full path to the private key using ssh -i /path/to/privatekey
 
Thanks for all your input.
I tried some things.
still not working.

all my machines are within my LAN,
all running FreeBSD 13.1 natively and the same version of OpenSSH

between my laptop and desktop, as user to user, the passphrase for the key is asked.
But when I login user to root, in both ways, the normal shell passwd is asked.
ssh -vv tells me
Code:
 authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/xxxxxx/.ssh/id_rsa RSA SHA256:9VtdptiLma2L7HuBl4DtGNIzMUrfHxyUsGfkjGeK1XVs
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/xxxxxx/.ssh/id_dsa
debug3: no such identity: /home/xxxxxx/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/xxxxxx/.ssh/id_ecdsa
debug3: no such identity: /home/xxxxxx/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/xxxxxx/.ssh/id_ecdsa_sk
debug3: no such identity: /home/xxxxxx/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/xxxxxx/.ssh/id_ed25519
debug3: no such identity: /home/xxxxxxx/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/xxxxxx/.ssh/id_ed25519_sk
debug3: no such identity: /home/xxxxxx/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/xxxxxx/.ssh/id_xmss
debug3: no such identity: /home/xxxxxx/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive

so for some reason the pub_key is not sent/received,
pub_key authentication aborted, switched to normal password (non-key) authentication

when I set KbdInteractiveAuthentication no
I receive a Permission denied (publickey)
and user to user is still working

So something's rotten with my ssh(d)-root settings.

WAIT!

I still have to check something first, before I continue here.
I just checked /var/log/auth.log
Code:
sshd[19678]: Authentication refused: bad ownership or modes for directory /root

what im said could be the point - I'll check, and come back.
Thanks
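As an added example (not code from the thread or from OpenSSH), the following POSIX sh script reproduces the ownership and mode rule sshd enforces with StrictModes (the default) on authorized_keys, .ssh and the home directory: each must be owned by root or by the login user and must not be group- or world-writable, which is the rule behind the permission advice earlier in the thread and the "bad ownership or modes for directory /root" line in auth.log. It assumes ls -n and cut are available; the numeric uid and home directory are arguments you supply.

```shell
# Reproduce sshd's StrictModes checks (owner root or the user, no group/world
# write bit) for authorized_keys, .ssh and the home dir. Unlike the 600 advice
# above, sshd itself accepts e.g. 644 on authorized_keys; it only rejects
# write bits for group/other. Assumption: a POSIX sh with ls -n and cut.
# Usage: check_ssh_path NUMERIC_UID HOMEDIR    e.g.  check_ssh_path 0 /root

# check_one PATH UID: return 0 if PATH passes the ownership/mode rule, else 1.
check_one() {
    path=$1; uid=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    # ls -ldn works on both FreeBSD and GNU: mode is field 1, numeric owner field 3
    set -- $(ls -ldn "$path")
    mode=$1; owner=$3
    case "$owner" in
        0|"$uid") ;;
        *) echo "BAD owner uid $owner on $path (must be 0 or $uid)"; return 1 ;;
    esac
    # characters 6 and 9 of the mode string are the group and other write bits
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ] || \
       [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
        echo "BAD mode $mode on $path (group- or world-writable)"; return 1
    fi
    return 0
}

# check_ssh_path UID HOMEDIR: check the key file, .ssh and the home directory;
# sshd walks parent directories upward but stops at the home dir, so that is
# where this check stops too.
check_ssh_path() {
    uid=$1; home=$2; rc=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        check_one "$p" "$uid" || rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK: $home passes sshd StrictModes checks"
    return $rc
}
```

Run it on the target as the user being refused (for root: check_ssh_path 0 /root); any BAD line corresponds to what sshd logs as "bad ownership or modes".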
 
I don't get it.

The permissions on all 4 machines are the same:
Code:
-rw-------  1 root  wheel   755B 30 März 16:52 authorized_keys

All running
OpenSSH_8.8p1, OpenSSL 1.1.1o-freebsd 3 May 2022
difference:
D) 13.1-RELEASE-p7 - pubkey-authentication as user to root nok
L) 13.1-RELEASE-p7 - pubkey-authentication as user to root nok
S) FreeBSD 13.1-RELEASE-p3 - pubkey-authentication as user to root ok
MT) FreeBSD 13.1-RELEASE - pubkey-authentication as user to root ok
 
I don't know anymore.
just getting more and more paranoid....

sorry, and thanks.
 