Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange SSH issue (keys)

    General pfSense Questions
    3
    19
    4.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      creiss
      last edited by

      Hey,

      yes they are in the passwd file, along with /bin/tcsh.
      No, they can't login even with permissions removed from group and added to users.

      If I enable password-login in sshd they can login (with password) just fine. It's their ssh key that gets denied.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Strange. I just tried the same thing (ssh key on user, user in admin group) and my user can login OK using the key.

        Do you see anything in the system log when the user fails to auth with the key? What about on the client side if you run ssh with "-v"?

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • C
          creiss
          last edited by

          system.log on server on yields a meager

          Jun 22 16:53:38 cerberus sshd[46382]: Connection closed by 84.246.124.42 port 43092 [preauth]

          while the client just can'tย  connect:

          debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key:ย  (0x7fdd02b7c0a0),
[b]debug2: key: /home/chris/.ssh/id_rsa (0x7fdd02b6afd0),[/b]
debug2: key: /home/chris/.ssh/id_dsa ((nil)),
debug2: key: /home/chris/.ssh/id_ecdsa ((nil)),
debug2: key: /home/chris/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: 
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
[b]debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/chris/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply[/b]
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/chris/.ssh/id_dsa
debug3: no such identity: /home/chris/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/chris/.ssh/id_ecdsa
debug3: no such identity: /home/chris/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/chris/.ssh/id_ed25519
debug3: no such identity: /home/chris/.ssh/id_ed25519: No such file or directory
[b]debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).[/b]

          Again: Same key, same account just pasting the key into the admin ssh box will make the login successful.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Is that an older key? It may be too weak for current standards. Though I'm not sure why it would work for root and not a user account.

            Can you try making and using a new key like an ed25519 key and see if that works?

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • C
              creiss
              last edited by

              It's a 4096bit rsa key, but sure.

              1 Reply Last reply Reply Quote 0
              • C
                creiss
                last edited by 

                debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/chris/.ssh/id_dsa
debug3: no such identity: /home/chris/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/chris/.ssh/id_ecdsa
debug3: no such identity: /home/chris/.ssh/id_ecdsa: No such file or directory
debug1: Offering ED25519 public key: /home/chris/.ssh/id_ed25519
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  And nothing in the server log except the connection being closed?

                  An RSA key should still work. My output looks similar but it changes around here:

                  debug1: Offering RSA public key: /home/jim/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg rsa-sha2-512 blen 277

                  Which is why I find it odd that the server is rejecting it without logging exactly why.

                  Are you sure you are hitting this firewall and not getting port forwarded to a different firewall or system?

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • C
                    creiss
                    last edited by

                    I'd say, yes:

                    ~/.ssh> ssh -v admin@10.4.0.1
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.4.0.1 [10.4.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/chris/.ssh/id_rsa type 1
debug1: identity file /home/chris/.ssh/id_rsa-cert type -1
debug1: identity file /home/chris/.ssh/id_dsa type -1
debug1: identity file /home/chris/.ssh/id_dsa-cert type -1
debug1: identity file /home/chris/.ssh/id_ecdsa type -1
debug1: identity file /home/chris/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/chris/.ssh/id_ed25519 type 4
debug1: identity file /home/chris/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: kex: server->client aes128-ctr umac-128-etm@openssh.com zlib@openssh.com
debug1: kex: client->server aes128-ctr umac-128-etm@openssh.com zlib@openssh.com
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 28:c4:e9:25:ad:c2:74:8b:32:99:f9:81:3c:8d:78:d4
debug1: skipped DNS lookup for numerical hostname
debug1: Host '10.4.0.1' is known and matches the ED25519 host key.
debug1: Found key in /home/chris/.ssh/known_hosts:6
debug1: ssh_ed25519_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: 
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).

                    ~/.ssh> ssh -v chris@10.4.0.1
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.4.0.1 [10.4.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/chris/.ssh/id_rsa type 1
debug1: identity file /home/chris/.ssh/id_rsa-cert type -1
debug1: identity file /home/chris/.ssh/id_dsa type -1
debug1: identity file /home/chris/.ssh/id_dsa-cert type -1
debug1: identity file /home/chris/.ssh/id_ecdsa type -1
debug1: identity file /home/chris/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/chris/.ssh/id_ed25519 type 4
debug1: identity file /home/chris/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-128-etm@openssh.com zlib@openssh.com
debug1: kex: client->server aes128-ctr umac-128-etm@openssh.com zlib@openssh.com
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ED25519 28:c4:e9:25:ad:c2:74:8b:32:99:f9:81:3c:8d:78:d4
debug1: skipped DNS lookup for numerical hostname
debug1: Host '10.4.0.1' is known and matches the ED25519 host key.
debug1: Found key in /home/chris/.ssh/known_hosts:6
debug1: ssh_ed25519_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: 
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/chris/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/chris/.ssh/id_dsa
debug1: Trying private key: /home/chris/.ssh/id_ecdsa
debug1: Offering ED25519 public key: /home/chris/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

                    Same ip (both ends), Same originating account, same SSH Keys, same copy&pasted allowed ssh block for admin & chris. One joy one nay.

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      Hmm, ok. And I did confirm that a key mismatch only prints the connection closed message in the logs.

                      So somehow it's either not able to read those keys or it believes the accounts are not valid, neither of which make much sense given the context.

                      We don't have any way to increase the sshd logging in the GUI, but you could manually edit the /etc/sshd script and add a line to it so it puts "LogLevel DEBUG2" in the config, and then run /etc/sshd to restart sshd and see what shows up.

                      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • C
                        creiss
                        last edited by

                        Here goes:

                        Jun 22 17:23:55 cerberus sshd[88455]: Connection from XX port 43848 on 10.4.0.1 port 22
Jun 22 17:23:55 cerberus sshd[88455]: Failed publickey for chris from XX port 43848 ssh2: RSA SHA256:/uRgUtSvDjHkSiSPJG1tDjbSzBwhocphMLgm5VvVH/Q
Jun 22 17:23:55 cerberus sshd[88455]: Failed publickey for chris from XX port 43848 ssh2: RSA SHA256:K6/VRlhI/MHe+EwjMx1gT5WphKM/LLDbZe+mQzBQBE4
Jun 22 17:23:55 cerberus sshd[88455]: Failed publickey for chris from XX port 43848 ssh2: ED25519 SHA256:lIR6M20L0fvmWqzapIDz6Q2FcNuSDybJv9NXF8P86hY
Jun 22 17:23:55 cerberus sshd[88455]: Connection closed by XX port 43848 [preauth]

                        cat /home/chris/.ssh/authorized_keys 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHegX2pTGXjLB5YBIVa/x3IfZ6f26idLd5pZ3WIffJni chris@kerberos.alpha-labs.net

                        Humm :/

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          How many entries are in that user's authorized_keys file? Three? It is strange that it is seeing them but deciding they don't match.

                          There must be something even more simple/basic at play here that is getting overlooked. Are you sure the authorized key data was pasted in properly, without newlines in incorrect places?

                          Can you copy and paste it into a text editor and confirm there is one whole key per line?

                          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • C
                            creiss
                            last edited by

                            Hey,

                            Yeah. I wiped, redid, saved, copied the block out again into a text editor: One key per line.
                            If i take the old key block of the user and copy&paste it as admin I can log in as admin easily.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              I can not duplicate this.. I use the same key for my user as my root/admin account.ย  I create a new user, copy the key in and bam in like flint.

                              
> ssh -v testssh@pfsense.local.lan
OpenSSH_7.5p1, OpenSSL 1.0.2kย  26 Jan 2017
debug1: Reading configuration data /home/jpoz/.ssh/config
debug1: Connecting to pfsense.local.lan [192.168.9.253] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/jpoz/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jpoz/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jpoz/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jpoz/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jpoz/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/jpoz/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/jpoz/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/jpoz/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to pfsense.local.lan:22 as 'testssh'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit>compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit>compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:I0WQR9Eyjlcgf/vNFHQ7sm290r/MV+3tQ8QZfxEk9pw
debug1: Host 'pfsense.local.lan' is known and matches the ED25519 host key.
debug1: Found key in /home/jpoz/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs= <rsa-sha2-256,rsa-sha2-512>debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/jpoz/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/jpoz/.ssh/id_dsa
debug1: Trying private key: /home/jpoz/.ssh/id_ecdsa
debug1: Offering ED25519 public key: /home/jpoz/.ssh/id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).
Authenticated to pfsense.local.lan ([192.168.9.253]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
[2.4.0-BETA][testssh@pfsense.local.lan]/home/testssh:</rsa-sha2-256,rsa-sha2-512></implicit></implicit>

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                              1 Reply Last reply Reply Quote 0
                              • C
                                creiss
                                last edited by

                                Hey folks,

                                I found the root cause. I initially installed pfsense then restored a configuration. I can only assume that this created the user home dirs in the first place. During the adjustments needed I decided to start over, so I reset the configuarion and re-did everything.

                                The home directories are owned by the other users, for example:

                                user1 is owned by user2
                                user2 is owned by user3
                                user3 is owned by user1

                                I can only assume that the uid mapping changed due to re-creating the users while not wiping the home directories. Seems like the revert option does not wipe /home.

                                Ah well, another mystery solved.

                                1 Reply Last reply Reply Quote 1
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.