driving me mental, remote login to pfsense CLI to shutdown
-
Oh it did send something.
debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 60 debug1: Server accepts key: pkalg rsa-sha2-512 blen 279 debug2: input_userauth_pk_ok: fp SHA256:9I6DoJ7tHV07ZgZZlNYbiEFHT2BlRHFOp2rhQ+GI8I4 debug3: sign_and_send_pubkey: RSA SHA256:9I6DoJ7tHV07ZgZZlNYbiEFHT2BlRHFOp2rhQ+GI8I4But don't think it liked it ;)
Give me a sec to digest
-
of course it didnt. You need to be a brain surgeon with a degree in rocket science to get this sh1t working. Seriously wheres the nearest cliff so I can throw myself and the machine off it!
-
No you don't need to be a brain surgeon... This pretty basic stuff ;)
RSA - yeah prob no longer even accepted.. that guide is from what 2015...
-
Well its taken me 12hrs and I cant get it working, so its not really basic at all.
Im outta ideas, thanks anyway john -
Public key auth is pretty freaking basic stuff.. But yes you have to understand how it works ;)
Just randomly following some guide from 4 years ago, prob going to have issues.
It doesn't like your OLD sha2 sig for one thing, and there were some known bugs with that for sure
https://bugzilla.mindrot.org/show_bug.cgi?id=2799I would create some current stuff, and redo it... You know say ed25519
If you want I have ubuntu could show you the commands to create current stuff ;)
-
here this took all of 2 minutes to get running.
user@uc:~$ ssh-keygen -o -t ed25519 Generating public/private ed25519 key pair. Enter file in which to save the key (/home/user/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_ed25519. Your public key has been saved in /home/user/.ssh/id_ed25519.pub. The key fingerprint is: SHA256:EjqswC3vT2iA0ndVqSdPcljQikuHBl1HMjEp64vRl70 user@uc The key's randomart image is: +--[ED25519 256]--+ | . .B*+. | | . o .*+ | | ..=.= | |o... .*oB + | |++..==ooSX | |..+ooo+.o o | | .+ + o . | | o o . E | | ... | +----[SHA256]-----+ user@uc:~$
login
user@uc:~$ ssh test@192.168.9.253 [2.4.4-RELEASE][test@sg4860.local.lan]/home/test:here is debug info of the public key auth
debug1: Offering ED25519 public key: /home/user/.ssh/id_ed25519 debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 60 debug1: Server accepts key: pkalg ssh-ed25519 blen 51 debug2: input_userauth_pk_ok: fp SHA256:EjqswC3vT2iA0ndVqSdPcljQikuHBl1HMjEp64vRl70 debug3: sign_and_send_pubkey: ED25519 SHA256:EjqswC3vT2iA0ndVqSdPcljQikuHBl1HMjEp64vRl70 debug3: send packet: type 50 debug3: receive packet: type 52 debug1: Authentication succeeded (publickey). Authenticated to 192.168.9.253 ([192.168.9.253]:22). -
yeah so just tried with rsa key, ie the guide you "followed"
debug1: Offering RSA public key: /home/user/.ssh/id_rsa debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51See the type 51 response - tells you failed...
-
@johnpoz Hello, i did exactly what you've posted. I copied the key to the folder as below:
sudo cp /home/nsautomate/.ssh/id_ed25519.pub /var/lib/openhab2 & to .ssh folderAnd updated the user in the Gui with the new key value.
Still doesnt work, wants a password
nsautomate@ihp:~$ sudo -u openhab ssh -vvv nsautomate@192.168.1.254 'sudo etc/rc.halt' OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: resolving "192.168.1.254" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to 192.168.1.254 [192.168.1.254] port 22. debug1: Connection established. debug1: identity file /var/lib/openhab2/.ssh/id_rsa type 0 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/openhab2/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/openhab2/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/openhab2/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/openhab2/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/openhab2/.ssh/id_ecdsa-cert type -1 debug1: identity file /var/lib/openhab2/.ssh/id_ed25519 type 3 debug1: key_load_public: No such file or directory debug1: identity file /var/lib/openhab2/.ssh/id_ed25519-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5 debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.1.254:22 as 'nsautomate' debug3: hostkeys_foreach: reading file "/var/lib/openhab2/.ssh/known_hosts" debug3: record_hostkey: found key type ED25519 in file /var/lib/openhab2/.ssh/known_hosts:1 debug3: load_hostkeys: loaded 1 keys from 192.168.1.254 debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com debug2: compression ctos: none,zlib@openssh.com debug2: compression stoc: none,zlib@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: Server host key: ssh-ed25519 SHA256:4RCz4gQY4LJRdlMC2Y1ix0IqQp1zR/pQEo8gkSXC0sw debug3: hostkeys_foreach: reading file "/var/lib/openhab2/.ssh/known_hosts" debug3: record_hostkey: found key type ED25519 in file /var/lib/openhab2/.ssh/known_hosts:1 debug3: load_hostkeys: loaded 1 keys from 192.168.1.254 debug1: Host '192.168.1.254' is known and matches the ED25519 host key. debug1: Found key in /var/lib/openhab2/.ssh/known_hosts:1 debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey after 134217728 blocks debug2: key: /var/lib/openhab2/.ssh/id_rsa (0x560090f89480) debug2: key: /var/lib/openhab2/.ssh/id_dsa ((nil)) debug2: key: /var/lib/openhab2/.ssh/id_ecdsa ((nil)) debug2: key: /var/lib/openhab2/.ssh/id_ed25519 (0x560090f88a80) debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:9I6DoJ7tHV07ZgZZlNYbiEFHT2BlRHFOp2rhQ+GI8I4 /var/lib/openhab2/.ssh/id_rsa debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Trying private key: /var/lib/openhab2/.ssh/id_dsa debug3: no such identity: /var/lib/openhab2/.ssh/id_dsa: No such file or directory debug1: Trying private key: /var/lib/openhab2/.ssh/id_ecdsa debug3: no such identity: /var/lib/openhab2/.ssh/id_ecdsa: No such file or directory debug1: Offering public key: ED25519 SHA256:2QxvQbZibZUUeRI7j5DwP3LaeCIvPDWJDSrcLw7UX2k /var/lib/openhab2/.ssh/id_ed25519 debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 60 debug1: Server accepts key: pkalg ssh-ed25519 blen 51 debug2: input_userauth_pk_ok: fp SHA256:2QxvQbZibZUUeRI7j5DwP3LaeCIvPDWJDSrcLw7UX2k debug3: sign_and_send_pubkey: ED25519 SHA256:2QxvQbZibZUUeRI7j5DwP3LaeCIvPDWJDSrcLw7UX2k debug3: no such identity: /var/lib/openhab2/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug3: send packet: type 50 debug2: we sent a keyboard-interactive packet, wait for reply debug3: receive packet: type 60 debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password for nsautomate@pfSense.rkeen.ddns.net: -
@automate said in driving me mental, remote login to pfsense CLI to shutdown:
/var/lib/openhab2/.ssh/id_ed25519
Looks like it doesnt like loading it from that directory
debug2: input_userauth_pk_ok: fp SHA256:2QxvQbZibZUUeRI7j5DwP3LaeCIvPDWJDSrcLw7UX2k
debug3: sign_and_send_pubkey: ED25519 SHA256:2QxvQbZibZUUeRI7j5DwP3LaeCIvPDWJDSrcLw7UX2k
Load key "/var/lib/openhab2/.ssh/id_ed25519": Permission denied -
What are the permissions on the file? Why are you trying to use a different user and then another user to auth with?
-
The linux server has software on it called openhab. That software executes its scripts, or rules, using the openhab user. This is a home automation package.
So, the openhab user executes the command but logs in with 'nsautomate'
nsautomate@ihp:~$ sudo ls -la /var/lib/openhab2/.ssh/id_ed25519 -rw------- 1 root root 411 Aug 5 10:39 /var/lib/openhab2/.ssh/id_ed25519 nsautomate@ihp:~$ -
that seems pointless.. if the user account openhab is going to run the command, just create that user on pfsense and use it to auth with and run the halt cmd.
Only root can access that file, per the permissions on it.
-
Cool, that appears to have worked. However, its shut down pfsense but not powered off the unit, like it does if you select 'halt' from the GUI. I can still ping it but not SSH to it and its still forwarding packets despite a CLI message saying its being shut down??
Is there an alternate command that shuts the whole system down gracefully?
-
What kind of hardware?
You probably want
shutdown -p nowhttps://www.freebsd.org/cgi/man.cgi?query=shutdown&manpath=FreeBSD+11.2-RELEASE
-
He has something running on linux that he wants to ssh into pfsense using public key auth and run the rc.halt
Which works just fine I have tested your old thread, on a VM running 2.4.4p3 - takes all of 30 seconds to setup.
He is having a problem using public key auth in general.
-
Sounds like he got it working but didn't get a power off.
/etc/rc.haltis probably a better option. -
@Derelict it's intel i5 hardware. I'll try that option
-
Thanks, etc/rc.halt does the trick
-
@johnpoz said in driving me mental, remote login to pfsense CLI to shutdown:
ssh-keygen -o -t ed25519
Thanks John & Derelict! all working now :)
