Netgate Discussion Forum

SSH without passwords

General pfSense Questions
14 Posts 6 Posters 1.0k Views
    wdtj @johnpoz
    last edited by Aug 17, 2022, 6:36 PM

    @johnpoz Yea. I just discovered that.

      wdtj @wdtj
      last edited by Aug 17, 2022, 6:47 PM

      @wdtj OK, so the trace question is answered, but it still bugs me that the passphrase-less ssh does not work.

      I have a user defined via the GUI, it is a member of the admins group, and I did copy my public key to the "Authorized SSH Keys" for that user.

      Since I can access with the password, this would mean (in my experience) that the server had an issue with the public key or its file. Normally this is due to the file not having mode 600. Apparently this file is not in the user's .ssh directory on pfSense. Even if I try creating that file, it still does not work.

      Normally I would look at the sshd log to diagnose this sort of issue, where is that on pfSense?

        johnpoz LAYER 8 Global Moderator @wdtj
        last edited by johnpoz Aug 17, 2022, 7:31 PM (posted Aug 17, 2022, 7:29 PM)

        @wdtj not sure what you're doing exactly.. But I just created a testuser.. put them in the admin group.

        Added their openssh public key I created in the gui.

        and bam, logs in just fine with public key

        And you can see that public key got added in their directory.

        [screenshot: key.jpg]

        you can see in the auth log where it was accepted

        [screenshot: auth.jpg]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          jimp Rebel Alliance Developer Netgate
          last edited by Aug 18, 2022, 12:51 PM

          The SSH daemon logs to /var/log/system.log on pfSense software, so look there for errors.

          Make sure what you pasted into the authorized keys is the full public key:

          % cat .ssh/id_rsa.pub
          ssh-rsa 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 jimp@fbsd-current
          

          You copy in that whole block from ssh-rsa and include the comment at the end. The result must be on a SINGLE line. If you copy/paste out of the cygwin terminal it may insert line breaks where it wraps lines, so you will have to reassemble it into a single line. I suggest copying and pasting into an editor such as Notepad++ on Windows, or even open up the id_rsa.pub file directly in Notepad++.

          Also if you are stuck running Windows on there, consider switching away from Cygwin to using WSL2/Ubuntu integration and Windows Terminal (free in the MS Store). It's a lot easier to work with over time than Cygwin, IMO.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            wdtj @johnpoz
            last edited by Aug 18, 2022, 2:14 PM

            @johnpoz I just copied the public key over again, and tried to log in. Still getting the same request for password. The log took a while to update but this is what it contains:

            Aug 18 09:09:45 	sshd 	90095 	error: PAM: Authentication error for waynej from 192.168.2.77
            Aug 18 09:09:45 	sshguard 	54822 	Attack from "192.168.2.77" on service SSH with danger 10.
            Aug 18 09:09:49 	sshd 	90095 	Accepted keyboard-interactive/pam for waynej from 192.168.2.77 port 64218 ssh2
            

            First line appears to be from my cert. Second is accepting the password and letting me in.

            Since my requirement for passwordless entry is now gone, I'll just drop the problem. Thanks for your help.

              wdtj @jimp
              last edited by Aug 18, 2022, 2:19 PM

              @jimp I am aware of the problems with some editors inserting newlines in a copied block and I did check for that. The GUI window makes this difficult because it also wraps the line which looks like a newline was inserted. I tried deleting the wrap points (which ends up deleting the character before the wrap) but everything is on one line.

              It would be nice to know where this key is stored so that it can be verified without all the GUI decorations (wrappings).

              Since my requirement for passwordless entry is now gone, I'll just drop the problem. Thanks for your help.

                johnpoz LAYER 8 Global Moderator @wdtj
                last edited by johnpoz Aug 18, 2022, 2:21 PM (posted Aug 18, 2022, 2:19 PM)

                @wdtj might be a stupid question, but you don't have it set to require both, do you?

                [screenshot: ssh.jpg]

                Where/what are you creating the key pair with?

                What client are you trying to access with? With ssh you can up the verbosity and might get some clue to what is going on: -vvv vs just -v in the openssh client, for example.

                  dotdash @johnpoz
                  last edited by Aug 18, 2022, 2:24 PM

                  The file is in /home/username/.ssh
                  Verify the user owns the .ssh directory and the authorized_keys file within.

                    johnpoz LAYER 8 Global Moderator @dotdash
                    last edited by Aug 18, 2022, 2:27 PM

                    @dotdash I hear ya, and it is a valid check - just curious how that would get borked if he just used the gui. Now if he was manually editing those files, sure.

                      jimp Rebel Alliance Developer Netgate
                      last edited by Aug 18, 2022, 2:56 PM

                      The PAM error is usually from it just not matching the key. Either because the correct key isn't present, or what's in the file isn't valid.

                      The keys are on disk on the firewall in the expected location for a user. If you log in with a password they would be in ~/.ssh/authorized_keys. If you log in as admin or root, then use ~<username>/.ssh/authorized_keys, or look under /home/<username>/.ssh/authorized_keys.

                      The firewall will manage the content of that file and its permissions so those are not likely to be concerns.

                      These issues almost always boil down to a problem with the formatting of the key: either line breaks in the key, extraneous whitespace, or the wrong string pasted in (for example, we've seen people paste in the fingerprint, not the public key).

                      There is also a slight chance that ssh-keygen in Cygwin is generating a bad key somehow. Using a more modern format like ssh-keygen -t ed25519 may help instead of using RSA format.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.