Scenario-1 :
We have two VMs, a Linux client (RHEL8) and Remote Server-1 (Ubuntu22). SSH keys were generated under the naveen user on RHEL8, but when you try to SSH to the remote server it asks for a password.
| Client/Server | VM Name | IP Address | UserName-1 | UserName-2 | UserName-3 |
| Linux Client | RHEL | 10.10.0.5 | naveen | | |
| Remote server-1 | Ubuntu22 | 10.10.0.8 | naveen | kumar | root |
When we try to access the VM as the root user from the Linux client, it asks for a password. In that case we can enable debug mode with the -v option and check where it is being blocked.
In this case we can give the path of the SSH private key with the -i option.
The keys exist at /home/naveen/.ssh/id_rsa. Pass that path to the -i option and we are able to log in with key-based authentication.
[root@RHEL8 ~]# ssh -i /home/naveen/.ssh/id_rsa naveen@10.10.0.8 -v
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to 10.10.0.8 [10.10.0.8] port 22.
debug1: Connection established.
debug1: identity file /home/naveen/.ssh/id_rsa type 0
debug1: identity file /home/naveen/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/naveen/.ssh/id_rsa RSA SHA256:OqvmpB/mjq1fmkUnYVRyY9Bbsmb0+TMzX7DvdPaOFAg explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/naveen/.ssh/id_rsa RSA SHA256:OqvmpB/mjq1fmkUnYVRyY9Bbsmb0+TMzX7DvdPaOFAg explicit
debug1: Server accepts key: /home/naveen/.ssh/id_rsa RSA SHA256:OqvmpB/mjq1fmkUnYVRyY9Bbsmb0+TMzX7DvdPaOFAg explicit
debug1: Authentication succeeded (publickey).
Authenticated to 10.10.0.8 ([10.10.0.8]:22).
Scenario-2 :
When you try to SSH to the remote server, it asks for a password because of wrong ownership of the .ssh directory on the remote server.
We enabled debug mode with the -vvv option, found the logs below, and observed that the client was unable to send the packet.
[root@RHEL8 ~]# ssh -i /home/naveen/.ssh/id_rsa kumar@10.10.0.8 -vvv
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/naveen/.ssh/id_rsa RSA SHA256:OqvmpB/mjq1fmkUnYVRyY9Bbsmb0+TMzX7DvdPaOFAg explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
kumar@10.10.0.8's password:
We changed the ownership of the .ssh directory on the remote server to kumar:kumar and were then able to access it over SSH without any issue.
[root@RHEL8 ~]# ssh -i /home/naveen/.ssh/id_rsa kumar@10.10.0.8 -vvv
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-1018-azure x86_64)
Scenario-3 :
When you try to SSH to the remote server, it asks for a password because of wrong file permissions on /home/kumar/.ssh/authorized_keys on the remote server.
I changed the file permission of authorized_keys to 777 and got the errors below.
root@ubuntu22:/home/kumar/.ssh# ls -lrt /home/kumar/.ssh/authorized_keys
-rwxrwxrwx 1 kumar kumar 566 Dec 24 14:06 /home/kumar/.ssh/authorized_keys
[root@RHEL8 ~]# ssh -i /home/naveen/.ssh/id_rsa kumar@10.10.0.8 -vvv
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/naveen/.ssh/id_rsa RSA SHA256:OqvmpB/mjq1fmkUnYVRyY9Bbsmb0+TMzX7DvdPaOFAg explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
kumar@10.10.0.8's password:
Solution : The file /home/kumar/.ssh/authorized_keys should have 600 permissions. We changed it to the correct permission, tried to log in again, and were able to access the server without any issue.
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-1018-azure x86_64)
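The ownership and permission problems from Scenario-2 and Scenario-3 can be checked on the remote server before retrying the login. The script below is an added example, not part of the original post; the function name audit_ssh_perms is hypothetical, it assumes GNU stat, and it flags any of the three paths that is not owned by the account or is group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the original post).
# The client's -vvv log only shows the key being refused
# ("receive packet: type 51"); the cause is on the server side,
# so these checks are run on the remote server.

# audit_ssh_perms HOME_DIR UID
#   Prints one finding per problem and returns 1 if any were found.
audit_ssh_perms() {
    home=$1; want_uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        uid=$(stat -c %u "$p")     # numeric owner (GNU stat)
        mode=$(stat -c %a "$p")    # octal permission bits, e.g. 600
        # Scenario-2: path is not owned by the account logging in.
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $p uid=$uid expected=$want_uid"; rc=1
        fi
        # Scenario-3: group- or world-writable (any bit of octal 022 set).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE $p mode=$mode is group/world-writable"; rc=1
        fi
    done
    return $rc
}

# Usage on the remote server from the page:
#   audit_ssh_perms /home/kumar "$(id -u kumar)"
```

A clean result prints nothing and returns 0; the 777 file from Scenario-3 produces a MODE line for authorized_keys.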
Scenario-4 : Password authentication is disabled in the SSHD configuration file, but login with a password still works
If you have set PasswordAuthentication no in your SSH configuration but are still able to log in with a password, there could be several reasons why this is happening. Here are some possibilities and troubleshooting steps:
1. Configuration File Not Loaded
Check for Multiple Configuration Files: Ensure that there is no other SSH configuration file that might be overriding your settings. The primary configuration file is usually /etc/ssh/sshd_config, but sometimes additional configurations can be included from other files.
2. Verify Configuration: Use sshd to verify the active configuration:
sshd -T | grep -i authentication
root@ubuntu22:~# cat /etc/ssh/sshd_config | grep -i authentication | grep -v "#"
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
root@ubuntu22:~#
I have set PasswordAuthentication no in /etc/ssh/sshd_config, but I am still able to log in with a password.
Verify the active configuration:
root@ubuntu22:~# sshd -T | grep -i authentication
hostbasedauthentication no
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication no
passwordauthentication yes <== Here it is showing yes, how come?
kbdinteractiveauthentication no
authenticationmethods any
root@ubuntu22:~#
Check for Overrides: In some cases, there might be command-line options or other configuration management systems (like cloud-init) that override your settings. Ensure that no such overrides are in place.
root@ubuntu22:~# cat /etc/ssh/sshd_config | grep -i include
Include /etc/ssh/sshd_config.d/*.conf
root@ubuntu22:~#
root@ubuntu22:~# cd /etc/ssh/sshd_config.d/
root@ubuntu22:/etc/ssh/sshd_config.d# ls
50-cloud-init.conf 50-cloudimg-settings.conf 60-cloudimg-settings.conf
root@ubuntu22:/etc/ssh/sshd_config.d# grep -i PasswordAuthentication *
50-cloud-init.conf:PasswordAuthentication yes
60-cloudimg-settings.conf:PasswordAuthentication no
root@ubuntu22:/etc/ssh/sshd_config.d#
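We can see that there is an additional override file, 50-cloud-init.conf, in which PasswordAuthentication is set to yes.
That is the reason we are able to SSH with a password even though PasswordAuthentication is set to no in the sshd config file. sshd uses the first value it obtains for each keyword and reads the files matched by Include in lexical order, so the yes in 50-cloud-init.conf is read before the no in 60-cloudimg-settings.conf and, when the Include line sits above the PasswordAuthentication line in sshd_config, before that one as well.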
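To see which file supplies the value that sshd actually uses, the script below walks a config file and its Include drop-ins in read order and lists every occurrence of a keyword. It is an added example, not part of the original post: the function names and the sample tree are constructed, and it assumes absolute Include paths, "Keyword value" syntax and no Match blocks, so sshd -T remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: absolute Include
# paths, "Keyword value" syntax, no Match blocks.

# _walk KEYWORD FILE: print "file:value" for each hit, in sshd's read order.
_walk() {
    while read -r key rest || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$lkey" = include ]; then
            # Unquoted on purpose: the shell expands the glob in sorted order,
            # like the lexical order in which sshd processes Include matches.
            for f in $rest; do
                if [ -f "$f" ]; then _walk "$1" "$f"; fi
            done
        elif [ "$lkey" = "$1" ]; then
            echo "$2:$rest"
        fi
    done < "$2"
    return 0
}

list_settings() {      # every occurrence; the first line is the one sshd uses
    _walk "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

effective_setting() {  # first obtained value wins
    list_settings "$1" "$2" | sed -n 1p
}

# Constructed sample mirroring the file names and values shown on the page.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPubkeyAuthentication yes\nPasswordAuthentication no\n' "$1" > "$1/sshd_config"
    echo 'PasswordAuthentication yes' > "$1/sshd_config.d/50-cloud-init.conf"
    echo '# constructed placeholder'  > "$1/sshd_config.d/50-cloudimg-settings.conf"
    echo 'PasswordAuthentication no'  > "$1/sshd_config.d/60-cloudimg-settings.conf"
}

# Demo on the constructed tree; on a real host pass /etc/ssh/sshd_config.
d=$(mktemp -d) && make_sample "$d"
list_settings PasswordAuthentication "$d/sshd_config"
rm -rf "$d"
```

The first line printed names 50-cloud-init.conf with the value yes; the later no entries are shadowed by it.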