#1
04-06-2020, 10:58 PM
etalkishere
Registered User
Join Date: Sep 2015
Posts: 12
Public key ssh into a Debian container fails for non-root user

Hi,

I have a Debian Linux 10 container (the Docker host is Oracle Linux 7), which is set up for public key authentication. I couldn't figure out why it's not working for non-root users (i.e., abc). I got it working for the root user. So frustrating, since I already tried so many ways from googling. Here is the current setting, and the SecureCRT trace log. Again, the abc user is within the container. I also got public key authentication working for the non-root user 123 on the Docker host itself, along with root. So, not sure what's causing the issue. Somehow, the /home/abc/.ssh/authorized_keys file isn't read correctly. I also got the .ssh and .ssh/authorized_keys permissions correct with chmod 700 (I also tried 744), and .ssh and .ssh/authorized_keys are owned by the abc user. I also checked very carefully the keys in the authorized_keys files; the public key (opened in Notepad, copied, then pasted into the container's authorized_keys file) matched. Can you help? I ran out of ideas.

Thank you.

Peter

- /etc/ssh/sshd_config

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
UsePAM no
AuthorizedKeysFile .ssh/authorized_keys /home/abc/.ssh/authorized_keys

- trace log for user abc (not working). Only the log difference (from the root's trace) is shown

[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): ...]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-2 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-1 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (MD5 hash): ]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]
[LOCAL] : SEND: Disconnect packet: The user canceled authentication.
[LOCAL] : Changing state from STATE_CONNECTION to STATE_SEND_DISCONNECT
[LOCAL] : Changing state from STATE_SEND_DISCONNECT to STATE_CLOSED
[LOCAL] : Connected for 3 seconds, 2698 bytes sent, 2233 bytes received


- trace log for user root (working). Only the log difference (from the user abc's trace) is shown

[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - signed,May 2000 Standard]
[LOCAL] : RECV : AUTH_SUCCESS
[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
[FROM REMOTE] : /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
[FROM REMOTE] : /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
[LOCAL] : SEND[0]: Pty Request (rows: 68, cols: 189)
[LOCAL] : RECV[0]: pty request succeeded
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded

- the rest of the trace log, which is the same for root and the abc user. This is the first part of the trace log, followed by the root/abc trace shown above.

[LOCAL] : SSH2Core version 8.1.0.1362
[LOCAL] : Connecting to xyz:220 ...
[LOCAL] : Resolved hostname to x.x.x.x:220
SecureCRT - Version 8.1.2 (x64 build 1362)
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@xyz
[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@xyz
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@xyz
[LOCAL] : SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos (Group Exchange)] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@xyz
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
[LOCAL] : Selected Kex Method = ecdh-sha2-nistp521
[LOCAL] : Available Remote Host Key Algos = rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = chacha20-poly1305@openssh.com,aes128...cm@openssh.com
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = chacha20-poly1305@openssh.com,aes128...cm@openssh.com
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[LOCAL] : Selected Recv Mac = hmac-sha2-512
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : SSH_MSG_KEX_ECDH_INIT
[LOCAL] : RECV : SSH_MSG_KEX_ECDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey (SHA-2 hash): ...
[LOCAL] : RECV: Remote Hostkey (SHA-1 hash): ...
[LOCAL] : RECV: Remote Hostkey (MD5 hash): ...
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): ...]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-2 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-1 hash): ...]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (MD5 hash): ...]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]
[LOCAL] : SEND: Disconnect packet: The user canceled authentication.
[LOCAL] : Changing state from STATE_CONNECTION to STATE_SEND_DISCONNECT
[LOCAL] : Changing state from STATE_SEND_DISCONNECT to STATE_CLOSED
[LOCAL] : Connected for 3 seconds, 2698 bytes sent, 2233 bytes received

[LOCAL] : Stream has closed [CLOSE_TYPE_NO_AUTO_RECONNECT] : The user canceled authentication.

Last edited by etalkishere; 04-07-2020 at 07:59 AM.
#2
04-07-2020, 09:43 AM
bgagnon
VanDyke Technical Support
Join Date: Oct 2008
Posts: 4,312
Hi Peter,

With all the fingerprints redacted I cannot tell how many different keys we are working with here. Fingerprints are not sensitive data, by the way.

But any time you don't get a line that indicates "signed" in Trace Options output, then the key was not matched on the remote. Period.

So it sounds like you have verified it, but for user abc, has a copy of the public key file that matches the key file they are using (in SecureCRT) been appended to the user's authorized_keys file?

What is indicated in the remote server debug logs?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#3
04-07-2020, 03:24 PM
etalkishere
Registered User
Join Date: Sep 2015
Posts: 12
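The rule Brenda gives above (no "signed" USERAUTH_REQUEST line means the server never accepted any offered key) can be applied mechanically to a SecureCRT trace. The following is an added example written for this thread, not VanDyke code: it scans Trace Options output, collapses the three per-hash probe lines for each key into one offered key, and reports whether a key was accepted. The sample log lines are constructed from the excerpts posted above.

```python
"""Classify a public-key authentication attempt from a SecureCRT Trace Options log.

The "unsigned" USERAUTH_REQUEST lines are the client asking the server whether
it knows a key; the server only answers PK_OK for a key present in the user's
authorized_keys, and only then does the client send the "signed" request.
So: no "signed" line => no offered key matched on the server.
"""
import re
from dataclasses import dataclass, field

# Captures the algorithm and the comma-separated flags SecureCRT prints, e.g.
#   [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-2 hash): ...]
USERAUTH_RE = re.compile(
    r"SENT : USERAUTH_REQUEST \[publickey \((?P<algo>[^)]+)\) - (?P<flags>[^\]]*)\]"
)


@dataclass
class AuthSummary:
    offered: list = field(default_factory=list)  # (algorithm, offered_via_agent) per distinct probe
    signed: bool = False                         # server accepted a key (client sent a signed request)
    success: bool = False                        # AUTH_SUCCESS seen
    failures: int = 0                            # USERAUTH_FAILURE lines seen
    server_key_notes: list = field(default_factory=list)  # "[FROM REMOTE]" authorized_keys hints

    @property
    def verdict(self) -> str:
        if self.success:
            return "public key accepted"
        if self.offered and not self.signed:
            return "no offered key matched authorized_keys on the server"
        if not self.offered:
            return "client never offered a public key"
        return "key matched but authentication did not complete"


def summarize_trace(lines):
    """Walk trace lines in order and return an AuthSummary."""
    summary = AuthSummary()
    seen_probes = set()
    for line in lines:
        m = USERAUTH_RE.search(line)
        if m:
            flags = [f.strip() for f in m.group("flags").split(",")]
            if "signed" in flags:
                summary.signed = True
                continue
            # SecureCRT logs the same probe three times (SHA-2, SHA-1, MD5
            # fingerprint); treat them as one offered key.
            probe = (m.group("algo"), "agent" in flags)
            if probe not in seen_probes:
                seen_probes.add(probe)
                summary.offered.append(probe)
        elif "USERAUTH_FAILURE" in line:
            summary.failures += 1
        elif "AUTH_SUCCESS" in line:
            summary.success = True
        elif "[FROM REMOTE]" in line and "authorized_keys" in line:
            summary.server_key_notes.append(line.split(": ", 1)[1])
    return summary


# Constructed from the failing (user abc) trace in the thread.
FAILING_TRACE = [
    "[LOCAL] : SENT : USERAUTH_REQUEST [none]",
    "[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): ...]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): ...]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): ...]",
    "[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-2 hash): ...]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-1 hash): ...]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (MD5 hash): ...]",
    "[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]",
    "[LOCAL] : SEND: Disconnect packet: The user canceled authentication.",
]

# Constructed from the working (root) trace in the thread.
WORKING_TRACE = [
    "[LOCAL] : SENT : USERAUTH_REQUEST [none]",
    "[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): ...]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): ...]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): ...]",
    "[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - signed,May 2000 Standard]",
    "[LOCAL] : RECV : AUTH_SUCCESS",
    "[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')",
    "[FROM REMOTE] : /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding",
]

if __name__ == "__main__":
    for name, trace in (("abc", FAILING_TRACE), ("root", WORKING_TRACE)):
        s = summarize_trace(trace)
        print(f"{name}: offered={s.offered} signed={s.signed} -> {s.verdict}")
```

The client-side verdict only tells you that the server declined the key; why it declined (file not found, permissions, a Match block, a mismatched key) is only visible in the sshd log on the server, which is the point of the request for server-side logs.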
Thanks Brenda. Guess what, I got it fixed by accident!

So I was desperate, pretty much exhausted trying all options, but still didn't get it to work. So I gave up last night and resorted to password authentication for the abc user, using the following setting in the sshd_config.

# Example of overriding settings on a per-user basis
Match User abc
PasswordAuthentication yes
PubkeyAuthentication no

Then a voice told me to try disabling (uncomment) those settings and it just worked! Weirdest and most painful issue I've ever had, but so happy now!

Do you think it's a Debian 10 bug, or SecureCRT's bug?

Peter
#4
04-07-2020, 03:45 PM
bgagnon
VanDyke Technical Support
Join Date: Oct 2008
Posts: 4,312
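The Match block quoted in this post explains the symptom without any bug: in sshd_config, keywords inside a Match block override the global values for connections the block matches, so "Match User abc" with "PubkeyAuthentication no" turns public-key authentication off for abc alone while root keeps the global "yes". The following added example (written for this thread, not OpenSSH code) re-implements just the two sshd_config(5) rules involved: first value wins within a section, Match values override global ones, and AuthorizedKeysFile entries are taken relative to the user's home unless absolute, with %h, %u and %% expanded. Assumptions: only "Match all" and "Match User" criteria are evaluated (Group, Host, Address and the rest are treated as not matching), and fnmatch stands in for sshd's own pattern matcher. The config text is constructed from the two excerpts in this thread. It also makes visible a side effect of the original AuthorizedKeysFile line: an absolute path with no %u or %h token is consulted for every user, so /home/abc/.ssh/authorized_keys is read for root logins as well.

```python
"""Compute the sshd settings that apply to one user, honouring Match User blocks,
and expand AuthorizedKeysFile the way sshd_config(5) describes.

Scope (assumptions of this example): Match criteria other than 'all' and
'User' never match; patterns use fnmatch rather than sshd's matcher.
"""
import fnmatch
import posixpath
import re

# Default when AuthorizedKeysFile is not set (sshd_config(5)).
OPENSSH_DEFAULT_AUTHORIZED_KEYS = ".ssh/authorized_keys .ssh/authorized_keys2"


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords lower-cased, first value wins per section."""
    global_opts, match_blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Keyword value" or "Keyword=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = dict(zip((t.lower() for t in tokens[0::2]), tokens[1::2]))
            if tokens and tokens[0].lower() == "all":
                criteria = {"all": ""}
            block = {"criteria": criteria, "opts": {}}
            match_blocks.append(block)
            current = block["opts"]  # following keywords belong to this block
        else:
            current.setdefault(keyword, value)
    return global_opts, match_blocks


def block_matches(criteria, user):
    """Evaluate a Match block for a user name; unknown criteria never match (assumption)."""
    if "all" in criteria:
        return True
    for crit, pattern in criteria.items():
        if crit != "user":
            return False
        if not any(fnmatch.fnmatchcase(user, p) for p in pattern.split(",")):
            return False
    return bool(criteria)


def effective_settings(text, user):
    """Matching blocks override globals; among several matching blocks the first value wins."""
    global_opts, match_blocks = parse_sshd_config(text)
    eff = {}
    for block in match_blocks:
        if block_matches(block["criteria"], user):
            for k, v in block["opts"].items():
                eff.setdefault(k, v)
    for k, v in global_opts.items():
        eff.setdefault(k, v)
    return eff


def authorized_keys_paths(text, user, home):
    """Expand the effective AuthorizedKeysFile list for a user into absolute paths."""
    raw = effective_settings(text, user).get("authorizedkeysfile", OPENSSH_DEFAULT_AUTHORIZED_KEYS)
    if raw.lower() == "none":
        return []
    paths = []
    for entry in raw.split():
        # Protect a literal %% before expanding %h and %u, then restore it.
        expanded = (entry.replace("%%", "\0").replace("%h", home)
                    .replace("%u", user).replace("\0", "%"))
        if not posixpath.isabs(expanded):
            expanded = posixpath.join(home, expanded)  # relative to the user's home
        paths.append(expanded)
    return paths


# Constructed from the two sshd_config excerpts in the thread.
CONFIG_WITH_MATCH = """
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin yes
UsePAM no
AuthorizedKeysFile .ssh/authorized_keys /home/abc/.ssh/authorized_keys

# Example of overriding settings on a per-user basis
Match User abc
PasswordAuthentication yes
PubkeyAuthentication no
"""

# Same file with the Match block commented out, as in the poster's fix.
CONFIG_MATCH_COMMENTED = CONFIG_WITH_MATCH.replace("\nMatch User abc", "\n#Match User abc") \
    .replace("\nPasswordAuthentication yes", "\n#PasswordAuthentication yes") \
    .replace("\nPubkeyAuthentication no", "\n#PubkeyAuthentication no")

if __name__ == "__main__":
    for user, home in (("abc", "/home/abc"), ("root", "/root")):
        eff = effective_settings(CONFIG_WITH_MATCH, user)
        print(user, "PubkeyAuthentication =", eff["pubkeyauthentication"],
              "| authorized_keys read:", authorized_keys_paths(CONFIG_WITH_MATCH, user, home))
    print("abc after commenting out Match:",
          effective_settings(CONFIG_MATCH_COMMENTED, "abc")["pubkeyauthentication"])
```

On a real host the same check is available without any script: `sshd -T -C user=abc,host=HOST,addr=ADDR` prints the configuration sshd would apply to that connection after Match processing.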
Hi Peter,

That is strange, but I am glad to hear of your success. I can't see how it can be a bug in SecureCRT since you didn't change anything in the client to get it working.

Did you ever look at the server logs?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#5
04-07-2020, 04:55 PM
etalkishere
Registered User
Join Date: Sep 2015
Posts: 12
Unfortunately, I lost the logs on the docker host.