Remote ssh connection not working with Solaris 11.4.29 with "-o PreferredAuthentications=password" argument, while the same works fine without it.
ssh -2 -vvv -l - works
ssh -2 -vvv -l -o PreferredAuthentications=password - doesn't work
From any Linux server when below command is executed to remote Solaris 11.4.29 :
ssh -2 -vvv -l -o PreferredAuthentications=password - doesn't work
Verbose messages -
debug1: PAM: setting PAM_TTY to "ssh"
debug1: PAM: password authentication failed for : Authentication failed
I want to write an Ansible playbook (using Ansible 2.7.5) that will jump through two hosts before reaching the intended server to do things such as install docker and python, etc.
I'm able to get Ansible to jump through one host into server1 by adding this to my hosts file:
[server1:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion"'
I have also updated my ~/.ssh/config file:
Host bastion
Hostname YY.YY.YY.YY
User user
IdentityFile ~/.ssh/bastion_private_key
Host server1
Hostname XX.XX.XX.XX
User user
IdentityFile ~/.ssh/private_key
ProxyJump bastion
However, I now also need to do this through two hosts. I've added the following to ~/.ssh/config:
Host server2
Hostname ZZ.ZZ.ZZ.ZZ
User user
IdentityFile ~/.ssh/private_key_3
ProxyJump server1
This allows me to type ssh server2 and open a shell inside server2. So that seems to be working.
But, I do not know how to change the hosts file to jump through both of these hosts. I've tried:
ansible_ssh_common_args='-o ProxyCommand="ssh -J bastion,server1"'
and
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion ssh -W %h:%p -q server1"'
Neither work, and both result in a timeout. What should I do to make Ansible jump through bastion and then server1 so that it can reach server2?
This is the result when I run -vvvv (with some path and names obfuscated):
ansible-playbook 2.7.5
config file = /path/to/dir/ansible.cfg
configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0]
Using /path/to/dir/ansible.cfg as config file
setting up inventory plugins
/path/to/dir/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
/path/to/dir/hosts did not meet script requirements, check plugin documentation if this is unexpected
/path/to/dir/hosts inventory source with ini plugin
[WARNING]: Found both group and host with same name: server2
statically imported: /path/to/dir/tasks/ansible.yml
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
PLAYBOOK: enable-ansible.yml *********************************************************************************************************************************
1 plays in enable-ansible.yml
PLAY [server2] ****************************************************************************************************************************************
TASK [Gathering Facts] ***************************************************************************************************************************************
task path: /path/to/dir/enable-ansible.yml:2
<server2> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<server2> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o 'ProxyCommand=ssh -W %h:%p -q bastion ssh -W %h:%p -q server1' -o ControlPath=/home/user/.ansible/cp/460e3f86d3 server2 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1546192323.33-48994637286535 `" && echo ansible-tmp-1546192323.33-48994637286535="` echo /tmp/ansible-tmp-1546192323.33-48994637286535 `" ) && sleep 0'"'"''
<server2> (255, '', 'OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n 7 Dec 2017\r\ndebug1: Reading configuration data /home/user/.ssh/config\r\ndebug1: /home/user/.ssh/config line 70: Applying options for server2\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/home/user/.ansible/cp/460e3f86d3" does not exist\r\ndebug1: Executing proxy command: exec ssh -W SERVER2_IP_ADDRESS:22 -q bastion ssh -W SERVER2_IP_ADDRESS:22 -q server1\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion-cert type -1\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1\r\ndebug1: permanently_drop_suid: 1000\r\nConnection timed out during banner exchange\r\n')
fatal: [server2]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n 7 Dec 2017\r\ndebug1: Reading configuration data /home/user/.ssh/config\r\ndebug1: /home/user/.ssh/config line 70: Applying options for server2\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/home/user/.ansible/cp/460e3f86d3\" does not exist\r\ndebug1: Executing proxy command: exec ssh -W SERVER2_IP_ADDRESS:22 -q bastion ssh -W SERVER2_IP_ADDRESS:22 -q server1\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/user/.ssh/bastion-cert type -1\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1\r\ndebug1: permanently_drop_suid: 1000\r\nConnection timed out during banner exchange\r\n",
"unreachable": true
}
to retry, use: --limit #/home/user/Documents/repos/cloud-devops/enable-ansible.retry
PLAY RECAP ***************************************************************************************************************************************************
server2 : ok=0 changed=0 unreachable=1 failed=0
For some added context, this playbook is logging into the remote server as a non-root account and creating the ansible user in it. And to reiterate, this playbook works when I am only jumping through one host.
Just use
ansible_ssh_common_args='-J bastion,server1'
My problem is the following. I wish to configure the .ssh/config as such, that when I write
ssh exampleX
It is the same as if I wrote
ssh -i /path/to/key.pem user#address
Note that the above command works.
Following the answers here I tried to create the file as
Host exampleX
HostName address
User user
IdentityFile /path/to/key.pem
Taken from
ssh -i /path/to/key.pem user#address
Yet when I run
ssh exampleX
I get the error
ssh: Could not resolve hostname exampleX: Name or service not known
But if I manually run the command
ssh -i /path/to/key.pem user#address
everything works. Where am I making the mistake in creating the file?
Edit
If I run
sudo ssh exampleX -v
I get the output
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
ssh: Could not resolve hostname exampleX: Name or service not known
but if I run it without sudo i get a longer stream, that ends with
debug1: Authentications that can continue: publickey
debug1: Trying private key: /path/to/key.pem
Load key "/path/to/key.pem": Permission denied
debug1: No more authentication methods to try.
Permission denied (publickey).
Edit 2
Due to some confusion , I restate my question
What does the config file has to look like, so that running
ssh exampleX
will work the same as running
ssh -i /path/to/key.pem user#address
When you run your command through sudo, you are using the .ssh/config file that corresponds to the user that sudo runs as. If you really need to run this ssh command as root, you need the configuration added to ~root/.ssh/config instead of ~/.ssh/config.
If possible, run your ssh as a normal user, not as root.
(Since the question was edited, I edited accordingly my answer)
Check the permissions of the file ~/.ssh/config: it must have strict permissions: read/write for the user, and not accessible by others, as explained in the man page.
Check also you have read access (as a user) to the file /path/to/key.pem. The debug option you used with ssh suggests you don't have.
I have tried to setup public key connection between AIX to AIX and that's working and I am facing problem while I setup same public key connection between AIX and DataPower appliance.
I could see in logs that's connection established but while using public I am not able to login and everytime expecting to enter password manually.
Can someone please help on this?
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ./***_rsa.pub
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
There are many, many reasons why client-side debugging (ssh -vvv ...) shows:
debug2: we did not send a packet, disable method
Many of these are listed in the answers to SSH public key won't send to server on Unix & Linux, but, unfortunately, the client does not give any indication as to which one applies.
When I was struggling with this, my main problem was getting server-side logging/debugging to show. Of great help was the following (paraphrased) suggestion taken from Ciro Santilli 冠状病毒审查六四事件法轮功's answer to How to check sshd log? on ServerFault:
Start a new SSH Server instance on a new port in debug mode with:
/usr/sbin/sshd -d -p 2222
then connect to it from the client with:
ssh -p 2222 user#host
If you have sudo access to the destination server, check the SSH logs (/var/log/secure), it may give you some clue. For my case it was a bad permission on the home directory.
chmod g-w /home/user
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
Reference: https://chemicloud.com/kb/article/ssh-authentication-refused-bad-ownership-or-modes-for-directory/
I solved the same problem
(when I checked in my system there is .ssh/authorized_keys : the filename was wrong)
this way:
cp -p .ssh/authorised_keys .ssh/authorized_keys
Check the ssh configuration on remote server to find if remote system is accepting type of key being passed.
Check the file /etc/ssh/sshd_config and look for property PubkeyAcceptedKeyTypes to confirm that it accepts key type being passed. For instance, here the key type seems to be ssh-rsa, so that should be added to the list of PubkeyAcceptedKeyTypes
(or for maximium compatibility PubkeyAcceptedKeyTypes *)
Once added, restart sshd daemon
EX:
sudo sed -i "/.*PubkeyAcceptedKeyTypes.*/d" /etc/ssh/sshd_config
sudo sed -i "/.*RSAAuthentication.*/d" /etc/ssh/sshd_config
sudo sed -i "/.*PubkeyAuthentication.*/d" /etc/ssh/sshd_config
sudo sed -i "/.*PasswordAuthentication.*/d" /etc/ssh/sshd_config
sudo sed -i "/.*PermitRootLogin.*/d" /etc/ssh/sshd_config
echo "PubkeyAcceptedKeyTypes *" | sudo tee -a /etc/ssh/sshd_config
echo "RSAAuthentication yes" | sudo tee -a /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" | sudo tee -a /etc/ssh/sshd_config
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl restart sshd.service
sudo systemctl status sshd.service | grep -i success
Refer to this answer SSH public key won't send to server.
In your log
Offering RSA public key: ./***_rsa.pub
...
we did not send a packet, disable method
It means that the client didn't send the key file. So make sure the key file exists.
Check the key file is in your local path
Make sure the public key content is copied into ~/.ssh/authorized_keys in remote server.
I've just had the same problem. Two raspberry Pis on my local network - one connected, one didn't (with the 'debug2: we did not send a packet, disable method' error)
after 4 hours I found the problem
Being used to uk spelling I created the 'authorised_users' file not 'authorized_users'
Doh !!
So what happened for me is that I have 2 VMs to access from my local machine (2 keys id_rsa.pub and id_rsa2.pub). I realized that my ssh connection is using id_rsa.pub by default for any ssh user#xx.xx.xx.xx connection. I solved my issue by adding a config file and specify the identity to be used for every host like the following :
vi ~/.ssh/config
Add both hostnames and their identity file as follows:
Host server1.nixcraft.com
IdentityFile ~/Users/.ssh/id_rsa1
Host server2.nixcraft.com
IdentityFile ~/Users/.ssh/id_rsa2
This happened to me and, after several hours banging my head against the wall, I realized there was a typo in the public key file. Instead of beginning with
ssh-rsa
there was a + sign at the beginning:
+ssh-rsa
I know it's obvious in retrospect, but it doesn't hurt to double check your file.
It looks like there can be a lot of things causing this problem. In my case I forgot to specified the User name in my ~/.ssh/config file. Apparently, it depends on your current login name.
Host dev
HostName 1.2.3.4
IdentityFile ~/.ssh/id_rsa
User John
This can happen if in your /etc/ssh/sshd_config you have the following entry
PubkeyAcceptedKeyTypes=+ssh-dss
as opposed to
PubkeyAcceptedKeyTypes +ssh-dss #this is the correct entry
After updating this, be sure to issue a
sudo systemctl restart sshd #Ubuntu
Think about selinux, if is enabled,do:
# sudo ausearch -c "sshd" --raw | audit2allow -M my-sshd
# sudo semodule -i my-sshd.pp
I checked and tried every instruction given here and after several hours of troubleshooting, I noticed the SSH server (which is my router) does not have a support for ed25519. Dropbear was spamming the following log: Pubkey auth attempt with unknown algo...
Using an RSA type fixed my issue.
Just for those who have the log "we did not send a packet, disable method" when trying to use a public key.
Check your sshd_config file on the remote server and force "PubkeyAuthentication" to "yes", even if it should be "yes" by default.
For me it solved my connection problem.
In my case the private key must have been added to the agent with:
ssh-add ~/.ssh/private_id_rsa
I'm unsuccessfully trying to use SSH ProxyCommand to connect to a server via a jump box. My config is below, I'm running this command:
ssh 10.0.2.54 -F ssh.config -vv
Host x.x.x.x
User ec2-user
HostName x.x.x.x
ProxyCommand none
IdentityFile /Users/me/.ssh/keys.pem
BatchMode yes
PasswordAuthentication no
Host *
ServerAliveInterval 60
TCPKeepAlive yes
ProxyCommand ssh -W %h:%p -q ec2-user#x.x.x.x
ControlMaster auto
ControlPersist 8h
User ec2-user
IdentityFile /Users/me/.ssh/keys.pem
The result is:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data ssh.config
debug1: ssh.config line 9: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/me/.ssh/mux-ec2-user#10.0.2.54:22" does not exist
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec ssh -W 10.0.2.54:22 -q ec2-user#x.x.x.x
debug1: identity file /Users/me/.ssh/keys.pem type -1
debug1: identity file /Users/me/.ssh/keys.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: permanently_drop_suid: 501
How can I get this to work/troubleshoot the issue?
Thanks,
ControlPersist in combination with ProxyCommand is not effective and you miss ControlPath option. But it is not a problem here.
First of all, if you are using non-standard config file and you want it to be used even by the proxy command, you need to specify it even there. The -q option makes the connection quiet so you have no idea what is going on under the hood of the proxy command. LogLevel DEBUG3 option is quite useful.
This line:
ProxyCommand ssh -W %h:%p -q ec2-user#x.x.x.x
needs to be (and you don't need the username as it is already specified above):
ProxyCommand ssh -W %h:%p -F ssh.config x.x.x.x
You have also wrong order of parameters in your command:
ssh 10.0.2.54 -F ssh.config -vv
needs to be:
ssh -F ssh.config 10.0.2.54
as you can read from manual page. And -vv is not needed if you use LogLevel option.
Then it should work for you (at least it did for me, otherwise investigate the log).