I have a playbook that is launched from AWX with machine credentials, i.e. with ssh_user_A. In this playbook, I need to perform a couple of tasks with another SSH user, i.e. ssh_user_B.
In terms of credentials, I have:
machine credentials for ssh_user_A that are OK, I can do whatever I need
a public/private keys couple for ssh_user_B:
the public key is present on the remote host in the ~ssh_user_B/.ssh/authorized_keys file
if I test this public/private key with temporary machine credentials (not possible in the final target) and a dummy playbook or an ad-hoc module call, it works, I can do whatever I need
I change the SSH user in the playbook with these instructions:
- name: Switch to ssh_user_B user
  ansible.builtin.set_fact:
    ansible_user: "ssh_user_B"
    ansible_ssh_pass: "{{ ssh_user_B_passphrase }}"
    ansible_ssh_private_key_file: "{{ file_that_contains_the_private_key }}"
  delegate_to: localhost
And the user change is triggered by a simple wait_for_connection:
- name: Just here to validate the user change
  ansible.builtin.wait_for_connection:
    timeout: 10
But unfortunately, the only thing that I get is a behavior that I do not understand:
with valid public/private keys, the task that is supposed to trigger the user change seems frozen at the first SSH connection attempt, nothing more happens, and nothing appears in the target remote host's SSH logs (in these logs, I have the connection for ssh_user_A, but absolutely nothing for the ssh_user_B one)
AWX output:
PLAYBOOK: test.yml *************************************************************
Positional arguments: test.yml
verbosity: 4
remote_user: ssh_user_A
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/tmp/awx_14019_pqypcw0i/tmpm_98ffss',)
subset: target_remote_host
extra_vars: ('#/tmp/awx_14019_pqypcw0i/tmp7493qmoq', '#/tmp/awx_14019_pqypcw0i/env/extravars')
forks: 5
1 plays in test.yml
Read vars_file './vars/main.yml'
Read vars_file './vars/main.yml'
Read vars_file './vars/main.yml'
PLAY [MultiUserTest] ***********************************************************
Read vars_file './vars/main.yml'
TASK [Gathering Facts] *********************************************************
task path: /tmp/awx_14019_pqypcw0i/project/test.yml:2
<target_remote_host> ESTABLISH SSH CONNECTION FOR USER: ssh_user_A
... Connection OK
TASK [Another task OK] ***************************************************
...
TASK [Task done on localhost] ********************
task path: /tmp/awx_14019_pqypcw0i/project/test.yml:57
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
... Connection OK
TASK [Another localhost task OK] ***************************************************
...
TASK [switch to ssh_user_B user] *****************************************************
task path: /tmp/awx_14019_pqypcw0i/project/test.yml:83
ok: [s4850ads -> localhost] => {
"ansible_facts": {
"ansible_ssh_pass": "dummy_passphrase",
"ansible_ssh_private_key_file": ".dummy_pk_random_name",
"ansible_user": "ssh_user_B"
},
"changed": false
}
Read vars_file './vars/main.yml'
TASK [Wait 300 seconds, but only start checking after 60 seconds] **************
task path: /tmp/awx_14019_pqypcw0i/project/test.yml:91
wait_for_connection: attempting ping module test
<target_remote_host> ESTABLISH SSH CONNECTION FOR USER: ssh_user_B
<target_remote_host> SSH: EXEC sshpass -d12 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile=".dummy_pk_random_name"' -o 'User="ssh_user_B"' -o ConnectTimeout=10 -o ControlPath=/tmp/awx_14019_pqypcw0i/cp/bc63f1e109 target_remote_host '/bin/sh -c '"'"'echo ~ssh_user_B && sleep 0'"'"''
... Here it's frozen, nothing more in the AWX output, nothing in the remote host SSH logs...
with invalid public/private keys (i.e. with additional characters, no LF at the end of the private key file, etc.), the task that is supposed to trigger the user change runs and ends in error. I can see that every SSH connection method is tested, and it ends in error:
TASK [switch to ssh_user_B user] *****************************************************
task path: /tmp/awx_14019_pqypcw0i/project/test.yml:83
ok: [s4850ads -> localhost] => {
"ansible_facts": {
"ansible_ssh_pass": "dummy_passphrase",
"ansible_ssh_private_key_file": ".dummy_pk_random_name",
"ansible_user": "ssh_user_B"
},
"changed": false
}
Read vars_file './vars/main.yml'
TASK [Wait 300 seconds, but only start checking after 60 seconds] **************
task path: /tmp/awx_14021_ypwngn_h/project/test.yml:91
wait_for_connection: attempting ping module test
<target_remote_host> ESTABLISH SSH CONNECTION FOR USER: ssh_user_B
<target_remote_host> SSH: EXEC sshpass -d12 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile=".dummy_pk_random_name"' -o 'User="ssh_user_B"' -o ConnectTimeout=10 -o ControlPath=/tmp/awx_14021_ypwngn_h/cp/bc63f1e109 target_remote_host '/bin/sh -c '"'"'echo ~ssh_user_B && sleep 0'"'"''
<target_remote_host> (5, b'', b'OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host target_remote_host originally target_remote_host
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug2: checking match for 'final all' host target_remote_host originally target_remote_host
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1]
debug1: auto-mux: Trying existing master
debug1: Control socket "/tmp/awx_14021_ypwngn_h/cp/bc63f1e109" does not exist
debug2: resolving "target_remote_host" port 22
debug2: ssh_connect_direct
debug1: Connecting to target_remote_host [<IP>] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 9984 ms remain after connect
debug1: identity file .dummy_pk_random_name type -1
debug1: identity file .dummy_pk_random_name-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to target_remote_host:22 as 'ssh_user_B'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from target_remote_host
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: zlib@openssh.com,zlib,none
debug2: compression stoc: zlib@openssh.com,zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: zlib@openssh.com
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YYY/ZZZ
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from target_remote_host
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from <IP>
debug1: Host 'target_remote_host' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /tmp/awx_14021_ypwngn_h/artifacts/14021/ssh_key_data RSA SHA256:XXX agent
debug1: Will attempt key: .dummy_pk_random_name explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
###################################################################
# SERVER MESSAGE. #
###################################################################
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/awx_14021_ypwngn_h/artifacts/14021/ssh_key_data RSA SHA256:XXX agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: .dummy_pk_random_name
Load key ".dummy_pk_random_name": invalid format
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
ssh_user_B@target_remote_host: Permission denied (publickey,password).
')
... Other SSH connection method attempt
I also see the connection attempts in the remote host SSH logs, they all look like this:
Feb 28 14:25:10 target_remote_host sshd[4108095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<IP> user=ssh_user_B
Feb 28 14:25:12 target_remote_host sshd[4108095]: Failed password for ssh_user_B from <IP> port 12345 ssh2
Feb 28 14:25:12 target_remote_host sshd[4108095]: Failed password for ssh_user_B from <IP> port 12345 ssh2
Feb 28 14:25:12 target_remote_host sshd[4108095]: Failed password for ssh_user_B from <IP> port 12345 ssh2
Feb 28 14:25:12 target_remote_host sshd[4108095]: Connection closed by authenticating user ssh_user_B <IP> port 12345 [preauth]
What I've checked/done/excluded:
as said previously, the public/private key pair is OK, tested through AWX with separate machine credentials
I've tested copying the private key file to the remote folder in order to check its content and see if it was well formed, and it is (here $ represents the LF):
-----BEGIN OPENSSH PRIVATE KEY-----$
...
-----END OPENSSH PRIVATE KEY-----$
I've created a new public/private key pair with a passphrase that only contains letters and digits, in order to exclude a problem from a special character in the passphrase (like a `), it does not change anything
If I do not provide a passphrase, I get a "no passphrase given" error from the remote host as expected
Regarding these elements, I assume that my SSH connection parameters are OK but something is blocking the playbook, but I really do not understand what... Any clue/help would be appreciated.
Note that I do not (and won't) have access on the host where AWX is installed and the playbook runs.
Part of the playbook that contain the credentials change:
- name: Main private key block
  block:
    - name: Creating temp filenames
      ansible.builtin.set_fact:
        filename_private_key: ".dummy_pk_random_name"
        # Just for testing purposes, target is a key in a Vault
        temp_copy_file: "./files/temp_pk_file.txt"
    - name: Sub part 1
      block:
        ##########
        - name: Creating container file for private key
          ansible.builtin.file:
            path: "{{ filename_private_key }}"
            state: touch
            mode: '600'
          changed_when: false
        - name: Putting private key into needed file
          ansible.builtin.copy:
            src: "{{ temp_copy_file }}"
            dest: "{{ filename_private_key }}"
            mode: '600'
          changed_when: false
        ##########
      delegate_to: localhost
    - name: Sub part 2
      block:
        ##########
        - name: Switch to ssh_user_B user
          ansible.builtin.set_fact:
            ansible_user: "ssh_user_B"
            # The passphrase comes from a Vault
            ansible_ssh_pass: "{{ ssh_user_B_passphrase }}"
            ansible_ssh_private_key_file: "{{ filename_private_key }}"
          delegate_to: localhost
        - name: Just here to validate the user change
          ansible.builtin.wait_for_connection:
            timeout: 10
        ##########
    ##########
  always:
    - name: Ensure private key is not present anymore
      ansible.builtin.file:
        path: "{{ filename_private_key }}"
        state: absent
      changed_when: false
      delegate_to: localhost
##########
I've made a lot of tests and found the problem: by default, to connect to the target hosts, Ansible uses the smart connection plugin. In my case, the smart plugin leads to the use of the native OpenSSH client.
Manually forcing the use of the paramiko connection plugin solves the problem, everything is OK (paramiko is a Python implementation of OpenSSH). Just need to add the instruction connection: paramiko at the needed level:
---
- name: MultiUserTest part 1
  hosts: all
  gather_facts: yes
  connection: paramiko
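An added example, mine and not part of the question or the answer above, that does the pre-flight check this thread spent its time on: reading the cleartext header of the OpenSSH private key file to tell whether it is passphrase-protected before a playbook hands it to a connection plugin, and rejecting a file that ssh would report as "invalid format". The reasoning behind connection_plugin_for() is my reading of the AWX output, not something the post states: the ssh connection plugin runs the OpenSSH client under sshpass, which by default only types ansible_ssh_pass at a prompt containing "assword"; an encrypted key makes ssh ask "Enter passphrase for key ..." instead, so that prompt is never answered and the task blocks with nothing reaching the server, exactly as in the first run. A corrupt key is skipped by ssh, which then falls through to password authentication, the prompt sshpass does answer, and sshpass exits with status 5 (incorrect password) once the prompt reappears, which is the (5, ...) result and the "Permission denied" in the second run. paramiko decrypts the key itself with the same password, which is why switching the plugin works. The function names, the sample key files and the dummy key payloads are all constructed here; the samples are not usable keys.

```python
import base64
import struct

# Layout of an OpenSSH private key file (PROTOCOL.key in the OpenSSH source):
# PEM armor around the base64 of
#   "openssh-key-v1\0" | string cipher | string kdf | string kdfoptions |
#   uint32 nkeys | string pubkey | string private-section
# where "string" is a big-endian uint32 length followed by the bytes.
# Everything before the private section is cleartext, so the cipher name
# says whether a passphrase will be demanded, without decrypting anything.
PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string starting at buf[off]."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def inspect_openssh_key(pem_text: str) -> dict:
    """Parse the cleartext header of an OpenSSH private key file.

    Returns cipher and KDF names, whether the private section is encrypted
    (a passphrase is required) and whether the file ends with a newline.
    Raises ValueError for anything that is not a well-formed openssh-key-v1
    file, which is the case ssh reports as "invalid format".
    """
    lines = [ln.strip() for ln in pem_text.splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH private key: bad PEM armor")
    try:
        blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError(f"bad base64 body: {exc}") from None
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdf_options, off = _read_string(blob, off)
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (nkeys,) = struct.unpack_from(">I", blob, off)
    return {
        "cipher": cipher.decode("ascii", "replace"),
        "kdf": kdf.decode("ascii", "replace"),
        "encrypted": cipher != b"none",
        "nkeys": nkeys,
        "trailing_newline": pem_text.endswith("\n"),
    }


def connection_plugin_for(pem_text: str) -> str:
    """Pick the Ansible connection plugin that can use this key unattended.

    Assumption (my analysis, not stated in the thread): the 'ssh' plugin runs
    the OpenSSH client under sshpass, which only types ansible_ssh_pass at a
    prompt containing "assword". An encrypted key makes ssh ask
    "Enter passphrase for key ..." instead, so that prompt is never answered
    and the task blocks. paramiko decrypts the key itself with the same
    password, so it is the safe choice for an encrypted key.
    """
    return "paramiko" if inspect_openssh_key(pem_text)["encrypted"] else "ssh"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def make_sample_key(encrypted: bool, trailing_newline: bool = True) -> str:
    """Build a CONSTRUCTED key file for exercising the parser.

    Only the header fields read by inspect_openssh_key() are meaningful; the
    public and private payloads are zero-filled dummies, not a usable key.
    """
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdf_options = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)  # salt, rounds
    else:
        cipher, kdf, kdf_options = b"none", b"none", b""
    pubkey = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)
    private_section = b"\x00" * 64  # ciphertext, or padded plaintext when unencrypted
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdf_options)
            + struct.pack(">I", 1) + _ssh_string(pubkey) + _ssh_string(private_section))
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    text = f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}"
    return text + "\n" if trailing_newline else text


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else make_sample_key(encrypted=True)
    info = inspect_openssh_key(text)
    print(info, "->", connection_plugin_for(text))
```

Run it with the path of the key file the playbook writes (the check is cheap enough to run on the controller in a delegated task before the set_fact). If the ssh plugin has to stay, the OpenSSH way to handle an encrypted key without a terminal is to load it into an ssh-agent beforehand rather than to pass the passphrase as ansible_ssh_pass, which is the login password and nothing else.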
Trying to execute a command via ssh, but I'm not receiving anything back. Server A is a Solaris machine and Server B is SUSE Linux with OpenBSD sshd. Checked
ssh remote command does not return
https://www.openbsd.org/papers/auug2002-ssh.pdf
https://superuser.com/questions/792070/commands-over-ssh-not-producing-output
and other sources, but can't resolve it.
The command I'm trying is (in bash):
ssh -v -i .ssh/id_rsa -p1234 user2@abcdefg 'ls'
(tried without quotes and with double quotes as well)
And the debug info I'm receiving is :
Sun_SSH_1.1.6, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to ABCDEFG [100.100.100.100] port 1234.
debug1: Connection established.
debug1: identity file ../../../.ssh/id_rsa type 1
debug1: Logging to host: abcdefg
debug1: Local user: user1 Remote user: user2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.6
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 1014/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'abcdefg' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:1
debug1: bits set: 1019/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying public key: .ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 80b0320 hint 0
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey)
debug1: SSH receive window size: 198720 B
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: ls
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
The ssh_config file on serverB looks like:
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# Configuration file set-up to meet APG43L needs.
Protocol 2
PasswordAuthentication yes
UsePAM yes
################################################################################
# Access to sftp subsystem is DISABLED #
# Subsystem sftp internal-sftp #
################################################################################
PermitRootLogin no
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
PrintLastLog no
Port 1234
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
AllowGroups group1 group2 group3
AllowUsers user2
RSAAuthentication yes
PubkeyAuthentication yes4
EDIT:
I tried to execute the command on the remote machine and redirect its output to a remote file, but this doesn't work either. No file is created (I can write that file in the directory if I'm on the remote server). I adapted the question also.
ssh -v -i .ssh/id_rsa -p1234 user2@abcdefg 'ls > output.dat'
Weird, certainly not your command -- similar with single quotes works for me. I get the same debug output to "debug1: Sending command: ls") so everything is authenticating fine, but you're just not getting the output I then get!
Some googling implies this variation on the command gets results
echo 'ls' | ssh -v -i .ssh/id_rsa -p1234 user2@abcdefg
https://superuser.com/questions/792070/commands-over-ssh-not-producing-output
I'm assuming you have executable rights to your home directory (be amazed if you didn't)... but assumption is the mother of all f ups, so do check you can actually ls on the actual client.
I have an issue with Cygwin on one windows server (2008 R2 STD)
It's the first time I saw that:
First, I saw a little bug after the installation of Cygwin: when I open a Cygwin terminal the username has the hostname in its name (WANCYFILE3 is the hostname):
WANCYFILE3+BoMBkpAccount@WANCYFILE3 ~
$
and when I create an /etc/passwd with mkpasswd I have the same issue:
WANCYFILE3+BoMBkpAccount@WANCYFILE3 ~
$ mkpasswd
SYSTEM:*:18:18:U-NT AUTHORITY\SYSTEM,S-1-5-18:/home/SYSTEM:/bin/bash
LOCAL SERVICE:*:19:19:U-NT AUTHORITY\LOCAL SERVICE,S-1-5-19:/:/sbin/nologin
NETWORK SERVICE:*:20:20:U-NT AUTHORITY\NETWORK SERVICE,S-1-5-20:/:/sbin/nologin
Administrators:*:544:544:U-BUILTIN\Administrators,S-1-5-32-544:/:/sbin/nologin
NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:/:/sbin/nologin
WANCYFILE3+Administrator:*:197108:197121:U-WANCYFILE3\Administrator,S-1-5-21-1686359761-1676169977-233769372-500:/home/Administrator:/bin/bash
WANCYFILE3+BoMBkpAccount:*:197608:197121:U-WANCYFILE3\BoMBkpAccount,S-1-5-21-1686359761-1676169977-233769372-1000:/home/BoMBkpAccount:/bin/bash
WANCYFILE3+cyg_server:*:197613:197121:U-WANCYFILE3\cyg_server,S-1-5-21-1686359761-1676169977-233769372-1005:/home/cyg_server:/bin/bash
WANCYFILE3+Guest:*:197109:197121:U-WANCYFILE3\Guest,S-1-5-21-1686359761-1676169977-233769372-501:/home/Guest:/bin/bash
WANCYFILE3+sshd:*:197612:197121:U-WANCYFILE3\sshd,S-1-5-21-1686359761-1676169977-233769372-1004:/home/sshd:/bin/bash
For information, the home directory is good:
WANCYFILE3+BoMBkpAccount@WANCYFILE3 ~
$ pwd
/home/BoMBkpAccount
Now, during the installation of ssh with the command "ssh-host-config",
I needed to replace the creation of the automatic user "WANCYFILE3+cyg_server" with "cyg_server":
*** Info: The following privileged accounts were found: 'WANCYFILE3+cyg_server' .
*** Info: This script plans to use 'WANCYFILE3+cyg_server'.
*** Info: 'WANCYFILE3+cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) yes
*** Query: Enter the new user name: cyg_server
*** Query: Reenter: cyg_server
otherwise I have this issue:
*** Info: This script plans to use 'WANCYFILE3+cyg_server'.
*** Info: 'WANCYFILE3+cyg_server' will only be used by registered services.
*** Query: Please enter the password for user 'WANCYFILE3+cyg_server':
*** Query: Reenter:
/usr/bin/cygrunsrv: Error installing a service: CreateService: Win32 error 1057:
The account name is invalid or does not exist, or the password is invalid for the account
*** ERROR: Installing sshd as a service failed!
Now the sshd service works with the password:
WANCYFILE3+BoMBkpAccount@WANCYFILE3 ~/.ssh
$ ssh localhost
WANCYFILE3+BoMBkpAccount@localhost's password:
Last login: Tue Apr 21 10:45:46 2015 from ::1
WANCYFILE3+BoMBkpAccount@WANCYFILE3 ~
$
but not if the client has a keyfile:
WANCYFILE3+BoMBkpAccount@WANCYFILE3 ~
$ ssh-keygen.exe
Generating public/private rsa key pair.
....
WANCYFILE3+BoMBkpAccount@WANCYFILE3 ~
$ ssh localhost
Connection closed by ::1
I tried to add the public key to the authorized_keys but it's the same issue,
for example from another ssh client:
$ ssh-copy-id -i ./backupkey_BOM_Ancy.pub WANCYFILE3+BoMBkpAccount@WANCYFILE3.ancy.societe.com
WANCYFILE3+BoMBkpAccount@wancyfile3.ancy.societe.com's password:
Now try logging into the machine, with "ssh 'WANCYFILE3+BoMBkpAccount@WANCYFILE3.ancy.societe.com'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
$ ssh -i ./backupkey_BOM_Ancy WANCYFILE3+BoMBkpAccount@WANCYFILE3.ancy.societe.com
Connection closed by 10.131.16.34
With a verbose connection:
$ ssh -v -i ./backupkey_BOM_Ancy WANCYFILE3+BoMBkpAccount@WANCYFILE3.ancy.societe.com
OpenSSH_5.5p1 Debian-6+squeeze3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to WANCYFILE3.ancy.societe.com [10.131.16.34] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file ./backupkey_BOM_Ancy type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file ./backupkey_BOM_Ancy-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8
debug1: match: OpenSSH_6.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'wancyfile3.ancy.societe.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:62
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: ./backupkey_BOM_Ancy
Connection closed by 10.131.16.34
$
After 3 installations of Cygwin, I can't find this issue.
do you have any idea?
Thanks for your help (and sorry for my English)
debug1: Offering public key: ./backupkey_BOM_Ancy
Connection closed by 10.131.16.34
$
You need to figure out why the server is closing the connection on you. If this were a unix system, I'd say to check the system logs (usually one of the files in /var/log) for messages from sshd. I don't know what the cygwin equivalent of that is.
My guess is that you're authenticating, and the server is trying to start a login session for you. But the program that it's trying to start as your shell is missing, malfunctioning, or it's exiting as soon as it has started.