My friend and I are trying to get ssh access on his server working from external networks. He is running Debian 7.1. He can access the server from the internal network but every time I try to access his server (of course from an external network), I get the following error.
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/MyUser/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/MyUser/.ssh/id_dsa
debug3: no such identity: /Users/MyUser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
MyUser@HisServer.com's password:
debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
Permission of ~/.ssh/ is 700 and ~/.ssh/* is 600. He has
RSAAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
included in his sshd_config.
Port checker says that Port 22/tcp is open. Strangest thing is that we can't find any history of access in the log. sudo grep ssh /var/log/* only shows his activity.
Thus, I suspect it's the router's config that's causing the problem, but shouldn't we be able to ssh if the port is open?
You need to configure your router or DSL modem to port forward port 22 to the IP address of your server on port 22.
A simple test to do to check if it is a connectivity issue is to telnet on port 22:
telnet xxx.xxx.xxx.xxx 22
where the x's represent the external IP address of your router.
Maybe this will help.
Try to use your external IP address; find your external IP address on http://www.whatismyip.com/.
I've sat for almost 4 weeks to find out not to use my 192.168.x.xxx address
but to use the external one 88.67.xx.xxx.
Excuse me for my television English.
The reason why we couldn't ssh from external networks was because my friend had a "nested LAN".
It turns out that his apartment had its own LAN, so even after he port-forwarded tcp/22 to his server's private IP address (within his home's LAN), external access got stuck at the apartment's LAN.
He could have paid around $30 per port to open ports with numbers larger than 1000, if I remember correctly, but he figured it wasn't worth it, so we basically gave up.
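Added example (not part of the original thread): the question's sshd_config sets PasswordAuthentication no, yet the client log shows the server offering password, which fits a different sshd answering on the public address (or a config that was never reloaded). The script below compares the two, using the config lines and log line from the question as sample input; treating unset keywords as "yes" and ignoring Match blocks are assumptions.

```shell
# Methods sshd should advertise for config $1. sshd keeps the FIRST value it
# reads per keyword. Assumed: unset keywords mean "yes", Match blocks are
# skipped, and UsePAM supplies the keyboard-interactive backend.
expected_methods() {
    awk '
        function on(k) { return !(k in v) || v[k] == "yes" }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
        END {
            if (on("pubkeyauthentication")) print "publickey"
            if (on("passwordauthentication")) print "password"
            if (on("challengeresponseauthentication") &&
                on("kbdinteractiveauthentication")) print "keyboard-interactive"
        }' "$1" | sort
}

# Methods the server offered: first "can continue" line of client log $1.
advertised_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' "$1" |
        head -n 1 | tr ',' '\n' | sort
}

compare_methods() {    # $1 = sshd_config, $2 = client log
    if [ "$(expected_methods "$1")" = "$(advertised_methods "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Sample input taken from the question above, written into directory $1.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
RSAAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
EOF
    cat > "$1/client.log" <<'EOF'
debug1: Authentications that can continue: publickey,password
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
compare_methods "$tmp/sshd_config" "$tmp/client.log"; rm -rf "$tmp"
```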
You can use Corkscrew to tunnel ssh traffic through HTTP. No need to pay that ridiculous $30.
I've been trying for hours to get the ssh login working.
The Server is on Debian 10 and the clients are on Linux Mint and Windows 10.
This is the error trying to login with:
ssh -Tvvv git@dev.example.io
debug1: Will attempt key: /home/herbert/.ssh/pubkey RSASHA256:LygJtb4xx3RHfaMr1wM3sgSjTnj59nNUFgnQZO/0xoo explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/herbert/.ssh/pubkey RSA SHA256:LygJtb4xx3RHfaMr1qM3sgSjTnj59nNUFgnQZO/0xoo explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
git@dev.example.io: Permission denied (publickey).
This is the ssh config file:
Host dev.example.io
HostName dev.example.io
PreferredAuthentications publickey
IdentityFile ~/.ssh/pubkey
PubkeyAcceptedKeyTypes +ssh-rsa
I have also tried "Fast lookup of authorized SSH keys in the database" to get things working, but they don't.
Maybe someone has an idea how to debug what is going wrong; for the moment I have no idea. It's a fresh GitLab installation and I have never had this problem before with an installation.
Thank you.
PS: Of course, the RSA keys are correct on GitLab and they are also correctly saved in the authorized_keys file.
Whenever the SSH looks OK on client side, and yet is refused by the server side, assuming you have access to the server, you can consider debugging there.
On that Debian server:
stop the SSH daemon
relaunch it manually (using its full path)
make one connection from the client
look at the daemon's output on the server's stdout
That is, on Debian server side:
sudo systemctl stop ssh.service
sudo /usr/sbin/sshd -dd
I am trying to ssh in to a google compute engine using gcloud and this used to work fine. But for some reason I have been hitting a wall for a while now. It works fine from the console. The instance is a bog-standard default instance.
I keep getting
google compute ssh test
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).
and more verbosely
google compute ssh test -vvv
...
bug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mike/.ssh/google_compute_engine
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fpSHA256:bW6Bpi2N67+MIGbRkfLRcdl5ghxQWOAtiRiYazy1JXU
debug3: sign_and_send_pubkey: RSA SHA256:bW6Bpi2N67+MIGbRkfLRcdl5ghxQWOAtiRiYazy1JXU
sign_and_send_pubkey: signing failed: agent refused operation
I have tried with a fresh project, but got the same result. Re-installed google cloud sdk, same result. I must be missing some setting value, but I have no idea what I am missing. I have ssh keys (the standard ones created by gcloud, called google_compute_engine(.pub)) in my .ssh directory.
Any suggestions would be appreciated.
Cheers, Mike
After trying loads of things, I found that
sudo apt-get autoremove gnome-keyring
ssh-add -D
a reboot resolved this.
I wanted to set up passwordless login from my local machine to this Linux server. When I tried to upload my public key I found that there is no .ssh on the server. So I created one with ssh-keygen on the server. However, in the newly generated .ssh directory, there is no authorized_keys or known_hosts. So I made a new authorized_keys and pasted in my public key from the local machine. However, it does not work; I still need a password for ssh. Can anyone tell me if I am doing it right?
Here is the output of ssh -vvv:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address .
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_198782' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_198782' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_198782' not found
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /rsrch2/rists/djiao/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1477
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /rsrch2/rists/djiao/.ssh/id_dsa
debug3: no such identity: /rsrch2/rists/djiao/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: Wrote 96 bytes for a total of 1573
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Simply create it and copy your key over to it. If you have a key-copy tool then just create the file via
$ touch ~/.ssh/authorized_keys
before using the tool.
It might help to connect using -vvv for verbosity.
On the client and on the server, check that ~/.ssh has permissions 700.
On the server, check that /etc/ssh/sshd_config has:
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
RSAAuthentication yes
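Added example (not from any poster in this thread): a shell check that goes beyond the 700 rule above and emulates the ownership and mode test sshd applies to authorized_keys and its parent directories when StrictModes is enabled. It assumes a stat that supports -c (GNU coreutils or busybox); the demo tree is constructed.

```shell
# authorized_keys and every directory up to the home directory must be owned
# by the user (or root) and must not be group- or world-writable.
# $1 = home directory, $2 = expected numeric uid (default: current user).
strictmodes_check() {
    home=$1; uid=${2:-$(id -u)}; rc=0
    path="$home/.ssh/authorized_keys"
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    while :; do
        set -- $(stat -c '%a %u' "$path")      # $1 = octal mode, $2 = owner uid
        if [ "$2" != "$uid" ] && [ "$2" != 0 ]; then
            echo "BAD-OWNER $path (uid $2)"; rc=1
        fi
        if [ $(( 0$1 & 022 )) -ne 0 ]; then    # any group/other write bit set
            echo "WRITABLE $path (mode $1)"; rc=1
        fi
        case $path in "$home"|/) break ;; esac # stop once the home dir is checked
        path=$(dirname "$path")
    done
    return $rc
}

# Constructed demo tree: a throwaway "home" with the modes named in the thread.
make_home() {
    h=$(mktemp -d)
    mkdir "$h/.ssh" && touch "$h/.ssh/authorized_keys"
    chmod 700 "$h" "$h/.ssh" && chmod 600 "$h/.ssh/authorized_keys"
    echo "$h"
}

demo=$(make_home)
strictmodes_check "$demo" && echo "700/600: accepted"
chmod 775 "$demo"                              # group-writable home directory
strictmodes_check "$demo" || echo "home 775: key file would be ignored"
rm -rf "$demo"
```

When the check fails on a real server, sshd skips the key file and the client simply falls through to the next method, which is the "still asks for a password" symptom.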
Well, I have 2 computers called 120 and 110. I am trying to configure an ssh connection without a password from 110 to 120. This is what I have done on the 120:
1- ssh-keygen -t rsa
2- scp ~/.ssh/id_rsa.pub root@110:.ssh/authorized_keys
and then on the 110:
1- chmod 700 ~/.ssh/authorized_keys
These steps don't work because it keeps asking for the password. So, I tried to do the opposite, from 120 to 110, and doing exactly the same thing it works.
I also changed PermitRootLogin to yes in the /etc/ssh/sshd_config file of both computers.
I am out of ideas. Any suggestion?
EDIT:
This is what I got using ssh -vv:
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
root@192.168.1.120's password:
Try running this (after generating the key):
ssh-add
Env:
VM A: the machine I want to access without a password
VM B: the machine from which I want to access VM A without a password
Problem Description:
As I want to access VM A from VM B without a password, I first want to inject VM B's public key into VM A, but I still need a password if I use ssh-copy, so I try to inject the file by mount.
The steps:
1. Start VM A from LiveCD
2. Mount VM A's root disk (contains the OS)
3. Create an authorized_keys file under ${mount_point}/root/.ssh/
4. Cat the VM B's public key into the authorized_keys file
5. Stop the VM A and remove the LiveCD then start the VM A again
6. Access the VM A from VM B by command
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PasswordAuthentication=no root@9.112.224.130
Results:
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
But after I ran the following commands, it works (the file modes are all 600 and the diff command shows no difference)
mv authorized_keys authorized_keys_bak
cp authorized_keys_bak authorized_keys
So I tried to inject it again, but this time I created an empty authorized_keys file before starting from the LiveCD and skipped step 3; the other steps were all the same. This time VM B can access VM A without a password.
Questions:
The properties of authorized_keys and authorized_keys_bak are all the same, so why does one work and the other not?
Does authorized_keys only work when I create the file myself rather than through the mount from the LiveCD?
ssh-copy-id will ask you for the password one time to inject the keys into the remote system.
The logs you have shown are from the ssh client. We would need the ssh server logs as well to check why the ssh server is not able to verify the user's credentials.
From the client logs, we can say it has tried publickey based (without password) authentication but it failed (meaning it was rejected by the server). So the remaining method is "keyboard-interactive" (which is supported by the server), but the client doesn't support it, so there is no authentication method left to try and it failed.
Can you also check the following things for the working and non-working scenarios:
check user's publickey on client and server which is used for authentication
on client -> /users//.ssh/id_rsa.pub
on server -> /etc/ssh/authorized_keys (check entry for your username)