View previous topic :: View next topic |
Author |
Message |
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Sun Oct 27, 2024 3:12 am Post subject: Key pair auth issue with Windows 11 [SOLVED] |
|
|
I have both a desktop (192.168.1.139) and laptop (192.168.1.13) trying to connect to server (192.168.1.4). I've tried a few methods and seem to get the same results. For the sake of consistency I'll use putty for the example. I use putty's key-gen to create an ecdsa pub/priv keypair. I copy the pub into authorized_keys and set the private key to load when loading putty. I've done this for both the desktop and laptop (laptop first and desktop second). I find that using this method I can login just fine on the laptop (which I setup first) but it fails with the desktop (which I setup second) and requires a username/password to be set explicitly. Now, I had cleared the authorized_keys file and redid all this in the manner described, but previously I had done it in reverse (desktop setup first and laptop second) and in that scenario the desktop loaded fine, but the laptop required the username/password.
My /var/messages mentions:
Code: | Oct 26 23:02:26 devolved sshd[14067]: debug2: server_accept_loop: child 7668 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:02:26 devolved sshd-session[7668]: Connection from 192.168.1.139 port 54442 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:02:26 devolved sshd-session[7668]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:02:26 devolved sshd-session[7668]: Failed publickey for alienjon from 192.168.1.139 port 54442 ssh2: ECDSA SHA256:K5a8kNpYgcX/lnn3IhvILjwv0sYfb4LMDshFfowUzO8
Oct 26 23:02:26 devolved sshd-session[7668]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54442 ssh2 [preauth]
Oct 26 23:02:29 devolved sshd-session[7668]: Connection closed by authenticating user alienjon 192.168.1.139 port 54442 [preauth]
Oct 26 23:02:29 devolved sshd[14067]: debug1: child_reap: preauth child 7668 for connection from 192.168.1.4 to 192.168.1.139 exited after unsuccessful auth attempt
Oct 26 23:02:29 devolved sshd[14067]: srclimit_penalise: ipv4: new 192.168.1.139/32 deferred penalty of 5 seconds for penalty: failed authentication
Oct 26 23:02:45 devolved sshd[14067]: debug2: server_accept_loop: child 7814 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:02:45 devolved sshd-session[7814]: Connection from 192.168.1.139 port 54452 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:02:45 devolved sshd-session[7814]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:02:45 devolved sshd-session[7814]: Failed publickey for alienjon from 192.168.1.139 port 54452 ssh2: ECDSA SHA256:K5a8kNpYgcX/lnn3IhvILjwv0sYfb4LMDshFfowUzO8
Oct 26 23:02:45 devolved sshd-session[7814]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54452 ssh2 [preauth]
Oct 26 23:02:48 devolved sshd-session[7814]: Connection closed by authenticating user alienjon 192.168.1.139 port 54452 [preauth]
Oct 26 23:02:48 devolved sshd[14067]: debug1: child_reap: preauth child 7814 for connection from 192.168.1.4 to 192.168.1.139 exited after unsuccessful auth attempt
Oct 26 23:02:48 devolved sshd[14067]: srclimit_penalise: ipv4: new 192.168.1.139/32 deferred penalty of 5 seconds for penalty: failed authentication
Oct 26 23:03:01 devolved sshd[14067]: debug2: server_accept_loop: child 7940 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:03:01 devolved sshd-session[7940]: Connection from 192.168.1.139 port 54462 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:03:03 devolved sshd-session[7940]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:03:03 devolved sshd-session[7940]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54462 ssh2 [preauth]
Oct 26 23:03:05 devolved sshd-session[7940]: Postponed keyboard-interactive/pam for alienjon from 192.168.1.139 port 54462 ssh2 [preauth]
Oct 26 23:03:05 devolved sshd-session[7940]: Accepted keyboard-interactive/pam for alienjon from 192.168.1.139 port 54462 ssh2
Oct 26 23:03:05 devolved sshd[14067]: debug2: server_accept_loop: child 7940 for connection from 192.168.1.4 to 192.168.1.139 auth done
Oct 26 23:03:05 devolved sshd-session[7957]: Starting session: shell on pts/0 for alienjon from 192.168.1.139 port 54462 id 0
Oct 26 23:06:50 devolved sshd-session[7957]: Close session: user alienjon from 192.168.1.139 port 54462 id 0
Oct 26 23:06:50 devolved sshd-session[7957]: Received disconnect from 192.168.1.139 port 54462:11: disconnected by user
Oct 26 23:06:50 devolved sshd-session[7957]: Disconnected from user alienjon 192.168.1.139 port 54462
Oct 26 23:06:52 devolved sshd[14067]: debug2: server_accept_loop: child 9555 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:06:52 devolved sshd-session[9555]: Connection from 192.168.1.139 port 54665 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:06:53 devolved sshd-session[9555]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:06:53 devolved sshd-session[9555]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54665 ssh2 [preauth]
Oct 26 23:06:54 devolved sshd-session[9555]: Postponed keyboard-interactive/pam for alienjon from 192.168.1.139 port 54665 ssh2 [preauth]
Oct 26 23:06:54 devolved sshd-session[9555]: Accepted keyboard-interactive/pam for alienjon from 192.168.1.139 port 54665 ssh2
Oct 26 23:06:54 devolved sshd[14067]: debug2: server_accept_loop: child 9555 for connection from 192.168.1.4 to 192.168.1.139 auth done
Oct 26 23:06:54 devolved sshd-session[9572]: Starting session: shell on pts/0 for alienjon from 192.168.1.139 port 54665 id 0 |
I would prefer to disable password authentication completely on the server, but need to be able to have control over which devices have access through the keypairs and this isn't working. Any thoughts what may be causing the issue? Why would it only work for one of the two devices (and the first one setup, at that).
Last edited by alienjon on Sun Oct 27, 2024 7:16 pm; edited 1 time in total |
|
Back to top |
|
|
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Sun Oct 27, 2024 3:31 am Post subject: |
|
|
So... progress. I had been looking at debug on the server side, but not the client side. When running ssh {host} -vv I noticed:
Code: | debug1: Trying private key: C:\\Users\\Jon/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ecdsa_sk
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ed25519_sk
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_xmss
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_dsa |
I had a custom name for the private key, but changed it to the name matching the protocol I'm using and voila. It seems to work now. I didn't see it stated that the private key HAD to match this name, but that appears to be the case. Can someone confirm? Might I be missing something else here? |
|
Back to top |
|
|
Banana Moderator
Joined: 21 May 2004 Posts: 1798 Location: Germany
|
Posted: Sun Oct 27, 2024 8:15 am Post subject: |
|
|
You can name your key what every you want. If so, you need to specify the file everytime you want to use it. If you do not specify the file the defaults will be used.
Quote: | a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix |
_________________ Forum Guidelines
PFL - Portage file list - find which package a file or command belongs to.
My delta-labs.org snippets do expire |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 513
|
Posted: Sun Oct 27, 2024 9:28 am Post subject: |
|
|
The default names are what SSH is looking for out of the box. But this is not very comfortable in the long term. There are at least two possibilities to work with keys:
One way is to use an SSH agent such as ssh-agent or pageant (for putty).
The other way is to write a SSH config and specify the identity file (the key) for the different servers (I hope you have different keys for different servers); see also "man 5 ssh_config" for more details. |
|
Back to top |
|
|
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Sun Oct 27, 2024 7:15 pm Post subject: |
|
|
Banana wrote: | You can name your key what every you want. If so, you need to specify the file everytime you want to use it. If you do not specify the file the defaults will be used. |
Thanks. I've looked at the Gentoo wiki on SSH several times and done google searches, but details of SSH continues to elude me :-p
sMueggli wrote: | The default names are what SSH is looking for out of the box. But this is not very comfortable in the long term. There are at least two possibilities to work with keys:
One way is to use an SSH agent such as ssh-agent or pageant (for putty).
The other way is to write a SSH config and specify the identity file (the key) for the different servers (I hope you have different keys for different servers); see also "man 5 ssh_config" for more details. |
Now this answers a question I hadn't thought to ask. I thought that SSH automatically looked in the .ssh folder, but I now realize this was an assumption. So, to clarify, the SSH agent tells the SSH client where to find keys outside of default ones? Pageant seems to work fine on the Windows 11 device, but I took it the next step into PowerShell (I'm trying to use that more frequently, when able) and ssh-agent is available directly through there. |
|
Back to top |
|
|
Banana Moderator
Joined: 21 May 2004 Posts: 1798 Location: Germany
|
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 513
|
Posted: Mon Oct 28, 2024 10:09 am Post subject: |
|
|
From "man 1 ssh-agent":
Code: | ssh-agent is a program to hold private keys used for public key authentication.
Through use of environment variables the agent can be located and automatically used
for authentication when logging in to other machines using ssh(1). |
The environment variable is $SSH_AUTH_SOCK.
You can also combine the use of an ssh config and ssh-agent. If you have 20 SSH keys loaded by ssh-agent and the remote server allows only 5 attempts to authenticate, your access may be denied because ssh tried 5 wrong keys from the 20 loaded by ssh-agent. With the custom config you can specifiy which key to use (or use ssh -i path/to/privkey user@server). |
|
Back to top |
|
|
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Tue Oct 29, 2024 12:40 am Post subject: |
|
|
Thanks both! This is exactly what I needed. Is there a benefit to an ssh-agent vs changing the configuration? In Windows the agent seems to be an easier choice. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 513
|
Posted: Tue Oct 29, 2024 9:49 am Post subject: |
|
|
Hard to tell. And you can combine both together. So the usage of one or the other is not mutually exclusive.
If you have a static setup you could use the config. That way you just "ssh foobar" and it works. It is easier to debug: ssh client works? if yes, is config correct? if yes, the fun begins...
The config is also self-documenting. If you read the config you will know, where default values are used and where you set specific values.
On the other hand I just start the ssh-agent with a systemd user unit at login. And whenever I need access to a server I load the key (and need to figure out the specific password) and start working. In case of failure you need to check more parts.
And on Windows I like MobaXterm for SSH and RDP. |
|
Back to top |
|
|
alienjon Veteran
Joined: 09 Feb 2005 Posts: 1726
|
Posted: Tue Oct 29, 2024 11:41 pm Post subject: |
|
|
Thanks for the insight! It's just a home network, so pretty small and a config would likely make sense. I'll have to check out those SSH clients as well. Thanks for the recommendation! |
|
Back to top |
|
|
|