Gentoo Forums
Key pair auth issue with Windows 11 [SOLVED]
alienjon
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Sun Oct 27, 2024 3:12 am    Post subject: Key pair auth issue with Windows 11 [SOLVED]

I have both a desktop (192.168.1.139) and a laptop (192.168.1.13) trying to connect to a server (192.168.1.4). I've tried a few methods and seem to get the same results. For the sake of consistency I'll use PuTTY for the example. I use PuTTY's key-gen to create an ECDSA pub/priv keypair. I copy the pub into authorized_keys and set the private key to load when loading PuTTY. I've done this for both the desktop and the laptop (laptop first and desktop second). I find that using this method I can log in just fine on the laptop (which I set up first), but it fails with the desktop (which I set up second) and requires a username/password to be set explicitly. Now, I had cleared the authorized_keys file and redid all this in the manner described, but previously I had done it in reverse (desktop set up first and laptop second), and in that scenario the desktop loaded fine, but the laptop required the username/password.

My /var/messages mentions:
Code:
Oct 26 23:02:26 devolved sshd[14067]: debug2: server_accept_loop: child 7668 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:02:26 devolved sshd-session[7668]: Connection from 192.168.1.139 port 54442 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:02:26 devolved sshd-session[7668]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:02:26 devolved sshd-session[7668]: Failed publickey for alienjon from 192.168.1.139 port 54442 ssh2: ECDSA SHA256:K5a8kNpYgcX/lnn3IhvILjwv0sYfb4LMDshFfowUzO8
Oct 26 23:02:26 devolved sshd-session[7668]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54442 ssh2 [preauth]
Oct 26 23:02:29 devolved sshd-session[7668]: Connection closed by authenticating user alienjon 192.168.1.139 port 54442 [preauth]
Oct 26 23:02:29 devolved sshd[14067]: debug1: child_reap: preauth child 7668 for connection from 192.168.1.4 to 192.168.1.139 exited after unsuccessful auth attempt
Oct 26 23:02:29 devolved sshd[14067]: srclimit_penalise: ipv4: new 192.168.1.139/32 deferred penalty of 5 seconds for penalty: failed authentication
Oct 26 23:02:45 devolved sshd[14067]: debug2: server_accept_loop: child 7814 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:02:45 devolved sshd-session[7814]: Connection from 192.168.1.139 port 54452 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:02:45 devolved sshd-session[7814]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:02:45 devolved sshd-session[7814]: Failed publickey for alienjon from 192.168.1.139 port 54452 ssh2: ECDSA SHA256:K5a8kNpYgcX/lnn3IhvILjwv0sYfb4LMDshFfowUzO8
Oct 26 23:02:45 devolved sshd-session[7814]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54452 ssh2 [preauth]
Oct 26 23:02:48 devolved sshd-session[7814]: Connection closed by authenticating user alienjon 192.168.1.139 port 54452 [preauth]
Oct 26 23:02:48 devolved sshd[14067]: debug1: child_reap: preauth child 7814 for connection from 192.168.1.4 to 192.168.1.139 exited after unsuccessful auth attempt
Oct 26 23:02:48 devolved sshd[14067]: srclimit_penalise: ipv4: new 192.168.1.139/32 deferred penalty of 5 seconds for penalty: failed authentication
Oct 26 23:03:01 devolved sshd[14067]: debug2: server_accept_loop: child 7940 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:03:01 devolved sshd-session[7940]: Connection from 192.168.1.139 port 54462 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:03:03 devolved sshd-session[7940]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:03:03 devolved sshd-session[7940]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54462 ssh2 [preauth]
Oct 26 23:03:05 devolved sshd-session[7940]: Postponed keyboard-interactive/pam for alienjon from 192.168.1.139 port 54462 ssh2 [preauth]
Oct 26 23:03:05 devolved sshd-session[7940]: Accepted keyboard-interactive/pam for alienjon from 192.168.1.139 port 54462 ssh2
Oct 26 23:03:05 devolved sshd[14067]: debug2: server_accept_loop: child 7940 for connection from 192.168.1.4 to 192.168.1.139 auth done
Oct 26 23:03:05 devolved sshd-session[7957]: Starting session: shell on pts/0 for alienjon from 192.168.1.139 port 54462 id 0
Oct 26 23:06:50 devolved sshd-session[7957]: Close session: user alienjon from 192.168.1.139 port 54462 id 0
Oct 26 23:06:50 devolved sshd-session[7957]: Received disconnect from 192.168.1.139 port 54462:11: disconnected by user
Oct 26 23:06:50 devolved sshd-session[7957]: Disconnected from user alienjon 192.168.1.139 port 54462
Oct 26 23:06:52 devolved sshd[14067]: debug2: server_accept_loop: child 9555 for connection from 192.168.1.4 to 192.168.1.139 received config
Oct 26 23:06:52 devolved sshd-session[9555]: Connection from 192.168.1.139 port 54665 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:06:53 devolved sshd-session[9555]: debug1: PAM: setting PAM_RHOST to "192.168.1.139"
Oct 26 23:06:53 devolved sshd-session[9555]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54665 ssh2 [preauth]
Oct 26 23:06:54 devolved sshd-session[9555]: Postponed keyboard-interactive/pam for alienjon from 192.168.1.139 port 54665 ssh2 [preauth]
Oct 26 23:06:54 devolved sshd-session[9555]: Accepted keyboard-interactive/pam for alienjon from 192.168.1.139 port 54665 ssh2
Oct 26 23:06:54 devolved sshd[14067]: debug2: server_accept_loop: child 9555 for connection from 192.168.1.4 to 192.168.1.139 auth done
Oct 26 23:06:54 devolved sshd-session[9572]: Starting session: shell on pts/0 for alienjon from 192.168.1.139 port 54665 id 0


I would prefer to disable password authentication completely on the server, but I need to be able to control which devices have access through the keypairs, and this isn't working. Any thoughts on what may be causing the issue? Why would it only work for one of the two devices (and the first one set up, at that)?


Last edited by alienjon on Sun Oct 27, 2024 7:16 pm; edited 1 time in total
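An added example, not part of the original post: a small Python triage of sshd log lines of the kind quoted above (the sample lines are constructed from the post; the ED25519 line and its fingerprint are placeholders). It groups lines per sshd-session child, lists which source hosts only got in via keyboard-interactive (exactly the hosts that would be locked out once password authentication is disabled on the server) and collects the key fingerprints the server rejected, for comparison against the output of `ssh-keygen -lf ~/.ssh/authorized_keys` on the server.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd lines quoted in the post; the
# ED25519 line and its fingerprint are made-up placeholders.
SAMPLE_LOG = """\
Oct 26 23:02:26 devolved sshd-session[7668]: Connection from 192.168.1.139 port 54442 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:02:26 devolved sshd-session[7668]: Failed publickey for alienjon from 192.168.1.139 port 54442 ssh2: ECDSA SHA256:K5a8kNpYgcX/lnn3IhvILjwv0sYfb4LMDshFfowUzO8
Oct 26 23:02:26 devolved sshd-session[7668]: Postponed keyboard-interactive for alienjon from 192.168.1.139 port 54442 ssh2 [preauth]
Oct 26 23:03:01 devolved sshd-session[7940]: Connection from 192.168.1.139 port 54462 on 192.168.1.4 port 22 rdomain ""
Oct 26 23:03:05 devolved sshd-session[7940]: Accepted keyboard-interactive/pam for alienjon from 192.168.1.139 port 54462 ssh2
Oct 26 23:10:00 devolved sshd-session[8100]: Accepted publickey for alienjon from 192.168.1.13 port 50000 ssh2: ED25519 SHA256:CONSTRUCTEDplaceholderFingerprint0000000000
"""

SESSION_RE = re.compile(r"sshd-session\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: (?P<fp>\S+ SHA256:\S+)")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")

def triage(log_text):
    # One record per sshd-session child: user, source IP, every rejected
    # key fingerprint, and the method that finally succeeded (or None).
    conns = defaultdict(lambda: {"user": None, "ip": None,
                                 "failed_keys": [], "accepted": None})
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        conn, msg = conns[m.group("pid")], m.group("msg")
        hit = FAILED_RE.match(msg) or ACCEPT_RE.match(msg)
        if not hit:
            continue
        conn["user"], conn["ip"] = hit.group("user"), hit.group("ip")
        if "fp" in hit.groupdict():
            conn["failed_keys"].append(hit.group("fp"))
        else:
            conn["accepted"] = hit.group("method")
    return dict(conns)

def password_fallbacks(log_text):
    # Hosts that got in by something other than publickey: exactly the
    # ones locked out once password/keyboard-interactive auth is disabled.
    return sorted((c["ip"], c["user"], c["accepted"])
                  for c in triage(log_text).values()
                  if c["accepted"] and c["accepted"] != "publickey")

def rejected_fingerprints(log_text):
    # Keys offered but not found in authorized_keys; compare with the
    # output of 'ssh-keygen -lf ~/.ssh/authorized_keys' on the server.
    return {fp.split()[1] for c in triage(log_text).values()
            for fp in c["failed_keys"]}
```

Run it over `/var/log/messages` (with `LogLevel DEBUG` or the default `INFO`, both carry the Failed/Accepted lines) before flipping `PasswordAuthentication no`, so every host still on password fallback shows up first.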
alienjon
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Sun Oct 27, 2024 3:31 am    Post subject:

So... progress. I had been looking at debug on the server side, but not the client side. When running ssh {host} -vv I noticed:

Code:
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ecdsa_sk
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_ed25519_sk
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_xmss
debug1: Trying private key: C:\\Users\\Jon/.ssh/id_dsa


I had a custom name for the private key, but changed it to the name matching the protocol I'm using and voila. It seems to work now. I didn't see it stated that the private key HAD to match this name, but that appears to be the case. Can someone confirm? Might I be missing something else here?
Banana
Moderator


Joined: 21 May 2004
Posts: 1831
Location: Germany

PostPosted: Sun Oct 27, 2024 8:15 am    Post subject:

You can name your key whatever you want. If so, you need to specify the file every time you want to use it. If you do not specify the file, the defaults will be used.

Quote:
a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix

sMueggli
Guru


Joined: 03 Sep 2022
Posts: 516

PostPosted: Sun Oct 27, 2024 9:28 am    Post subject:

The default names are what SSH is looking for out of the box. But this is not very comfortable in the long term. There are at least two possibilities to work with keys:

One way is to use an SSH agent such as ssh-agent or pageant (for putty).

The other way is to write an SSH config and specify the identity file (the key) for the different servers (I hope you have different keys for different servers); see also "man 5 ssh_config" for more details.
alienjon
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Sun Oct 27, 2024 7:15 pm    Post subject:

Banana wrote:
You can name your key whatever you want. If so, you need to specify the file every time you want to use it. If you do not specify the file, the defaults will be used.

Thanks. I've looked at the Gentoo wiki on SSH several times and done Google searches, but the details of SSH continue to elude me :-p

sMueggli wrote:
The default names are what SSH is looking for out of the box. But this is not very comfortable in the long term. There are at least two possibilities to work with keys:

One way is to use an SSH agent such as ssh-agent or pageant (for putty).

The other way is to write an SSH config and specify the identity file (the key) for the different servers (I hope you have different keys for different servers); see also "man 5 ssh_config" for more details.

Now this answers a question I hadn't thought to ask. I thought that SSH automatically looked in the .ssh folder, but I now realize this was an assumption. So, to clarify, the SSH agent tells the SSH client where to find keys outside of default ones? Pageant seems to work fine on the Windows 11 device, but I took it the next step into PowerShell (I'm trying to use that more frequently, when able) and ssh-agent is available directly through there.
Banana
Moderator


Joined: 21 May 2004
Posts: 1831
Location: Germany

PostPosted: Mon Oct 28, 2024 6:43 am    Post subject:

By default it does work with the .ssh folder and does use the default files.
If you do not want it, as sMueggli already said, you need to specify which. Either with a tool or with custom config, like described here: https://unix.stackexchange.com/questions/494483/specifying-an-identityfile-with-ssh
sMueggli
Guru


Joined: 03 Sep 2022
Posts: 516

PostPosted: Mon Oct 28, 2024 10:09 am    Post subject:

From "man 1 ssh-agent":

Code:
       ssh-agent  is  a  program  to  hold  private  keys  used for public key authentication.
       Through use of environment variables the agent can be located  and  automatically  used
       for authentication when logging in to other machines using ssh(1).


The environment variable is $SSH_AUTH_SOCK.

You can also combine the use of an ssh config and ssh-agent. If you have 20 SSH keys loaded by ssh-agent and the remote server allows only 5 attempts to authenticate, your access may be denied because ssh tried 5 wrong keys from the 20 loaded by ssh-agent. With the custom config you can specify which key to use (or use ssh -i path/to/privkey user@server).
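An added example, not from the poster: a Python check for the MaxAuthTries problem described above. It reads a constructed ~/.ssh/config (the `devolved` stanza, IdentityFile plus IdentitiesOnly yes, is the recommended shape; `sloppy-example` is there to be flagged), counts how many keys ssh would offer per Host given a constructed list of agent-loaded keys, and flags stanzas that exceed sshd's default MaxAuthTries of 6 or set IdentityFile without IdentitiesOnly yes. It assumes OpenSSH client semantics for IdentitiesOnly and that every rejected key counts as one failed attempt on the server.

```python
import re

# Constructed ~/.ssh/config modelled on the setup in this thread; the second
# stanza is deliberately sloppy so the linter has something to flag.
SAMPLE_CONFIG = """\
Host devolved
    HostName 192.168.1.4
    User alienjon
    IdentityFile ~/.ssh/devolved_ecdsa
    IdentitiesOnly yes

Host sloppy-example
    IdentityFile ~/.ssh/sloppy_rsa
"""
AGENT_KEYS = [f"~/.ssh/agent_key_{i}" for i in range(7)]  # constructed 'ssh-add -l' stand-in

def parse_ssh_config(text):
    # Minimal ssh_config reader: {host_pattern: {keyword_lowercase: [values]}}.
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = stanzas.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, []).append(value)
    return stanzas

def offered_keys(opts, agent_keys):
    # With IdentitiesOnly yes only the configured files are offered; otherwise
    # every agent key plus the files (count matters here, not ssh's exact order).
    files = opts.get("identityfile", [])
    if opts.get("identitiesonly", ["no"])[-1].lower() == "yes":
        return list(files)
    return list(agent_keys) + [f for f in files if f not in agent_keys]

def lint(config_text, agent_keys, max_auth_tries=6):
    # Flag stanzas that can exhaust sshd's MaxAuthTries (default 6; every
    # rejected key counts as a failed attempt) before the right key is offered.
    findings = []
    for host, opts in parse_ssh_config(config_text).items():
        n = len(offered_keys(opts, agent_keys))
        if n > max_auth_tries:
            findings.append((host, f"offers {n} keys, server allows {max_auth_tries}"))
        if opts.get("identityfile") and "identitiesonly" not in opts:
            findings.append((host, "IdentityFile set without IdentitiesOnly yes"))
    return findings
```

`ssh -G hostname` prints the effective client options for a Host and is the quickest way to confirm what the real config resolves to before trusting this simplified reader.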
alienjon
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Tue Oct 29, 2024 12:40 am    Post subject:

Thanks both! This is exactly what I needed. Is there a benefit to an ssh-agent vs changing the configuration? In Windows the agent seems to be an easier choice.
sMueggli
Guru


Joined: 03 Sep 2022
Posts: 516

PostPosted: Tue Oct 29, 2024 9:49 am    Post subject:

Hard to tell. And you can combine both together. So the usage of one or the other is not mutually exclusive.

If you have a static setup you could use the config. That way you just "ssh foobar" and it works. It is easier to debug: ssh client works? if yes, is config correct? if yes, the fun begins...
The config is also self-documenting. If you read the config you will know, where default values are used and where you set specific values.

On the other hand I just start the ssh-agent with a systemd user unit at login. And whenever I need access to a server I load the key (and need to figure out the specific password) and start working. In case of failure you need to check more parts.

And on Windows I like MobaXterm for SSH and RDP.
alienjon
Veteran


Joined: 09 Feb 2005
Posts: 1726

PostPosted: Tue Oct 29, 2024 11:41 pm    Post subject:

Thanks for the insight! It's just a home network, so pretty small and a config would likely make sense. I'll have to check out those SSH clients as well. Thanks for the recommendation!