17.10.2021 15:07, Stuart Henderson wrote:
On 2021-10-17, kasak <ka...@kasakoff.net> wrote:
17.10.2021 13:48, Stuart Henderson wrote:
On 2021-10-17, kasak <ka...@kasakoff.net> wrote:
Hello everybody! I somehow broke authorization with password in 7.0

All this started after update to 7.0.

I have installed default /etc/ssh/sshd_config with sysmerge.

After this, I just wanted to disable password auth, to use
keyboard-interactive
ahh.... What are you expecting keyboard-interactive to do?

It isn't normally used on OpenBSD.
Honestly, I thought that keyboard-interactive is the same as password, but with bells and whistles.
The only thing I changed in conf is this line:

PasswordAuthentication no

After restart I cannot connect to this host for some reason. It just
doesn't ask for any password and quits

Here is log:

$ ssh -v host
That's the client-side, but what is logged on the server?
I'm afraid I cannot find out :) Server is not near.

When I had just sent my first mail, I remembered that I maybe also set
MaxAuthTries to 3.
Maybe this did the trick? If so, is there any way to force the client to
use keyboard-interactive first, and not to try absent pubkeys?

OpenSSH_8.8, LibreSSL 3.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to host [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
Oh, you have no keys, these would show a type other than -1 if you did:

debug1: identity file /home/kasak/.ssh/id_rsa type -1
debug1: identity file /home/kasak/.ssh/id_rsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_dsa type -1
debug1: identity file /home/kasak/.ssh/id_dsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kasak/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519 type -1
debug1: identity file /home/kasak/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kasak/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kasak/.ssh/id_xmss type -1
debug1: identity file /home/kasak/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to host:22 as 'kasak'
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519
SHA256:CcikFZvpvKUQM1NqPBCkEVGwhkQVszJMb8NVxG1pX9Q
debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host 'host' is known and matches the ED25519 host key.
debug1: Found key in /home/kasak/.ssh/known_hosts:30
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/kasak/.ssh/id_rsa
debug1: Will attempt key: /home/kasak/.ssh/id_dsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa
debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519
debug1: Will attempt key: /home/kasak/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/kasak/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,sk-ssh-ed25...@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,webauthn-sk-ecdsa-sha2-nistp...@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kasak/.ssh/id_rsa
debug1: Trying private key: /home/kasak/.ssh/id_dsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa
debug1: Trying private key: /home/kasak/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/kasak/.ssh/id_ed25519
debug1: Trying private key: /home/kasak/.ssh/id_ed25519_sk
debug1: Trying private key: /home/kasak/.ssh/id_xmss
And these would show the key fingerprint if keys were present.
So you don't have keys to offer anyway so they aren't tried so I don't
think this is anything to do with MaxAuthTries.

debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
kasak@host: Permission denied (publickey,keyboard-interactive).


I think to fix this you will either need to get onto the server via
another method and reenable PasswordAuthentication, or generate a
keypair and have the public key copied to the server. It's not super
fun, but an ed25519 key isn't too bad to type by hand if you need to get
somebody remote to do it ..

(General tip for changing sshd config, rcctl restart sshd and
test reconnecting before you close the first connection. If
you use ControlMaster, make sure you don't reuse an existing
already-authenticated connection when testing, in those cases you can rm
the control socket to be sure).

Thanks a lot for the help. I made a stupid mistake.
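
Added example, not part of the original thread or written by its participants: a small shell function that condenses an `ssh -v` client log into the points read off by hand above (whether any identity file loaded, which methods the server offered, which the client tried, and whether a ControlMaster socket was reused). The function name and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Summarise an `ssh -v` client log read on stdin as one line:
#   keys=<n> offered=<server methods> tried=<client methods> mux=<yes|no>
ssh_auth_summary() {
    awk '
    # "identity file PATH type N": N is -1 when no key could be loaded
    /^debug1: identity file / && $NF != "-1" { keys++ }
    # Methods the server says may still succeed (keep the last list)
    /^debug1: Authentications that can continue: / { offered = $NF }
    # Every method the client moved on to, in order
    /^debug1: Next authentication method: / {
        tried = (tried == "" ? $NF : tried "," $NF)
    }
    # Printed when ControlMaster=auto reuses a socket: nothing was re-authenticated
    /auto-mux: Trying existing master/ { mux = "yes" }
    END {
        printf "keys=%d offered=%s tried=%s mux=%s\n",
            keys, offered, tried, (mux == "" ? "no" : mux)
    }'
}

# Constructed sample in the format of the log quoted in this thread.
sample_no_keys() {
    cat <<'EOF'
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
EOF
}

# Constructed sample: one ed25519 key present (type is not -1).
sample_with_key() {
    cat <<'EOF'
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_ed25519 type 3
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
EOF
}

sample_no_keys | ssh_auth_summary
sample_with_key | ssh_auth_summary
```

Against a live host the debug lines go to stderr, so pipe them with `ssh -v host 2>&1 | ssh_auth_summary` from a second terminal while the first session stays open.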