Giles, Hugh,

Thank you all for your feedback .. long story short, there was indeed a firewall added to the network three weeks ago, and that's what was breaking SSH. I asked the network admin to add a rule allowing access to 140.82.112.0/20 from my server and -bingo- access to github started working again.

I'm glad I have this group to fall back on. :)

Cheers,

Alex

On Mon, Nov 30, 2020 at 11:09 AM Giles Orr <[email protected]> wrote:

> On Sun, 29 Nov 2020 at 22:59, Alex Beamish <[email protected]> wrote:
> >
> > On Sat, Nov 28, 2020 at 11:19 PM Giles Orr via talk <[email protected]> wrote:
> >>
> >> Hi Alex.
> >>
> >> On Sat, 28 Nov 2020 at 16:50, Alex Beamish via talk <[email protected]> wrote:
> >> >
> >> > Hi All,
> >> >
> >> > This is probably a blindingly obvious question, but I'm a little stumped. I've done a little work for a local business, setting up a Linux server (Ubuntu), developing some code and pushing it to github. It's all worked wonderfully until a few weeks ago, when he had someone in to do something to the network. Since then, Things Are Broken in ways that I don't understand.
> >> >
> >> > When I try to do anything with github, I see the response
> >> >
> >> > Received disconnect from 140.82.113.3 port 22:2: Connection blocked because server only allows public key authentication. Please contact your network administrator.
> >> >
> >> > Because I was worried I'd borked my account, this afternoon I tried again, creating a brand-new account and ssh-ing in .. and still got the same result.
> >> >
> >> > My github account works fine from my own machine, and also from my web provider (pair.com), so I'm guessing there's something going on within my client's network. Suggestions gratefully received.
> >>
> >> I apologize if this is something you've already looked at, but the #1 Google hit for "Connection blocked because server only allows public key authentication" does look relevant:
> >>
> >> https://superuser.com/questions/1466177/connection-blocked-because-server-only-allows-public-key-authentication-putty-f
> >
> >
> > Giles, Hugh,
> >
> > Thank you both for your responses. I am beginning to suspect that there is some network thing that's breaking ssh.
> >
> > From my own machine, the result of ssh -vT [email protected] looks like this: it works fine.
> >
> > OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
> > debug1: Reading configuration data /home/tab/.ssh/config
> > debug1: /home/tab/.ssh/config line 22: Applying options for *
> > debug1: /home/tab/.ssh/config line 338: Applying options for *
> > debug1: /home/tab/.ssh/config line 339: Deprecated option "useroaming"
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
> > debug1: /etc/ssh/ssh_config line 21: Applying options for *
> > debug1: Connecting to github.com [140.82.113.3] port 22.
> > debug1: Connection established.
> > debug1: identity file /home/tab/.ssh/id_rsa type -1
> > debug1: identity file /home/tab/.ssh/id_rsa-cert type -1
> > debug1: identity file /home/tab/.ssh/id_dsa type -1
> > debug1: identity file /home/tab/.ssh/id_dsa-cert type -1
> > debug1: identity file /home/tab/.ssh/id_ecdsa type -1
> > debug1: identity file /home/tab/.ssh/id_ecdsa-cert type -1
> > debug1: identity file /home/tab/.ssh/id_ecdsa_sk type -1
> > debug1: identity file /home/tab/.ssh/id_ecdsa_sk-cert type -1
> > debug1: identity file /home/tab/.ssh/id_ed25519 type -1
> > debug1: identity file /home/tab/.ssh/id_ed25519-cert type -1
> > debug1: identity file /home/tab/.ssh/id_ed25519_sk type -1
> > debug1: identity file /home/tab/.ssh/id_ed25519_sk-cert type -1
> > debug1: identity file /home/tab/.ssh/id_xmss type -1
> > debug1: identity file /home/tab/.ssh/id_xmss-cert type -1
> > debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
> > debug1: Remote protocol version 2.0, remote software version babeld-b85a2946
> > debug1: no match: babeld-b85a2946
> > debug1: Authenticating to github.com:22 as 'git'
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: algorithm: curve25519-sha256
> > debug1: kex: host key algorithm: rsa-sha2-512
> > debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
> > debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
> > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> > debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
> > debug1: Host 'github.com' is known and matches the RSA host key.
> > debug1: Found key in /home/tab/.ssh/known_hosts:3
> > debug1: rekey out after 134217728 blocks
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: rekey in after 134217728 blocks
> > debug1: Will attempt key: /home/tab/.ssh/music2012 RSA SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent
> > debug1: Will attempt key: /home/tab/.ssh/id_rsa
> > debug1: Will attempt key: /home/tab/.ssh/id_dsa
> > debug1: Will attempt key: /home/tab/.ssh/id_ecdsa
> > debug1: Will attempt key: /home/tab/.ssh/id_ecdsa_sk
> > debug1: Will attempt key: /home/tab/.ssh/id_ed25519
> > debug1: Will attempt key: /home/tab/.ssh/id_ed25519_sk
> > debug1: Will attempt key: /home/tab/.ssh/id_xmss
> > debug1: SSH2_MSG_EXT_INFO received
> > debug1: kex_input_ext_info: server-sig-algs=<[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug1: Authentications that can continue: publickey
> > debug1: Next authentication method: publickey
> > debug1: Offering public key: /home/tab/.ssh/music2012 RSA SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent
> > debug1: Server accepts key: /home/tab/.ssh/music2012 RSA SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent
> > debug1: Authentication succeeded (publickey).
> > Authenticated to github.com ([140.82.113.3]:22).
> > debug1: channel 0: new [client-session]
> > debug1: Entering interactive session.
> > debug1: pledge: network
> > debug1: Requesting authentication agent forwarding.
> > debug1: Sending environment.
> > debug1: Sending env LANG = en_CA.UTF-8
> > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> > Hi talexb! You've successfully authenticated, but GitHub does not provide shell access.
> > debug1: channel 0: free: client-session, nchannels 1
> > Transferred: sent 2856, received 2468 bytes, in 0.1 seconds
> > Bytes per second: sent 26439.1, received 22847.2
> > debug1: Exit status 1
> >
> > I have 'ForwardAgent yes' in my ~/.ssh/config, so when I ssh to my client's machine, my authentication comes with me. But on that machine, the response to the same test is now different than it was three weeks ago:
> >
> > OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
> > debug1: Reading configuration data /home/web/.ssh/config
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: /etc/ssh/ssh_config line 19: Applying options for *
> > debug1: Connecting to github.com [140.82.112.4] port 22.
> > debug1: Connection established.
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_rsa type -1
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_rsa-cert type -1
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_dsa type -1
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_dsa-cert type -1
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_ecdsa type -1
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_ecdsa-cert type -1
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_ed25519 type -1
> > debug1: key_load_public: No such file or directory
> > debug1: identity file /home/web/.ssh/id_ed25519-cert type -1
> > debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
> > debug1: Remote protocol version 2.0, remote software version babeld-b85a2946
> > debug1: no match: babeld-b85a2946
> > debug1: Authenticating to github.com:22 as 'git'
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: algorithm: curve25519-sha256
> > debug1: kex: host key algorithm: rsa-sha2-512
> > debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
> > debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
> > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> > debug1: Server host key: ssh-rsa SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > The RSA host key for github.com has changed,
> > and the key for the corresponding IP address 140.82.112.4
> > is unknown. This could either mean that
> > DNS SPOOFING is happening or the IP address for the host
> > and its host key have changed at the same time.
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> > It is also possible that a host key has just been changed.
> > The fingerprint for the RSA key sent by the remote host is
> > SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA.
> > Please contact your system administrator.
> > Add correct host key in /home/web/.ssh/known_hosts to get rid of this message.
> > Offending RSA key in /home/web/.ssh/known_hosts:10
> > remove with:
> > ssh-keygen -f "/home/web/.ssh/known_hosts" -R "github.com"
> > RSA host key for github.com has changed and you have requested strict checking.
> > Host key verification failed.
> >
> > To make sure that my account wasn't broken in some other way, this weekend I created another brand new account on my client's machine and tried the same test command -- I got the same result.
> >
> > I also tried ssh'ing to my web provider (pair.com) and then tried the same test command -- and got pretty much the same good response I got from my local machine. This tells me that my keys and my github account are working fine -- it's just something on my client's network that is interfering with the traffic.
> >
> > Because I know enough about ssh to get my job done, but not a lot more, I wanted to confirm I wasn't missing something really obvious, some config file switch that needed changing. Again, thank you all for your patience with me on this.
>
> Hi Alex.
>
> The first thing that occurs to me - and again, this is blatant speculation with no research behind it - is that those two big warnings might indicate that the new network equipment at your client's place is trying to MITM SSH. Not something I've heard of before, but corporations want to see inside any encrypted packets flowing in and out of their networks. If you want to prove/disprove that (I'd wait for confirmation from someone else that this is a remotely sane idea), you're going to learn a lot more about both SSH and network firewalls ...
>
>
> --
> Giles
> https://www.gilesorr.com/
> [email protected]
>

--
Alex Beamish
Software Developer / https://ca.linkedin.com/in/alex-beamish-5111ba3
Speaker Wrangler / Toronto Perlmongers / http://to.pm.org/
Chair, Sponsorship Committee, TPF / https://www.perlfoundation.org/
Baritone, Operations Manager / Toronto Northern Lights, 2013 Champions / www.northernlightschorus.com
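
Added example, not part of the original message or written by anyone in the thread: the two `ssh -v` transcripts above differ in the host key fingerprint the client was shown, and this sketch pulls that fingerprint out of a transcript and checks it against a pinned value. The `PINNED` table and the function names are assumptions made for illustration; the sample inputs are trimmed excerpts of the transcripts quoted in the thread.

```python
import re

# Fingerprint the working client in the thread saw for github.com (2020).
# Assumption: before pinning, confirm against the provider's published list.
PINNED = {"github.com": {"SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"}}

CONNECT_RE = re.compile(r"Connecting to (\S+) \[([^\]]+)\] port (\d+)")
HOSTKEY_RE = re.compile(r"Server host key:\s+(\S+)\s+(SHA256:[A-Za-z0-9+/=]+)")
WARNED_RE = re.compile(r"REMOTE HOST IDENTIFICATION HAS CHANGED|Host key verification failed")

def parse_transcript(text):
    """Pull host, IP, key type and fingerprint out of `ssh -v` output.

    Quote markers ("> ") are stripped and lines are joined first, so a
    fingerprint that a mailer wrapped onto the next line is still found.
    """
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    conn = CONNECT_RE.search(flat)
    key = HOSTKEY_RE.search(flat)
    return {
        "host": conn.group(1) if conn else None,
        "ip": conn.group(2) if conn else None,
        "key_type": key.group(1) if key else None,
        "fingerprint": key.group(2) if key else None,
        "client_warned": bool(WARNED_RE.search(flat)),
    }

def assess(text, pinned=PINNED):
    """Return (verdict, details); verdict is one of
    match / mismatch / unpinned-host / no-host-key."""
    info = parse_transcript(text)
    if info["fingerprint"] is None:
        return "no-host-key", info
    expected = pinned.get(info["host"])
    if not expected:
        return "unpinned-host", info
    return ("match" if info["fingerprint"] in expected else "mismatch"), info

# Trimmed excerpts of the two transcripts quoted in the thread.
HOME = """debug1: Connecting to github.com [140.82.113.3] port 22.
debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key."""
CLIENT_SITE = """> > debug1: Connecting to github.com [140.82.112.4] port 22.
> > debug1: Server host key: ssh-rsa
> SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA
> > Host key verification failed."""

for name, t in (("home", HOME), ("client site", CLIENT_SITE)):
    print(name, *assess(t))
```

A `mismatch` verdict means the key was presented by something other than the pinned server, so the `ssh-keygen -R` removal that the warning suggests should wait until the network path has been explained.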
