6:27 a.m.
Hi All,
I'm trying to setup an ssh-server on F31 which logs a user in without a
password, but with a key-exchange. I generated all the keys and placed them
in the right locations. It still asks for the password.
Than comes the strange : I stoped the service by "systemctl stop sshd" and
did run "as root" /usr/sbin/sshd. And than it just worked. (tried to stop
and start with systemctl again made the passwordless login fail again)
Question : why does is work with just running "/usr/sbin/sshd" but not with
"systemctl start sshd" ?
regards
Jouk
Pax, vel iniusta, utilior est quam iustissimum bellum.
(free after Marcus Tullius Cicero (106 b.Chr.-46 b.Chr.)
Epistularum ad Atticum 7.1.4.3)
Touch not the cat bot a glove
------------------------------------------------------------------------------<
Jouk Jansen
joukj(a)hrem.nano.tudelft.nl
Technische Universiteit Delft tttttttttt uu uu ddddddd
Kavli Institute of Nanoscience tttttttttt uu uu dd dd
Nationaal centrum voor HREM tt uu uu dd dd
Lorentzweg 1 tt uu uu dd dd
2628 CJ Delft tt uu uu dd dd
Nederland tt uu uu dd dd
tel. 31-15-2782272 tt uuuuuuu ddddddd
------------------------------------------------------------------------------<
6:56 a.m.
Jouk Jansen writes:
Hi All,
I'm trying to setup an ssh-server on F31 which logs a user in without a
password, but with a key-exchange. I generated all the keys and placed them
in the right locations. It still asks for the password.
Than comes the strange : I stoped the service by "systemctl stop sshd" and
did run "as root" /usr/sbin/sshd. And than it just worked. (tried to stop
and start with systemctl again made the passwordless login fail again)
Question : why does is work with just running "/usr/sbin/sshd" but not with
"systemctl start sshd" ?
Perhaps the actual command and set up, from sshd.service, will offer a clue:
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
That's what systemctl start sshd does.
6:59 a.m.
On Tue, 26 Nov 2019 at 08:36, Jouk Jansen <joukj(a)hrem.nano.tudelft.nl>
wrote:
Hi All,
I'm trying to setup an ssh-server on F31 which logs a user in without a
password, but with a key-exchange. I generated all the keys and placed them
in the right locations. It still asks for the password.
Than comes the strange : I stoped the service by "systemctl stop sshd" and
did run "as root" /usr/sbin/sshd. And than it just worked. (tried to stop
and start with systemctl again made the passwordless login fail again)
Question : why does is work with just running "/usr/sbin/sshd" but not with
"systemctl start sshd" ?
When your root ran /usr/sbin/sshd was the very long list of options used
when sshd is started by systemd included? I see:
$ sudo systemctl status sshd |fold
● sshd.service - OpenSSH server daemon
[...]
CGroup: /system.slice/sshd.service
└─994 /usr/sbin/sshd -D -oCiphers=aes256-gcm(a)openssh.com
,chacha20-pol
y1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm(a)openssh.com
,aes128-ctr,aes128
-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm(a)openssh.com
,umac-128-etm
@openssh.com,hmac-sha2-512-etm(a)openssh.com
,hmac-sha2-256,hmac-sha1,umac-128@open
ssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1-
-oKe
xAlgorithms=curve25519-sha256,curve25519-sha256(a)libssh.org
,ecdh-sha2-nistp256,ec
dh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-
hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha5
12,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
-oHostKeyAlgor
ithms=rsa-sha2-256,rsa-sha2-256-cert-v01(a)openssh.com
,ecdsa-sha2-nistp256,ecdsa-s
ha2-nistp256-cert-v01(a)openssh.com
,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v
01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01(a)openssh.com
,ecdsa-sha2-nistp52
1,ecdsa-sha2-nistp521-cert-v01(a)openssh.com
,ssh-ed25519,ssh-ed25519-cert-v01@open
ssh.com,ssh-rsa,ssh-rsa-cert-v01(a)openssh.com
-oPubkeyAcceptedKeyTypes=rsa-sha2-2
56,rsa-sha2-256-cert-v01(a)openssh.com
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cer
t-v01(a)openssh.com,ecdsa-sha2-nistp384,
ecdsa-sha2-nistp384-cert-v01(a)openssh.com,r
sa-sha2-512,rsa-sha2-512-cert-v01(a)openssh.com
,ecdsa-sha2-nistp521,ecdsa-sha2-nis
tp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01(a)openssh.com
,ssh-rsa,
ssh-rsa-cert-v01(a)openssh.com
-oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nis
tp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
--
George N. White III
7:31 a.m.
On 2019-11-26 20:27, Jouk Jansen wrote:
I'm trying to setup an ssh-server on F31 which logs a user in
without a
password, but with a key-exchange. I generated all the keys and placed them
in the right locations. It still asks for the password.
Than comes the strange : I stoped the service by "systemctl stop sshd" and
did run "as root" /usr/sbin/sshd. And than it just worked. (tried to stop
and start with systemctl again made the passwordless login fail again)
Question : why does is work with just running "/usr/sbin/sshd" but not with
"systemctl start sshd" ?
One thing you should check is the permissions on the ~/.ssh on the machine you're
trying to connect
to. If it is not 700 you will get the behavior you cite.
--
The key to getting good answers is to ask good questions.
10:27 a.m.
New subject: EXTERNAL: Re: sshd on F31 : strange problem with login with
keys's
On 11/26/19 8:32 AM, Ed Greshko wrote:
--
Roger Wells, P.E.
leidos
221 Third St
Newport, RI 02840
401-847-4210 (voice)
401-849-1585 (fax)
roger.k.wells(a)leidos.com
On 2019-11-26 20:27, Jouk Jansen wrote:
> I'm trying to setup an ssh-server on F31 which logs a user in without a
> password, but with a key-exchange. I generated all the keys and placed them
> in the right locations. It still asks for the password.
>
> Than comes the strange : I stoped the service by "systemctl stop sshd" and
> did run "as root" /usr/sbin/sshd. And than it just worked. (tried to stop
> and start with systemctl again made the passwordless login fail again)
>
> Question : why does is work with just running "/usr/sbin/sshd" but not
with
> "systemctl start sshd" ?
One thing you should check is the permissions on the ~/.ssh on the machine you're
trying to connect
to. If it is not 700 you will get the behavior you cite.
I've seen this on
several fedora updates. Something changes permissions
on ~/.ssh and then what you see happens
2:47 a.m.
New subject: EXTERNAL: Re: sshd on F31 : strange problem with login with
keys's
On Thu, 2019-11-28 at 16:27 +0000, Wells, Roger K. via users wrote:
On 11/26/19 8:32 AM, Ed Greshko wrote:
> On 2019-11-26 20:27, Jouk Jansen wrote:
> > I'm trying to setup an ssh-server on F31 which logs a user in
> > without a
> > password, but with a key-exchange. I generated all the keys and
> > placed them
> > in the right locations. It still asks for the password.
> >
> > Than comes the strange : I stoped the service by "systemctl stop
> > sshd" and
> > did run "as root" /usr/sbin/sshd. And than it just worked. (tried
> > to stop
> > and start with systemctl again made the passwordless login fail
> > again)
> >
> > Question : why does is work with just running "/usr/sbin/sshd"
> > but not with
> > "systemctl start sshd" ?
> One thing you should check is the permissions on the ~/.ssh on the
> machine you're trying to connect
> to. If it is not 700 you will get the behavior you cite.
I've seen this on several fedora updates. Something changes
permissions
on ~/.ssh and then what you see happens
Nothing changes permissions on updates on itself. The .ssh directory
was copied from somewhere else and it retained its SELinux context or
wrong modes.
Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
6:07 a.m.
On Tue, 2019-11-26 at 13:27 +0100, Jouk Jansen wrote:
Hi All,
I'm trying to setup an ssh-server on F31 which logs a user in without
a
password, but with a key-exchange. I generated all the keys and
placed them
in the right locations. It still asks for the password.
Than comes the strange : I stoped the service by "systemctl stop
sshd" and
did run "as root" /usr/sbin/sshd. And than it just worked. (tried to
stop
and start with systemctl again made the passwordless login fail
again)
Question : why does is work with just running "/usr/sbin/sshd" but
not with
"systemctl start sshd" ?
This sounds like an issue with selinux permissions on the authorizied
keys file or path to it. Configure sshd to run in debug mode by setting
LogLevel DEBUG3 in sshd_config, restart the service and retry. The logs
will show up in journal and in /var/log/secure pointing the reason why
your key was rejected.
Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
1609
days inactive
1612
days old
6 comments
6 participants
participants (6)
-
Ed Greshko -
George N. White III -
Jakub Jelen -
Jouk Jansen -
Sam Varshavchik -
Wells, Roger K.