Hi All,
I'm trying to set up an ssh-server on F31 which logs a user in without a password, but with a key-exchange. I generated all the keys and placed them in the right locations. It still asks for the password.
Then comes the strange part: I stopped the service by "systemctl stop sshd" and ran /usr/sbin/sshd as root. And then it just worked. (Trying to stop and start with systemctl again made the passwordless login fail again.)
Question: why does it work with just running "/usr/sbin/sshd" but not with "systemctl start sshd"?
regards Jouk
Pax, vel iniusta, utilior est quam iustissimum bellum. (free after Marcus Tullius Cicero (106 b.Chr.-46 b.Chr.) Epistularum ad Atticum 7.1.4.3)
Touch not the cat bot a glove
------------------------------------------------------------------------------
Jouk Jansen joukj@hrem.nano.tudelft.nl
Technische Universiteit Delft
Kavli Institute of Nanoscience
Nationaal centrum voor HREM
Lorentzweg 1
2628 CJ Delft
Nederland
tel. 31-15-2782272
------------------------------------------------------------------------------
Jouk Jansen writes:
> Hi All,
> I'm trying to set up an ssh-server on F31 which logs a user in without a password, but with a key-exchange. I generated all the keys and placed them in the right locations. It still asks for the password.
> Then comes the strange part: I stopped the service by "systemctl stop sshd" and ran /usr/sbin/sshd as root. And then it just worked. (Trying to stop and start with systemctl again made the passwordless login fail again.)
> Question: why does it work with just running "/usr/sbin/sshd" but not with "systemctl start sshd"?
Perhaps the actual command and set up, from sshd.service, will offer a clue:
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
That's what systemctl start sshd does.
On Tue, 26 Nov 2019 at 08:36, Jouk Jansen joukj@hrem.nano.tudelft.nl wrote:
> Hi All,
> I'm trying to set up an ssh-server on F31 which logs a user in without a password, but with a key-exchange. I generated all the keys and placed them in the right locations. It still asks for the password.
> Then comes the strange part: I stopped the service by "systemctl stop sshd" and ran /usr/sbin/sshd as root. And then it just worked. (Trying to stop and start with systemctl again made the passwordless login fail again.)
> Question: why does it work with just running "/usr/sbin/sshd" but not with "systemctl start sshd"?
When your root ran /usr/sbin/sshd, was the very long list of options used when sshd is started by systemd included? I see:
$ sudo systemctl status sshd |fold
● sshd.service - OpenSSH server daemon
[...]
   CGroup: /system.slice/sshd.service
           └─994 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-pol
y1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128
-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm
@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@open
ssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKe
xAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ec
dh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-
hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha5
12,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgor
ithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-s
ha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v
01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp52
1,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@open
ssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=rsa-sha2-2
56,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cer
t-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,r
sa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nis
tp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,
ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nis
tp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
On 2019-11-26 20:27, Jouk Jansen wrote:
> I'm trying to set up an ssh-server on F31 which logs a user in without a password, but with a key-exchange. I generated all the keys and placed them in the right locations. It still asks for the password.
> Then comes the strange part: I stopped the service by "systemctl stop sshd" and ran /usr/sbin/sshd as root. And then it just worked. (Trying to stop and start with systemctl again made the passwordless login fail again.)
> Question: why does it work with just running "/usr/sbin/sshd" but not with "systemctl start sshd"?
One thing you should check is the permissions on the ~/.ssh on the machine you're trying to connect to. If it is not 700 you will get the behavior you cite.
On 11/26/19 8:32 AM, Ed Greshko wrote:
> On 2019-11-26 20:27, Jouk Jansen wrote:
> > I'm trying to set up an ssh-server on F31 which logs a user in without a password, but with a key-exchange. I generated all the keys and placed them in the right locations. It still asks for the password.
> > Then comes the strange part: I stopped the service by "systemctl stop sshd" and ran /usr/sbin/sshd as root. And then it just worked. (Trying to stop and start with systemctl again made the passwordless login fail again.)
> > Question: why does it work with just running "/usr/sbin/sshd" but not with "systemctl start sshd"?
> One thing you should check is the permissions on the ~/.ssh on the machine you're trying to connect to. If it is not 700 you will get the behavior you cite.
I've seen this on several Fedora updates. Something changes permissions on ~/.ssh and then what you see happens.
On Thu, 2019-11-28 at 16:27 +0000, Wells, Roger K. via users wrote:
> On 11/26/19 8:32 AM, Ed Greshko wrote:
> > On 2019-11-26 20:27, Jouk Jansen wrote:
> > > I'm trying to set up an ssh-server on F31 which logs a user in without a password, but with a key-exchange. I generated all the keys and placed them in the right locations. It still asks for the password.
> > > Then comes the strange part: I stopped the service by "systemctl stop sshd" and ran /usr/sbin/sshd as root. And then it just worked. (Trying to stop and start with systemctl again made the passwordless login fail again.)
> > > Question: why does it work with just running "/usr/sbin/sshd" but not with "systemctl start sshd"?
> > One thing you should check is the permissions on the ~/.ssh on the machine you're trying to connect to. If it is not 700 you will get the behavior you cite.
> I've seen this on several Fedora updates. Something changes permissions on ~/.ssh and then what you see happens.
Nothing changes permissions on updates by itself. The .ssh directory was copied from somewhere else and it retained its SELinux context or wrong modes.
Regards,
On Tue, 2019-11-26 at 13:27 +0100, Jouk Jansen wrote:
> Hi All,
> I'm trying to set up an ssh-server on F31 which logs a user in without a password, but with a key-exchange. I generated all the keys and placed them in the right locations. It still asks for the password.
> Then comes the strange part: I stopped the service by "systemctl stop sshd" and ran /usr/sbin/sshd as root. And then it just worked. (Trying to stop and start with systemctl again made the passwordless login fail again.)
> Question: why does it work with just running "/usr/sbin/sshd" but not with "systemctl start sshd"?
This sounds like an issue with SELinux permissions on the authorized keys file or the path to it. Configure sshd to run in debug mode by setting LogLevel DEBUG3 in sshd_config, restart the service and retry. The logs will show up in the journal and in /var/log/secure, pointing to the reason why your key was rejected.
Regards,
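The two causes raised in the replies above, the mode of ~/.ssh and a wrong SELinux context, can be checked together on the server. This is an added example, not code from any poster in the thread; the function names are hypothetical, GNU stat is assumed, and `ssh_home_t` is assumed to be the expected SELinux type for ~/.ssh under Fedora's targeted policy.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print one line per mode problem under HOME_DIR/.ssh; nothing if clean.
ssh_perm_issues() {
    sshdir=$1/.ssh
    keys=$sshdir/authorized_keys
    if [ ! -d "$sshdir" ]; then echo "missing: $sshdir"; return 0; fi
    mode=$(stat -c '%a' "$sshdir")
    # The replies above name 700 as the required mode for ~/.ssh.
    [ "$mode" = "700" ] || echo "mode $mode on $sshdir (expected 700)"
    if [ ! -f "$keys" ]; then echo "missing: $keys"; return 0; fi
    mode=$(stat -c '%a' "$keys")
    # Assumption: sshd's StrictModes rejects a group/other-writable key file.
    [ $(( 0$mode & 022 )) -eq 0 ] || echo "mode $mode on $keys (group/other writable)"
}

# Print one line per path whose SELinux type is not ssh_home_t.
# Does nothing when SELinux is absent or disabled.
ssh_context_issues() {
    sshdir=$1/.ssh
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 0
    for p in "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || continue
        ctx=$(stat -c '%C' "$p")
        case $ctx in
            *:ssh_home_t:*) ;;
            *) echo "context $ctx on $p (try: restorecon -Rv $sshdir)" ;;
        esac
    done
}

# Usage: sh check.sh /home/USER   (run as root on the ssh server)
if [ -n "${1:-}" ]; then
    ssh_perm_issues "$1"
    ssh_context_issues "$1"
fi
```

A clean run prints nothing; if it does and the key is still rejected, the DEBUG3 log suggested in the last reply is the next place to look.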