Permission denied (publickey) whereas the public key has been inserted into ~/.ssh/authorized_keys: "usePAM no" issue
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
Security vulnerability because I cannot use SSH to connect to my Ubuntu host from an Ubuntu guest. Is Telnet the last option?
However, I can connect through the same port at the same IP address from a Windows 10 guest using the latest WinSCP software.
OpenSSH Server: 4.2.0-19-generic #23-Ubuntu SMP Wed Nov 11 11:39:30 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
with openssh-server 6.9p1-2
OpenSSH client: 4.2.0-19-generic #23-Ubuntu SMP Wed Nov 11 11:39:30 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
with openssh-client 6.9p1-2
Trace of the failed SSH connection:
-------
root@stack:~/.ssh# ssh -v -p xxxx root@172.19.100.1
OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 172.19.100.1 [172.19.100.1] port xxxx.
debug1: Connection established.
debug1: key_load_
debug1: key_load_
debug1: key_load_
debug1: key_load_
debug1: key_load_
debug1: key_load_
debug1: key_load_
debug1: permanently_
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.
debug1: identity file /root/.
debug1: key_load_public: No such file or directory
debug1: identity file /root/.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1 Ubuntu-2
debug1: match: OpenSSH_6.9p1 Ubuntu-2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 172.19.100.1:xxxx as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes192-ctr <email address hidden> none
debug1: kex: client->server aes192-ctr <email address hidden> none
debug1: SSH2_MSG_
debug1: got SSH2_MSG_
debug1: SSH2_MSG_
debug1: got SSH2_MSG_
debug1: Server host key: ssh-ed25519 SHA256:
debug1: checking without port identifier
The authenticity of host '[172.19.
ED25519 key fingerprint is SHA256:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.19.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_
debug1: SSH2_MSG_
*******
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
*******
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Offering ED25519 public key: /root/.
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
However, on the guest:
-------
root@stack:~/.ssh# ls -al
total 40
drwx------ 2 root root 4096 Dec 2 23:58 .
drwx------ 20 root root 4096 Nov 22 19:47 ..
-rw------- 1 root root 2 Dec 2 23:58 authorized_keys
-rw------- 1 root root 464 Dec 2 23:39 id_ed25519
-rw-r--r-- 1 root root 99 Dec 2 23:39 id_ed25519.pub
-rw------- 1 root root 1766 Dec 2 23:32 id_rsa
-rw-r--r-- 1 root root 399 Dec 2 23:32 id_rsa.pub
-rw-r--r-- 1 root root 142 Dec 2 23:59 known_hosts
On the server:
-------
root@msi-
total 308
drwx------ 2 root root 4096 Dec 3 00:22 .
drwxr-xr-x 192 root root 12288 Dec 2 23:24 ..
-rw------- 1 root root 1251 Jan 24 2015 banner-warning.txt
-rw------- 1 root root 263002 Sep 11 11:33 moduli
-rw------- 1 root root 2448 Dec 2 23:53 ssh_config
-rw------- 1 root root 3554 Dec 2 18:17 sshd_config
-rw------- 1 root root 411 Dec 2 18:21 ssh_host_
-rw-r--r-- 1 root root 102 Dec 2 18:21 ssh_host_
-rw------- 1 root root 1675 Nov 25 17:00 ssh_host_rsa_key
-rw------- 1 root root 402 Nov 25 17:00 ssh_host_
-rw------- 1 root root 338 Oct 24 22:37 ssh_import_id
-rw------- 1 root root 0 Nov 25 19:41 ssh_known_hosts
and regarding the authorized keys for the root account:
root@msi-
ssh-rsa xxxxxxxxxxxxxxx
ssh-rsa xxxxxxxxxxxxxxx
ssh-ed25519 xxxxxxxxxxxxxxx
Since I'm not using default settings on the server & the client, I'm posting them here, except for the new SSH port number (!= 22):
/etc/ssh/sshd_config on the server:
-------
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port xxxx
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key
# HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Self-Signed Certificate
# HostCertificate /root/.ssl/myCA/certs/openssh_server_crt.pem
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 2048
# OpenSSH server logs to the AUTH facility of syslog, at the INFO level.
# If you want to record more information - such as failed login attempts
# - you should increase the logging level to VERBOSE. All the details of
# ssh login attempts will be saved in your /var/log/auth.log
# By default LogLevel INFO
LogLevel VERBOSE
SyslogFacility AUTH
# Setting a lower login grace time (time to keep pending connections alive
# while waiting for authorization) can be a good idea as it frees up
# pending connections quicker but at the expense of convenience.
LoginGraceTime 30
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication yes
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords and password authentication
# With no, only RSA public keys authentication is allowed
#PasswordAuthentication yes
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60 by default
# Allow two pending connections. Between the third and tenth connection
# the system will start randomly dropping connections from 30% up to 100%
# at the tenth simultaneous connection.
MaxStartups 2:30:10
Banner /etc/ssh/banner-warning.txt
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
...
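The settings in this dump (PubkeyAuthentication, StrictModes, PermitRootLogin, and the UsePAM line the title refers to) are what a troubleshooter cross-checks when publickey login fails even though the server's authorized_keys is populated. The following Python auditor is an added example, not code from the bug report or from OpenSSH: it resolves an sshd_config the way sshd does for plain keywords (comments skipped, keywords case-insensitive, "Key value" or "Key=value", first value for a keyword wins), reports the options that gate publickey login, validates each authorized_keys line by decoding its blob and checking that the wire type matches the declared type, and applies the StrictModes ownership/mode rule. The sample config and key file are constructed to mirror the report; the ed25519 blob is a structurally valid placeholder built from zero bytes, not a real key, and the masked `ssh-rsa xxxxxxxxxxxxxxx` line reproduces the redacted lines above to show that such a line is rejected.

```python
"""Audit an sshd_config and an authorized_keys file for the settings that decide
whether publickey login can succeed. Added example; inputs are constructed and
the key material is a placeholder, not a real key."""
import base64
import re
import struct

# Constructed excerpt mirroring the report's settings. The second LogLevel line is
# deliberate: sshd keeps the FIRST value it reads for a keyword, so INFO is ignored.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 2222
LogLevel VERBOSE
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
LogLevel INFO
"""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data):
    """Encode bytes as an SSH wire string: 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


# Structurally valid ed25519 blob (type string + 32 zero bytes); placeholder, not a key.
PLACEHOLDER_ED25519 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()

# Constructed authorized_keys: one good entry, one masked entry like the report's
# "ssh-rsa xxxxxxxxxxxxxxx" lines, which sshd cannot decode.
SAMPLE_AUTHORIZED_KEYS = f"""\
# placeholder keys, not real
ssh-ed25519 {PLACEHOLDER_ED25519} user@guest
ssh-rsa xxxxxxxxxxxxxxx user@guest
"""


def parse_sshd_config(text):
    """Resolve plain keywords as sshd does: comments skipped, case-insensitive, first wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break  # Match blocks depend on the connection; stop at the first one
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        effective.setdefault(m.group(1).lower(), m.group(2).strip())
    return effective


def audit_config(effective):
    """Findings on the options that gate publickey login (upstream 6.9 defaults)."""
    def get(key, default):
        return effective.get(key, default).lower()
    findings = []
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication no: publickey method refused outright")
    if get("usepam", "no") == "no":
        findings.append("UsePAM no: PAM account/session modules are skipped; only sshd's "
                        "built-in account checks apply")
    if get("strictmodes", "yes") == "yes":
        findings.append("StrictModes yes: home, ~/.ssh and authorized_keys must be owned by "
                        "the user or root and not group/world writable, else keys are ignored")
    return findings


def parse_authorized_keys(text):
    """Return (accepted, rejected); a blob must decode to wire format naming its declared type."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # options with quoted spaces would need a real tokenizer
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            rejected.append((lineno, "no recognised key type followed by a blob"))
            continue
        ktype, b64 = fields[idx], fields[idx + 1]
        try:
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            wire_type = blob[4:4 + n].decode("ascii")
        except (ValueError, struct.error):
            rejected.append((lineno, "blob is not valid base64 / SSH wire format"))
            continue
        if wire_type != ktype:
            rejected.append((lineno, f"declared {ktype} but blob encodes {wire_type!r}"))
            continue
        accepted.append((ktype, " ".join(fields[idx + 2:])))
    return accepted, rejected


def check_strict_modes(entries, user_uid):
    """StrictModes rule over (path, st_mode, st_uid): reject paths not owned by the
    user or root, or group/world writable (home, ~/.ssh, authorized_keys)."""
    return [p for p, mode, uid in entries if uid not in (0, user_uid) or mode & 0o022]
```

Run against a real host, `parse_sshd_config(open("/etc/ssh/sshd_config").read())` gives the same first-wins resolution as `sshd -T` for non-Match keywords; `os.stat` on the home directory, `~/.ssh` and `authorized_keys` supplies the `(path, st_mode, st_uid)` triples for `check_strict_modes`. In the report's `ls -al` output both the directory (`drwx------`, root) and the file (`-rw-------`, root) satisfy StrictModes, which is why the permission check is not where that investigation would stop.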