[RESOLVED] Can't activate public key auth on SSH

Postby 5AMsan » Sat Jan 28, 2023 11:40 am

Hello,

It seems RSA public key auth is not working on my NAS, although password auth does.
I successfully added my public key in the dedicated form using the full access option. The key is indeed listed in the public key list.
I tried restarting my NAS after changing the SSH conf, without success; I keep getting a "permission denied" error.
I found two topics on this forum that didn't help that much.
The SSH client is a WSL Kali Linux. The key is like "SSH-RSA #KEY# root@hostname".

Also, I must add "-oHostKeyAlgorithms=+ssh-rsa" argument to connect to NAS or get "unable to negotiate" error.


Any thoughts welcome!

Nice day to all of you.
Last edited by 5AMsan on Sun Jan 29, 2023 9:33 am, edited 1 time in total.
5AMsan
Donator VIP
Posts: 7
Joined: Mon Feb 20, 2017 9:51 pm

Re: Can't activate public key auth on SSH

Postby Jocko » Sat Jan 28, 2023 10:39 pm

Hi

Enable the debug mode.
Code:
debugon
Then, when you try to use your key, you should get information in
Code:
cat /var/log/messages
For example, if your key is not strong enough.

Note: remember to disable the debug mode after testing.
Jocko
Site Admin - expert
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: Can't activate public key auth on SSH

Postby 5AMsan » Sun Jan 29, 2023 9:09 am

Thank you, Jocko, for the debugging tips.
There are indeed some issues with dropbear.
Some warnings about the key format also appear, but it looks OK.

Here's the relevant part of the logs

Code:
Jan 29 09:46:44 lacie local0.warn API[2023/01/29 09:46:44] nasapi.inc(49)[2453]: calling 'mrvlDropbearSetStatus key 22'
Jan 29 09:46:44 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/usr/bin/mv -f /rw_fs/etc/nas_conf_db.xml.update /rw_fs/etc/nas_conf_db.xml
Jan 29 09:46:44 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/usr/bin/mv -f /rw_fs/etc/nas_conf_db.xml.try /rw_fs/etc/nas_conf_db.xml.bak
Jan 29 09:46:44 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 755 /rw_fs/etc/dropbear
Jan 29 09:46:44 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 600 /rw_fs/etc/dropbear/dropbear_rsa_host_key
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/touch /rw_fs/tmp/var/log/lastlog
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/touch /rw_fs/tmp/var/run/utmp
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/usr/bin/unlink /etc/rootcheck
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/usr/bin/sudo chmod 777 /rw_fs/.ssh
Jan 29 09:46:45 lacie authpriv.notice sudo:     root : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 777 /rw_fs/.ssh
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 755 /rw_fs/.ssh
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/mv /rw_fs/.ssh/authorized_keys_disable /rw_fs/.ssh/authorized_keys
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/usr/bin/sudo chmod 700 /rw_fs/.ssh
Jan 29 09:46:45 lacie authpriv.notice sudo:     root : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 700 /rw_fs/.ssh
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/dropbear -s -p 22 -r /rw_fs/etc/dropbear/dropbear_rsa_host_key
Jan 29 09:46:45 lacie authpriv.warn dropbear[5063]: Failed loading /etc/dropbear/dropbear_dss_host_key
Jan 29 09:46:45 lacie authpriv.warn dropbear[5063]: Failed loading /etc/dropbear/dropbear_ecdsa_host_key
Jan 29 09:46:45 lacie authpriv.info dropbear[5064]: Running in background
Jan 29 09:46:45 lacie authpriv.notice sudo:   ...
Jan 29 09:46:45 lacie daemon.info avahi-daemon [..]
Jan 29 09:46:45 lacie local0.warn API[2023/01/29 09:46:45] nasapi.inc(484)[2453]: mrvlDropbearSetStatus Return Code: 0
Jan 29 09:46:45 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/ps -ef
Jan 29 09:46:48 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 777 /rw_fs/.ssh
Jan 29 09:46:48 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 777 /rw_fs/.ssh/authorized_keys
Jan 29 09:46:48 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 0644 /rw_fs/.ssh/authorized_keys
Jan 29 09:46:48 lacie authpriv.notice sudo:   nobody : TTY=unknown ; PWD=/usr/htdocs/global ; USER=root ; COMMAND=/bin/chmod 700 /rw_fs/.ssh
Jan 29 09:46:54 lacie authpriv.info dropbear[5125]: Child connection from 192.168.1.129:35758
Jan 29 09:46:54 lacie authpriv.info dropbear[5125]: Exit before auth (user 'root', 0 fails): Exited normally


--- EDIT ---

OK! Got the error with the ssh -v arg, didn't think about this one before... Sorry.

So `ssh -v [...]` said:
Code:
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/samsan/.ssh/id_ecdsa
debug1: Trying private key: /home/samsan/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/samsan/.ssh/id_ed25519
debug1: Trying private key: /home/samsan/.ssh/id_ed25519_sk
debug1: Trying private key: /home/samsan/.ssh/id_xmss
debug1: Trying private key: /home/samsan/.ssh/id_dsa
debug1: No more authentication methods to try.
Last edited by 5AMsan on Sun Jan 29, 2023 10:24 am, edited 1 time in total.
5AMsan
Donator VIP
Posts: 7
Joined: Mon Feb 20, 2017 9:51 pm

Re: Can't activate public key auth on SSH

Postby 5AMsan » Sun Jan 29, 2023 9:32 am

OK!

Thanks to Jocko for pointing me in the right direction by enabling FW debug mode.

The final fix was to add options to the ssh command. I ended up with this command:
Code:
ssh root@lacie -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa


Or in .ssh/config
Code:
Host lacie
        Hostname lacie
        User root
        HostKeyAlgorithms ssh-rsa
        PubkeyAcceptedAlgorithms ssh-rsa
5AMsan
Donator VIP
Posts: 7
Joined: Mon Feb 20, 2017 9:51 pm

Re: [RESOLVED] Can't activate public key auth on SSH

Postby Jocko » Tue Jan 31, 2023 8:11 am

Hi

I'm going to implement authentication with dsa/ecdsa keys.
Jocko
Site Admin - expert
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: [RESOLVED] Can't activate public key auth on SSH

Postby Jocko » Tue Jan 31, 2023 3:50 pm

So it is done.

Can you test it ?

To install the modified files, run this from a shell window:
Code:
plugout download 7069
tar -xf /tmp/fvdw-sl-18-2-ssh-key-31jan2023.tgz -C /

Reboot the NAS (which will create new private keys for dropbear) and try to connect without the options '-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa' and/or remove them from your .ssh/config file. Then your client should use ecdsa key exchange.
Jocko
Site Admin - expert
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: [RESOLVED] Can't activate public key auth on SSH

Postby 5AMsan » Wed Feb 01, 2023 4:41 pm

Sure, will test it while on remote work tomorrow. I'll report back here as soon as possible.
5AMsan
Donator VIP
Posts: 7
Joined: Mon Feb 20, 2017 9:51 pm

Re: [RESOLVED] Can't activate public key auth on SSH

Postby 5AMsan » Wed Feb 01, 2023 8:26 pm

Here are the results.

Attempt with RSA without the optional args failed:
Code:
ssh -v root@lacie
OpenSSH_9.1p1 Debian-1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /home/samsan/.ssh/config
debug1: /home/samsan/.ssh/config line 1: Applying options for lacie
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to lacie.local [192.168.1.230] port 22.
debug1: Connection established.
debug1: identity file /home/samsan/.ssh/id_rsa type 0
debug1: identity file /home/samsan/.ssh/id_rsa-cert type -1
debug1: identity file /home/samsan/.ssh/id_ecdsa type -1
debug1: identity file /home/samsan/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/samsan/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/samsan/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/samsan/.ssh/id_ed25519 type -1
debug1: identity file /home/samsan/.ssh/id_ed25519-cert type -1
debug1: identity file /home/samsan/.ssh/id_ed25519_sk type -1
debug1: identity file /home/samsan/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/samsan/.ssh/id_xmss type -1
debug1: identity file /home/samsan/.ssh/id_xmss-cert type -1
debug1: identity file /home/samsan/.ssh/id_dsa type -1
debug1: identity file /home/samsan/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version dropbear_2014.63
debug1: compat_banner: no match: dropbear_2014.63
debug1: Authenticating to lacie.local:22 as 'root'
debug1: load_hostkeys: fopen /home/samsan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:sol4pjgag9aQJYPpk6HrZyHcBEuhf3NgYYFl9GJ/oUY
debug1: load_hostkeys: fopen /home/samsan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'lacie.local' is known and matches the ECDSA host key.
debug1: Found key in /home/samsan/.ssh/known_hosts:134
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/samsan/.ssh/id_rsa RSA SHA256:vPGxS/qoatqVeq8Jb6jk4hGFGwd9MEawvUo8RA79dSU
debug1: Will attempt key: /home/samsan/.ssh/id_ecdsa
debug1: Will attempt key: /home/samsan/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/samsan/.ssh/id_ed25519
debug1: Will attempt key: /home/samsan/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/samsan/.ssh/id_xmss
debug1: Will attempt key: /home/samsan/.ssh/id_dsa
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/samsan/.ssh/id_rsa RSA SHA256:vPGxS/qoatqVeq8Jb6jk4hGFGwd9MEawvUo8RA79dSU
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Trying private key: /home/samsan/.ssh/id_ecdsa
debug1: Trying private key: /home/samsan/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/samsan/.ssh/id_ed25519
debug1: Trying private key: /home/samsan/.ssh/id_ed25519_sk
debug1: Trying private key: /home/samsan/.ssh/id_xmss
debug1: Trying private key: /home/samsan/.ssh/id_dsa
debug1: No more authentication methods to try.
root@lacie.local: Permission denied (publickey).


Created key with
Code:
ssh-keygen -t dsa -b 1024

Connection with new id:
Code:
ssh -i .ssh/id_dsa -v root@lacie
OpenSSH_9.1p1 Debian-1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /home/samsan/.ssh/config
debug1: /home/samsan/.ssh/config line 1: Applying options for lacie
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to lacie.local [192.168.1.230] port 22.
debug1: Connection established.
debug1: identity file .ssh/id_dsa type 1
debug1: identity file .ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version dropbear_2014.63
debug1: compat_banner: no match: dropbear_2014.63
debug1: Authenticating to lacie.local:22 as 'root'
debug1: load_hostkeys: fopen /home/samsan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:sol4pjgag9aQJYPpk6HrZyHcBEuhf3NgYYFl9GJ/oUY
debug1: load_hostkeys: fopen /home/samsan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'lacie.local' is known and matches the ECDSA host key.
debug1: Found key in /home/samsan/.ssh/known_hosts:134
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Skipping ssh-dss key .ssh/id_dsa - corresponding algo not in PubkeyAcceptedAlgorithms
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: No more authentication methods to try.


Created key with
Code:
ssh-keygen -t ecdsa

Connection with new id:
Code:
ssh -i .ssh/id_ecdsa -v root@lacie
OpenSSH_9.1p1 Debian-1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /home/samsan/.ssh/config
debug1: /home/samsan/.ssh/config line 1: Applying options for lacie
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to lacie.local [192.168.1.230] port 22.
debug1: Connection established.
debug1: identity file .ssh/id_ecdsa type 2
debug1: identity file .ssh/id_ecdsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.1p1 Debian-1
debug1: Remote protocol version 2.0, remote software version dropbear_2014.63
debug1: compat_banner: no match: dropbear_2014.63
debug1: Authenticating to lacie.local:22 as 'root'
debug1: load_hostkeys: fopen /home/samsan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:sol4pjgag9aQJYPpk6HrZyHcBEuhf3NgYYFl9GJ/oUY
debug1: load_hostkeys: fopen /home/samsan/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'lacie.local' is known and matches the ECDSA host key.
debug1: Found key in /home/samsan/.ssh/known_hosts:134
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: .ssh/id_ecdsa ECDSA SHA256:FuMkKUAxXtwSf9xiWf6pO25rO/Iomz3E26s+k6MEvbA explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_ecdsa ECDSA SHA256:FuMkKUAxXtwSf9xiWf6pO25rO/Iomz3E26s+k6MEvbA explicit
debug1: Server accepts key: .ssh/id_ecdsa ECDSA SHA256:FuMkKUAxXtwSf9xiWf6pO25rO/Iomz3E26s+k6MEvbA explicit
Authenticated to lacie.local ([192.168.1.230]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.UTF-8"

So the second worked.
5AMsan
Donator VIP
Posts: 7
Joined: Mon Feb 20, 2017 9:51 pm
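The three `ssh -v` transcripts above show three different failure signatures, and the thread's fix post and the key-generation tests each answer one of them. What follows is an added example, not code from the thread or from the fvdw-sl firmware: a small POSIX shell diagnostic that maps the message in an `ssh -v` transcript to a diagnosis and prints the narrowest client-side change for it. The function names, the host name `lacie`, the sample transcripts and the key lines are constructed for this example; the strings it matches are the ones the OpenSSH client prints. Background the example relies on: OpenSSH 8.8 stopped offering SHA-1 `ssh-rsa` signatures by default (the RSA key itself stays usable with `rsa-sha2-256/512`), a server that only knows SHA-1 RSA signatures therefore produces "no mutual signature algorithm", and `ssh-dss` has been disabled in the client by default since OpenSSH 7.0, which is the "corresponding algo not in PubkeyAcceptedAlgorithms" line. One caveat the generated stanza encodes: `+ssh-rsa` appends the legacy algorithm to the default list for that host only, whereas a bare `ssh-rsa` replaces the list and disables every stronger algorithm for that host.

```shell
#!/bin/sh
# Added example (not from the thread or the fvdw-sl firmware): classify the
# failure in an `ssh -v` transcript and print the narrowest client-side fix.
# Host name "lacie", the sample transcripts and the key lines are constructed.

# Read one `ssh -v` transcript from stdin and print a short diagnosis code.
# Order matters: a SHA-1-only server prints both "no mutual signature
# algorithm" and "Permission denied", so the specific message is tested first.
classify_ssh_debug() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'Server accepts key'; then
        echo ok
    elif printf '%s\n' "$transcript" | grep -q 'no mutual signature algorithm'; then
        # Client offers rsa-sha2-256/512 only; server knows only ssh-rsa (SHA-1).
        echo server-sha1-rsa-only
    elif printf '%s\n' "$transcript" | grep -q 'not in PubkeyAcceptedAlgorithms'; then
        # The client itself refused to offer the key type (ssh-dss here).
        echo client-disabled-key-type
    elif printf '%s\n' "$transcript" | grep -q 'Permission denied (publickey)'; then
        # Key was offered and the server declined it: check authorized_keys
        # and the server-side log (e.g. /var/log/messages after `debugon`).
        echo server-rejected-key
    else
        echo unknown
    fi
}

# Print the ssh_config stanza matching a diagnosis, scoped to one host.
# "+ssh-rsa" appends the legacy algorithm to the default list; a bare
# "ssh-rsa" would replace the list and disable every stronger algorithm.
recommend_fix() {
    host=$1
    case "$2" in
        ok) echo "# no change needed" ;;
        server-sha1-rsa-only)
            printf 'Host %s\n    PubkeyAcceptedAlgorithms +ssh-rsa\n    HostKeyAlgorithms +ssh-rsa\n' "$host" ;;
        client-disabled-key-type)
            echo "# use a key type both sides accept, e.g.: ssh-keygen -t ecdsa" ;;
        server-rejected-key)
            echo "# confirm the key is in authorized_keys on $host and read the server log" ;;
        *) echo "# rerun with ssh -vvv and inspect the transcript" ;;
    esac
}

# Extract the algorithm name from an authorized_keys/public-key line, which is
# "[options] type base64 [comment]". Options containing spaces inside quotes
# are not handled; they are rare in hand-maintained files.
key_type() {
    for field in $1; do
        case "$field" in
            ssh-*|ecdsa-*|sk-*) echo "$field"; return 0 ;;
        esac
    done
    echo unknown
}

# Whether an OpenSSH 8.8+ client offers this key type with default settings.
client_offers_by_default() {
    case "$1" in
        ssh-dss) echo no ;;             # disabled by default since OpenSSH 7.0
        ssh-rsa) echo rsa-sha2-only ;;  # key is fine, SHA-1 signatures are not offered
        ecdsa-*|ssh-ed25519|sk-*) echo yes ;;
        *) echo unknown ;;
    esac
}

# Constructed excerpts in the shape of an OpenSSH 9.x `ssh -v` transcript.
SAMPLE_RSA_FAIL='debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:EXAMPLE
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
root@lacie: Permission denied (publickey).'
SAMPLE_DSA_FAIL='debug1: Skipping ssh-dss key .ssh/id_dsa - corresponding algo not in PubkeyAcceptedAlgorithms
debug1: No more authentication methods to try.'
SAMPLE_ECDSA_OK='debug1: Offering public key: .ssh/id_ecdsa ECDSA SHA256:EXAMPLE explicit
debug1: Server accepts key: .ssh/id_ecdsa ECDSA SHA256:EXAMPLE explicit
Authenticated to lacie ([192.0.2.10]:22) using "publickey".'

# Stand-alone run: diagnose each sample and print the matching fix.
main() {
    for sample in "$SAMPLE_RSA_FAIL" "$SAMPLE_DSA_FAIL" "$SAMPLE_ECDSA_OK"; do
        diag=$(printf '%s\n' "$sample" | classify_ssh_debug)
        echo "diagnosis: $diag"
        recommend_fix lacie "$diag"
    done
}
main
```

Usage: pipe a real transcript in with `ssh -v root@lacie 2>&1 | classify_ssh_debug` after sourcing the file. The stanza it prints is the scoped equivalent of the `-o` options in the fix post; because it is under a `Host` block and uses `+`, other hosts and the stronger defaults are unaffected, and removing the block once the server is updated restores the client to its defaults.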

Re: [RESOLVED] Can't activate public key auth on SSH

Postby Jocko » Thu Feb 02, 2023 1:04 pm

Hi

So there is an issue with dsa key support.
First, after creating your dsa key, did you import its public key on the NAS side?

Otherwise, please post the output of
Code:
ps axf|grep dropbear
You should have the option '-r /rw_fs/etc/dropbear/dropbear_dss_host_key' in the dropbear command line.
Note: a dss key is also a dsa key (uses the same encryption method).
Jocko
Site Admin - expert
Posts: 11367
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: [RESOLVED] Can't activate public key auth on SSH

Postby 5AMsan » Thu Feb 02, 2023 5:03 pm

Yes, I added both the DSA and ECDSA keys (obviously).
Indeed the dss key option is present
Code:
 1928 ?        Ss     0:00 dropbear -s -p 22 -r /rw_fs/etc/dropbear/dropbear_rsa_host_key -r /rw_fs/etc/dropbear/dropbear_dss_host_key -r /rw_fs/etc/dropbear/dropbear_ecdsa_host_key


But IMHO, using ssh options is a totally legit way to work with it.
5AMsan
Donator VIP
Posts: 7
Joined: Mon Feb 20, 2017 9:51 pm

