Setting up local_keys for external hosts


Patrick Devine

Aug 1, 2017, 11:16:56 AM
to SIMP Q&A Forum
I have an external host that does an automated push/pull with one of my SIMP boxes. I would like to enable two SSH keys so that the two users that connect to my SIMP box do so via the key vs. a login. I have generated the RSA key with ssh-keygen, copied it over to my SIMP box and put the key in /etc/ssh/local_keys/<USERNAME>. When I try to ssh to the SIMP box I am still getting prompted for a password, and this message pops up in my auditd.log:

2017-08-01T15:08:11+00:00 hostname audispd: node=hostname  type=USER_LOGIN msg=audit(1501600091.891:26185): pid=20838 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=IP terminal=ssh res=failed'

Here is what I ref for this.


Is there something in the PAM module I need to enable to allow cert-based auth against a SIMP host?

Thanks

Nick Miller

Aug 1, 2017, 11:32:00 AM
to Patrick Devine, SIMP Q&A Forum
Hello Patrick!

Can you try sshing to the box with a little more verbosity? Try `ssh -v` or `ssh -vvv`. This output should let us know what authentication methods the client is trying against the server. Also, can you run through this page: http://simp.readthedocs.io/en/master/user_guide/Troubleshooting/Why_Cant_I_Login.html and make sure you are allowing the user to log in with `pam::access::manage`?

Thanks,
Nick Miller

--
You received this message because you are subscribed to the Google Groups "SIMP Q&A Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simp+uns...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simp/f65a4147-6432-452d-8f9c-3b312a6b96bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--

Nicholas Miller
Consultant | Onyx Point, Inc.

7050 Hi Tech Drive, Suite 102

Hanover, MD. 21076
e: nick....@onyxpoint.com
w: 443-655-3675

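
Added example, not SIMP's own code and not from either poster: a POSIX shell check for the server-side conditions that have to hold before sshd will use a key dropped into a per-user file outside the home directory. It assumes the SIMP layout of `AuthorizedKeysFile /etc/ssh/local_keys/%u` (an assumption; confirm it in the host's sshd_config) and GNU `stat`. The function names, the key blobs and the paths in the demo are constructed here.

```shell
#!/bin/sh
# Added example, not SIMP project code. Verifies the conditions sshd needs
# before a key in a per-user file outside $HOME will be used. Assumes SIMP's
# "AuthorizedKeysFile /etc/ssh/local_keys/%u" layout and GNU stat.
#
# usage: check_local_key KEYDIR LOGIN_USER CLIENT_PUBKEY_FILE
# exit status: 0 usable, 1 no file for that login name, 2 StrictModes would
#              reject it (owner or write bits), 3 file exists but the key is
#              not in it, 4 client public key unreadable
check_local_key() {
    keydir=$1; user=$2; pub=$3
    keyfile="$keydir/$user"

    # sshd expands %u to the *login* name: a plain "ssh host" from a root shell
    # makes sshd read $keydir/root, whatever user the key was meant for.
    [ -f "$keyfile" ] || { echo "no key file $keyfile"; return 1; }

    # With StrictModes (the default) sshd ignores a key file that is owned by
    # neither root nor the login user, or that is group/world-writable, and
    # applies the same test to the directory holding it.
    for p in "$keydir" "$keyfile"; do
        owner=$(stat -c '%U' "$p"); mode=$(stat -c '%a' "$p")
        case "$owner" in root|"$user") ;; *) echo "bad owner $owner on $p"; return 2 ;; esac
        other=${mode#"${mode%?}"}; rest=${mode%?}; group=${rest#"${rest%?}"}
        case "$group$other" in *[2367]*) echo "group/world writable: $p (mode $mode)"; return 2 ;; esac
    done

    # sshd matches on key type + base64 blob; the comment field is ignored, so
    # a key copied with a different comment still matches, but a wrapped or
    # truncated blob does not. Leading options (from=, command=) are skipped.
    want=$(awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print $1, $2; exit }' "$pub" 2>/dev/null)
    [ -n "$want" ] || { echo "unreadable public key $pub"; return 4; }
    if awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 1; i < NF; i++) if (($i " " $(i+1)) == want) found = 1 }
        END { exit !found }' "$keyfile"
    then
        echo "key present in $keyfile"; return 0
    fi
    echo "key not present in $keyfile"; return 3
}

# Demo on a constructed tree; the key blob below is a placeholder, not a real key.
demo() {
    tmp=$(mktemp -d); me=$(id -un)
    mkdir -m 755 "$tmp/local_keys"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0SAMPLE== client\n' > "$tmp/id_rsa.pub"
    printf '# local_keys for %s\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0SAMPLE== pushhost\n' "$me" \
        > "$tmp/local_keys/$me"
    chmod 644 "$tmp/local_keys/$me"
    check_local_key "$tmp/local_keys" "$me"       "$tmp/id_rsa.pub"   # usable
    check_local_key "$tmp/local_keys" nosuchuser  "$tmp/id_rsa.pub"   # login name has no file
    chmod 664 "$tmp/local_keys/$me"
    check_local_key "$tmp/local_keys" "$me"       "$tmp/id_rsa.pub"   # group-writable
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check_local_key.sh demo` to see the three outcomes, or point it at the real directory with the login name the remote side will actually use and the client's `.pub` file. The exit status separates a missing file (the login name does not match the file name), a permissions problem that StrictModes would silently reject, and a key that simply is not in the file; all three look identical from the client, which only sees a password prompt.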


Patrick Devine

Aug 2, 2017, 9:13:30 AM
to SIMP Q&A Forum
I am thinking it is a PAM rule that I haven't figured out yet. The user I am trying to ssh with is in LDAP and an admin group. The admin group has a pam access rule assigned to all my VMs so I can get in using my userid / password combo. I am wondering if a new rule has to be created for key-based auth.

Here is the verbose output from my sshing. 

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 2: Applying options for *
debug3: ciphers ok: [aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr]
debug3: key names ok: [ssh-rsa,ssh-dss]
debug3: macs ok: [hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-sha2-512,hmac-sha2-256]
debug2: ssh_connect: needpriv 0
debug1: Connecting to Hostname[HostIP] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: zl...@openssh.com,zlib,none
debug2: kex_parse_kexinit: zl...@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve255...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-sha2-512,hmac-sha2-256
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client aes25...@openssh.com <implicit> none
debug1: kex: client->server aes25...@openssh.com <implicit> none
debug1: kex: curve255...@libssh.org need=32 dh_need=32
debug1: kex: curve255...@libssh.org need=32 dh_need=32
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA KEY
debug3: load_hostkeys: loading entries for host "Hostname" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "'HostIP" from file "/root/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'Hostname' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x7f2cbf4cab20),
debug2: key: /root/.ssh/id_dsa ((nil)),
debug2: key: /root/.ssh/id_ecdsa ((nil)),
debug2: key: /root/.ssh/id_ed25519 ((nil)),
debug3: input_userauth_banner
Warning Banner stuff. 
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,hostbased,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: hostbased,keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Prompt for password.
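
Added example, not from the thread's participants or the SIMP project: a small awk-based reader for output like the above that turns the userauth lines into a verdict. The line to look for is `Server accepts key:`; its absence between `Offering RSA public key:` and `Next authentication method: password` means sshd never matched the offered key against the authorized keys file it read for the login user, which is a different failure from a key that is accepted and then refused in the PAM account phase (where `pam_access` rules apply). It assumes the OpenSSH 6.x client wording as pasted; the function name and the sample excerpt are constructed here.

```shell
#!/bin/sh
# Added example, not SIMP project code. Classifies the userauth part of an
# "ssh -v" transcript. Assumes OpenSSH 6.x client wording (as in the thread).
#
# usage: ssh_auth_verdict < debug.log
# prints one verdict line; exit status 0 only if publickey auth succeeded
ssh_auth_verdict() {
    awk '
        /Offering( RSA| DSA| ECDSA| ED25519)? public key:/ { offered++; last_key = $NF }
        /Server accepts key:/                      { accepted = 1 }
        /Authentication succeeded \(publickey\)/   { ok = 1 }
        /Next authentication method: password/     { fell_back = 1 }
        /Authentications that can continue:/       { methods = $NF }
        /identity file \/root\/\.ssh\//            { as_root = 1 }   # client runs as root
        END {
            if (ok) { print "publickey accepted: " last_key; exit 0 }
            if (accepted) {
                # sshd matched the key and then refused the session: with UsePAM the
                # PAM account phase (pam_access and friends) runs after the key check
                print "publickey " last_key " accepted by sshd but login refused afterwards: check the PAM account phase (pam_access)"
                exit 1
            }
            if (offered && fell_back) {
                # no "Server accepts key" between the offer and the fallback: the key
                # is not in the authorized keys file sshd read for the login user
                msg = "publickey " last_key " offered but not matched by sshd; fell back to password"
                if (as_root) msg = msg " (client is root, so the login user is root unless user@host was given)"
                print msg
                exit 1
            }
            if (!offered) { print "no key offered; server allows: " methods; exit 1 }
            print "undetermined"; exit 1
        }'
}

# Constructed excerpt modelled on the transcript in this thread: root's shell,
# one RSA key offered, no acceptance, password prompt.
demo() {
    ssh_auth_verdict <<'EOF'
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}
case "${1:-}" in demo) demo ;; esac
```

Usage: `ssh -v user@host 2>&1 | sh ssh_auth_verdict.sh` after saving the function, or `sh ssh_auth_verdict.sh demo` for the constructed excerpt. The "not matched" verdict points at the server's key file (name, permissions, contents) rather than at PAM; the "accepted but refused afterwards" verdict is the one where `pam::access::manage` and the rest of the account stack are worth checking.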

Nick Miller

Aug 2, 2017, 9:38:15 AM
to Patrick Devine, SIMP Q&A Forum
If this is an LDAP user, have you tried adding an ssh key to their entry in LDAP?


Trevor Vaughan

Aug 2, 2017, 10:24:14 AM
to Nick Miller, Patrick Devine, SIMP Q&A Forum
There are a couple of things here that might be causing issues.

1) I see that you're ssh'ing out as root, are you trying to ssh *in* as root? If so, the root user cannot login to SIMP systems directly

2) Are you SSH'ing *from* a SIMP system? If so, was the SSH key generated *on* the SIMP system? If not, you may need to regenerate the key on a FIPS enabled system.

Thanks,

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Patrick Devine

Aug 2, 2017, 10:53:13 AM
to SIMP Q&A Forum
OK, that got me closer. Here is our normal login scenario for our system: log in as our LDAP user and then sudo sudosh over to root to do our admin stuff. I have been logging into my first VM, running sudosh, and then trying to ssh over to the second VM, which has the RSA key in /etc/ssh/local_keys/{my userid}. I just tried logging in with my LDAP user on my first VM and then just sshing over to the second VM, and it let me right in. I now have to check if the same logic will work from my non-SIMP system trying to do the same thing to a SIMP-based system.

Thanks

