Join Log in
Score:-1
jFasaJr avatar Server

Unable to connect to SSH server locally with pubkey from laptop for ssh-copy-id

vn flag
jFasaJr

I cannot for the life of me figure out where I'm going wrong here and need other eyes to point out my mistake(s). I'm running an sshd service on my arch desktop locally with ufw opening the designated ssh port.

Password authentication works when I enable it, however I cannot transfer my public key even then with ssh-copy-id. When I switch the sshd_config to be publickey only I get connection refused.

The ssh [insert additional commands] -vvv debug data just confirms the machine doesn't have my pubkey yet, but when I run ssh-copy-id -p 31221 -i ~/.ssh/ed25519key.pub [email protected] over my local network, it just said that 1 key remains to be insalled and that if I'm prompted it's to install the key, but then it refuses connection.

My ufw rules, note the specific IP address was the last thing I tried to eliminate things, it hasn't been there the entire time.

[john@thedream ssh]$ sudo ufw status
[sudo] password for john:
Status: active

To                         Action      From
--                         ------      ----
WWW Full                   ALLOW       Anywhere
31221                      ALLOW       192.168.1.0/24
31221                      ALLOW       192.168.1.251
WWW Full (v6)              ALLOW       Anywhere (v6)

My sshd_config

#   $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
Port 31221
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 50
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
AuthenticationMethods publickey
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

My sshd service is running

[john@thedream ssh]$ sudo systemctl status sshd
● sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: disabled)
     Active: active (running) since Tue 2023-02-21 18:02:28 CST; 2s ago
   Main PID: 9451 (sshd)
      Tasks: 1 (limit: 38319)
     Memory: 1.1M
        CPU: 4ms
     CGroup: /system.slice/sshd.service
             └─9451 "sshd: /usr/bin/sshd -D [listener] 0 of 10-100 startups"

Feb 21 18:02:28 thedream systemd[1]: Started OpenSSH Daemon.
Feb 21 18:02:28 thedream sshd[9451]: Server listening on 0.0.0.0 port 31221.
Feb 21 18:02:28 thedream sshd[9451]: Server listening on :: port 31221.

And my port 31221 is open

[john@thedream ssh]$ sudo lsof -i:31221
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    9451 root    3u  IPv4  88455      0t0  TCP *:31221 (LISTEN)
sshd    9451 root    4u  IPv6  88457      0t0  TCP *:31221 (LISTEN)
61
1 + 0
ssh
Score:0
jFasaJr avatar Server
vn flag
jFasaJr

So it turns out that you can only use ssh-copy-id with PasswordAuthentication set to yes as far as anything I can find says.

Quote from the ssh-copy-id man page: (presumably using a login password, so password authentication should be enabled, unless you've done some clever use of multiple identities)

The caveat being if you have a multi-identity setup and one of them already has a saved public key on the server already, not sure how to set that up honestly or if there are additional steps required, but I believe it would be easy enough using your client side ssh config like you would with other services.

I must have been messing something up previously with my passwordauth enabled beforehand as well and wasn't catching it.

Resolution is:

  1. Setup a basic but secure SSH Server with sshd on the host machine
  2. Then gen a key pair on the client and use ssh-copy-id to push your public key to the server.
  3. Then go and disable passwordauthentication in the sshd_config on the server.
  4. Finally enable the publickey authentication options in that same config.

Seems to work fine after going back to the basics.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.