The issue: Even though I've set up AuthorizedKeysCommand and disabled password authentication, when I attempt to log in from my Mac I am still being asked to enter the password:
OS: Rocky Linux 9.2
OpenSSH version on the server: OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:g7nyjiJifRo58tqXivGLTyxst7KP207XMKj3mNS3z4z
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user/.ssh/id_ecdsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/user/.ssh/id_ed25519
debug1: Trying private key: /Users/user/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/user/.ssh/id_xmss
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
([email protected]) Password:
Here is the /etc/ssh/sshd_config:
# General SSH settings
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
# Specify the protocol versions
Protocol 2
# HostKeys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication settings
# Disable root login
PermitRootLogin no
# Use public key authentication
PubkeyAuthentication yes
# Local file to check for public keys (optional, as we use AuthorizedKeysCommand)
#AuthorizedKeysFile .ssh/authorized_keys
# Use the script to fetch keys from GitLab repo
AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh %u
AuthorizedKeysCommandUser root
# ignore existing authorized_keys files by default
AuthorizedKeysFile /dev/null
# Disable password authentication as requested
PasswordAuthentication no
# Other settings for best practices
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
TCPKeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 33
# Subsystem for SFTP
Subsystem sftp /usr/libexec/openssh/sftp-server
Here is the script that fetches the public key(s) from GitLab:
#!/bin/bash
# AuthorizedKeysCommand helper: sshd invokes it as "<script> %u" and expects
# zero or more authorized_keys lines on stdout; a non-zero exit means "no keys".
# Check for required username argument
if [[ -z "$1" ]]; then
>&2 echo "Username required."
exit 1
fi
# Configuration (plain shell variables; sshd does not pass any environment to this script)
TOKEN="GitLab-access-token"
PROJECT_ID="123"
GITLAB_BASE_URL="https://gitlab.mygitlab.tld/api/v4/projects"
USERNAME="$1"
# Complete URL to the user's public key file (<username>.pub in the repo, ".pub" URL-encoded as %2Epub)
USER_KEY_URL="${GITLAB_BASE_URL}/${PROJECT_ID}/repository/files/${USERNAME}%2Epub/raw?ref=main"
# Use curl with the token to fetch the public key from the URL.
# --fail suppresses the body on HTTP errors; --write-out appends the status code
# after the body. If curl never gets an HTTP response (DNS, TLS, proxy or connect
# failure) the code written out is 000.
RESPONSE=$(curl --header "Private-Token: $TOKEN" --silent --fail --write-out "HTTPSTATUS:%{http_code}" "$USER_KEY_URL")
# Everything after the HTTPSTATUS: marker is the status code
HTTP_STATUS=$(echo "$RESPONSE" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
# Output only the SSH key to stdout
if [ "$HTTP_STATUS" == "200" ]; then
echo "$RESPONSE" | sed -e 's/HTTPSTATUS:.*//g'
else
>&2 echo "Failed to fetch keys with status code $HTTP_STATUS"
exit 1
fi
This is what I see if I execute "journalctl -u sshd -n 50":
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: main: sshd: ssh-rsa algorithm is disabled
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: User user authorized keys /dev/null is not a regular file
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh user failed, status 1
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: Accepted keyboard-interactive/pam for user from 192.168.50.175 port 51277 ssh2
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: pam_unix(sshd:session): session opened for user user(uid=1001) by (uid=0)
I've tested the Bash script manually via cURL and it fetches the public key from the GitLab repository just fine, exactly as it should. I've also manually executed the Bash script and the output contained the public key of the user, exactly as it is on my Mac.
To clarify, I am doing the tests from my Mac and authenticating with the Mac's public key.
I cannot disable PAM, because I see in the logs that it is not well supported on Rocky Linux. Any idea why this password prompt for the UNIX user still happens? Does PAM fall back to the password?
I've modified the Bash script to redirect errors to a file, /tmp/fetch_gitlab_keys.log:
Wed Aug 16 03:46:12 AM EDT 2023 - Curl output: 000
Wed Aug 16 03:46:12 AM EDT 2023 - Failed to fetch keys with status code 000
The OS has SELinux, which I've disabled, and that makes zero difference.
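The script's log shows curl writing status 000, which is what --write-out prints when no HTTP response was ever received, as opposed to a real status from GitLab. The following is an added example of a fetcher written as an AuthorizedKeysCommand, not the poster's script: it separates that transport failure from an HTTP error in the exit code and on stderr, reads the token from a root-only file instead of embedding it, validates the username before building the URL, and only passes lines that start with a recognised key type on to sshd, so a stray error page or a line carrying authorized_keys options such as command= can never reach the server. The token path, the GitLab host, the project ID and the sample responses are assumptions; the key material in the samples is a constructed placeholder, not a real key. The response-handling functions run offline on those samples; only fetch_keys touches the network.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumed layout: the key for
# user <u> is stored as <u>.pub on branch main of one GitLab project, and the
# API token lives in a root-only file so it never appears in ps or in this file.
set -u

GITLAB_BASE_URL="https://gitlab.example.tld/api/v4/projects"   # assumed host
PROJECT_ID="123"                                               # assumed project
TOKEN_FILE="/etc/ssh/gitlab-token"                             # assumed path, mode 0600 root

# sshd passes %u; refuse anything that could alter the URL path or query.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# curl --write-out 'HTTPSTATUS:%{http_code}' appends the status after the body.
# 000 means curl got no HTTP response at all (DNS, TLS, proxy, connect).
http_status_of() {
    printf '%s' "${1##*HTTPSTATUS:}"
}

body_of() {
    printf '%s' "${1%HTTPSTATUS:*}"
}

# Keep only lines that begin with a key type. sshd reads options only when a
# line does not start with a key type, so this also rejects option injection.
filter_pubkeys() {
    grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' || true
}

# Prints validated keys and returns 0 on 200; returns 2 on transport failure
# (000) and 1 on any HTTP error or empty result, so the journal line
# "AuthorizedKeysCommand ... failed, status N" already says which one it was.
handle_response() {
    response="$1"
    status=$(http_status_of "$response")
    case "$status" in
        200)
            keys=$(body_of "$response" | filter_pubkeys)
            if [ -z "$keys" ]; then
                echo "fetch_keys: no valid public key lines in response" >&2
                return 1
            fi
            printf '%s\n' "$keys"
            ;;
        000)
            echo "fetch_keys: transport failure, no HTTP status received" >&2
            return 2
            ;;
        *)
            echo "fetch_keys: GitLab returned HTTP $status" >&2
            return 1
            ;;
    esac
}

fetch_keys() {
    username="$1"
    valid_username "$username" || { echo "fetch_keys: refusing username" >&2; return 1; }
    token=$(cat "$TOKEN_FILE") || return 2
    # --show-error puts curl's own reason (e.g. "Could not resolve host") on stderr.
    response=$(curl --silent --show-error --fail --max-time 10 \
        --header "Private-Token: $token" \
        --write-out 'HTTPSTATUS:%{http_code}' \
        "${GITLAB_BASE_URL}/${PROJECT_ID}/repository/files/${username}%2Epub/raw?ref=main")
    handle_response "$response"
}

# Constructed sample responses (placeholder key material, not a real key).
SAMPLE_OK="$(printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial0000000000000000 user@mac\nHTTPSTATUS:200')"
SAMPLE_DOWN="HTTPSTATUS:000"
SAMPLE_INJECT="$(printf 'command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial0000000000000000 evil\n<html>not a key</html>\nHTTPSTATUS:200')"

# Real invocation: sshd runs this as "<script> %u".
if [ "$#" -ge 1 ]; then
    fetch_keys "$1"
    exit $?
fi
```

Install it root-owned, mode 0755, with the token file mode 0600, and keep AuthorizedKeysCommandUser root only if the token file must stay root-readable; otherwise a dedicated unprivileged user is the safer choice. Note that this does nothing about who may write to the GitLab project: anyone who can push a <user>.pub file to main gets SSH access as that user, so branch protection on main is part of the design.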