Shell User Authentication Failure

Discussion in 'ISPConfig 3 Priority Support' started by yupthatguy, Oct 8, 2021 at 10:36 AM.

  1. yupthatguy

    yupthatguy Member HowtoForge Supporter

    My steps are as follows:

    1.) I created the domain git.example.com and I've added a domain alias tester1.git.example.com

    2.) I created the ssh key pair on my machine using:
    $ ssh-keygen -b 4096

    3.) Then I go to the ISPC gui and create a new shell, for the url git.example.com from the drop down, enter the user name, then copy and paste the content of id_test_tgit_rsa.pub into the text field in the ISPC gui, and click "save" (remembered today.. yay me)

    4.) From there I go back to my host and attempt to ssh into the server using:
    $ ssh -t -i ~/.ssh/id_test_tgit_rsa [email protected]

    Result:
    Code:
     ssh -t -i ~/.ssh/id_test_tgit_rsa [email protected]
    The authenticity of host 'tester1.git.example.com (192.168.0.47)' can't be established.
    ECDSA key fingerprint is SHA256:/UbY27WLpQv3cKjD9DYVcBFO9PvWOGQedqZBiNMmDgQ.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Failed to add the host to the list of known hosts (/home/user/.ssh/known_hosts).
    
    More detail (verbose):
    Code:
    $ ssh -vvv -t -i ~/.ssh/id_test_tgit_rsa [email protected]
    OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
    debug1: Reading configuration data /home/user/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug2: resolving "tester1.git.example.com" port 22
    debug2: ssh_connect_direct
    debug1: Connecting to tester1.git.example.com [192.168.0.47] port 22.
    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_test_tgit_rsa type 0
    debug1: identity file /home/user/.ssh/id_test_tgit_rsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
    debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to tester1.git.example.com:22 as 'adminguytgit'
    debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
    debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected],zlib
    debug2: compression stoc: none,[email protected],zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
    debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none
    debug2: compression stoc: none
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:/UbY27WLpQv3cKjD9DYVcBFO9PvWOGQedqZBiNMmDgQ
    debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
    debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /home/user/.ssh/known_hosts:10
    debug3: load_hostkeys: loaded 1 keys from 192.168.0.47
    The authenticity of host 'tester1.git.example.com (192.168.0.47)' can't be established.
    ECDSA key fingerprint is SHA256:/kukbiouoefelrpe
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Failed to add the host to the list of known hosts (/home/user/.ssh/known_hosts).
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:9kBcvnrue98uh3RPHoOV8E4r/IgKlLIq3Oa8KsO7s1qHs explicit agent
    debug1: Will attempt key: [email protected] RSA SHA256:+jj6IX5B5jLV8fdeoruer(2BOsBskTVeyCntS/HBl4 agent
    debug1: Will attempt key: [email protected] RSA SHA256:ZMRVqFFj5DTLf4YoQfiT60QBIkW+vcXsK258fcGp2tY agent
    debug1: Will attempt key: [email protected] RSA SHA256:KbRGHfik360ABsRjJiJCI510NgG5KdVX4fke/CPtatU agent
    debug1: Will attempt key: [email protected] RSA SHA256:TQWa71nSVJymQdYoARcsvGhmSE31yO6DM5TvNBNKl6c agent
    debug1: Will attempt key: [email protected] RSA SHA256:FenNaEH+EdsSWrLVcaUf6zbP8aJ9lgVvy4SjgjWdZZ0 agent
    debug1: Will attempt key: [email protected] RSA SHA256:8Sf4OrQe4yN9tazaN8YaO4Kr5kg2joiuhyIK0OXAkTc agent
    debug1: Will attempt key: [email protected] RSA SHA256:c1WlRsZ0QDVGdedwerffe4c5Rp/JszHuA2ExMXoMIhM2xw agent
    debug1: Will attempt key: [email protected] RSA SHA256:9/DO/j+xQ4Fdc4LxKZdgDpwL0uiP1kr1wfNM+ran4Rw agent
    debug1: Will attempt key: [email protected] RSA SHA256:6JqrTqw4CUC071WoM754FTxZm4LJ/tjDsa9RAYPK7M0U agent
    debug1: Will attempt key: [email protected] RSA SHA256:seCSTO+I434r40Zvfked3MS+2GI44344f5guh0DvCiA agent
    debug1: Will attempt key: [email protected] RSA SHA256:qwYYwsNwkbYrwY8r43435tO1oQc4rr3rerf9kVDkXW0 agent
    debug1: Will attempt key: [email protected] RSA SHA256:gXFadksBd77onWktQeQxfrfer4ib5KLpLs8m7aExymY agent
    debug1: Will attempt key: [email protected] RSA SHA256:es4wc46qNFnQtXbSV85fmFgLPGSidXz+FKaTtRFwBSQ agent
    debug1: Will attempt key: [email protected] RSA SHA256:C+8B+Kt44BqbCOJX1G3ZU+O4IrodlrMQUCU+YKCvwXE agent
    debug1: Will attempt key: [email protected] RSA SHA256:S0QKfoorpgO7sVoEn7yUSYtuAfZeGrszci+piIqT1No agent
    debug2: pubkey_prepare: done
    debug3: send packet: type 5
    debug3: receive packet: type 7
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 53
    debug3: input_userauth_banner
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:9kBuyafregtgoOV8E4r/IgKlLIq3Oa8KsO7s1qHs explicit agent
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: [email protected] RSA SHA256:+jj6IX5B5jLV8f49/3EPFg62BOs434ntS/HBl4 agent
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    debug1: Offering public key: [email protected] RSA SHA256:ZMRVqFFj5DTLf4YoQfiT60QBIkW43r43rfg8fcGp2tY agent
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 1
    Received disconnect from 192.168.0.47 port 22:2: Too many authentication failures
    Disconnected from 192.168.0.47 port 22
    
    Received disconnect from 192.168.0.47 port 22:2: Too many authentication failures
    Disconnected from 192.168.0.47 port 22

    Finally, I try to manually upload the pub key to the server using:
    ssh-copy-id -i ~/.ssh/id_test_tgit_rsa.pub [email protected]

    And this also fails with "too many authentication failures."
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to wait until fail2ban unbans your IP. You caused too many auth failures and therefore fail2ban banned your IP temporarily.
     
  3. yupthatguy

    yupthatguy Member HowtoForge Supporter

    ok thanks... generally how long should I wait?
     
  4. yupthatguy

    yupthatguy Member HowtoForge Supporter

    Or better yet.. can I whitelist my ip in fail2ban?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. yupthatguy

    yupthatguy Member HowtoForge Supporter

    looking it up now
     
  7. yupthatguy

    yupthatguy Member HowtoForge Supporter

    I followed the instructions, easy enough, but I am still banned..
    Code:
    # added this to the file: /etc/fail2ban/jail.conf
    # [DEFAULT]
    # bantime = 1h
    ignoreip = 192.168.0.10

    Then I
    # service fail2ban restart

    Still banned.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    This whitelists your IP to prevent future bans, it does not stop the current ban. Wait until you're unbanned automatically or use the fail2ban commands to unban your IP; you can find them by using a search engine of your choice.

    And then you should try if you can log in by password instead of using the ssh key. And the SSH key must be inserted into the ssh key field of the user in ISPConfig. The ssh copy command you used can't work as you copy the key to a completely wrong user (root instead of adminguytgit).
     
  9. yupthatguy

    yupthatguy Member HowtoForge Supporter

    ok.. thanks for the feedback.. reading up now...
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I don't see any mention that you are using jailkit, but if so check what version you have installed and update if it's v2.22
     
  11. yupthatguy

    yupthatguy Member HowtoForge Supporter

    I checked the fail2ban log using
    # cat /var/log/fail2ban.log
    and yeah, my IP is listed
    Code:
    2021-10-08 15:55:53,220 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.10 - 2021-10-08 15:55:51
    2021-10-08 15:55:53,221 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 15:55:51
    2021-10-08 15:59:49,980 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 15:59:49
    2021-10-08 15:59:50,156 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 15:59:50
    2021-10-08 16:23:43,967 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 16:23:43
    2021-10-08 16:23:44,061 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 16:23:44
    
    
    But I am now having a strange problem... the fail2ban service itself has failed... and for whatever reason I cannot restart it.
    # systemctl restart fail2ban has no effect...
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If fail2ban has a problem, the reason would probably be in the log. Is it running? Try starting it and see what shows up in the log.
     
  13. yupthatguy

    yupthatguy Member HowtoForge Supporter

    log

    Code:
    # fail2ban-client status
     Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
    You have new mail in /var/mail/root
    [email protected]:~# cat /var/log/fail2ban.log
    
    https://pastebin.com/z4vuAXVF
     
  14. yupthatguy

    yupthatguy Member HowtoForge Supporter

    In any case... it seems that my IP was not banned by fail2ban... I got the service working again...
    Code:
    fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed:    0
    |  |- Total failed:    0
    |  `- File list:    /var/log/auth.log
    `- Actions
       |- Currently banned:    0
       |- Total banned:    0
       `- Banned IP list:   
    
    but my ssh still isn't working... guess I will have to investigate jailkit versions
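The fail2ban posts above mix three different things: a "Found" line in /var/log/fail2ban.log (the sshd filter matched a failed login), a "Ban"/"Unban" line (the action actually fired), and an ignoreip entry (which, as noted, only prevents future bans). The script below is an added example, not code from the thread or from fail2ban; it runs over a constructed log modelled on post 11 (203.0.113.7 is a placeholder address) and checks each address against an ignoreip list. Function names (found_count, ban_state, cidr_contains, in_ignoreip, report) are this example's own. Note that post 11's log shows Found lines for two addresses while post 7's ignoreip entry names only one of them; the in_ignoreip check makes that kind of mismatch visible.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban: separate filter
# matches ("Found"), fired actions ("Ban"/"Unban") and ignoreip coverage.
# The log is a constructed sample modelled on post 11; 203.0.113.7 is a
# placeholder. IPv4 only; IPv6 ignoreip entries are skipped.

F2B_LOG=$(mktemp)
trap 'rm -f "$F2B_LOG"' EXIT
cat > "$F2B_LOG" <<'EOF'
2021-10-08 15:55:53,220 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.10 - 2021-10-08 15:55:51
2021-10-08 15:55:53,221 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 15:55:51
2021-10-08 15:59:49,980 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 15:59:49
2021-10-08 15:59:50,156 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 15:59:50
2021-10-08 16:23:43,967 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 16:23:43
2021-10-08 16:23:44,061 fail2ban.filter         [819]: INFO    [sshd] Found 192.168.0.18 - 2021-10-08 16:23:44
2021-10-08 16:23:44,120 fail2ban.actions        [819]: NOTICE  [sshd] Ban 192.168.0.18
2021-10-08 16:30:00,001 fail2ban.filter         [819]: INFO    [sshd] Found 203.0.113.7 - 2021-10-08 16:29:59
2021-10-08 16:30:00,002 fail2ban.actions        [819]: NOTICE  [sshd] Ban 203.0.113.7
2021-10-08 17:30:00,003 fail2ban.actions        [819]: NOTICE  [sshd] Unban 203.0.113.7
EOF

# found_count LOG IP: filter matches for IP. A match is evidence, not a ban.
found_count() {
    awk -v ip="$2" '{ for (i = 1; i < NF; i++) if ($i == "Found" && $(i + 1) == ip) n++ }
                    END { print n + 0 }' "$1"
}

# ban_state LOG IP: "banned" if the most recent action line for IP is a Ban,
# "clear" if it is an Unban or there is none.
ban_state() {
    awk -v ip="$2" '
        NF > 1 && $NF == ip && $(NF - 1) == "Ban"   { state = "banned" }
        NF > 1 && $NF == ip && $(NF - 1) == "Unban" { state = "clear" }
        END { print (state == "" ? "clear" : state) }' "$1"
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# cidr_contains ENTRY IP: true if IP is inside ENTRY, written either as a bare
# address (host match) or as network/prefix.
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    if [ "$bits" = "$1" ]; then bits=32; fi        # no "/": single host
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# in_ignoreip IP "LIST": true if any space-separated ignoreip entry covers IP.
in_ignoreip() {
    for entry in $2; do
        case $entry in *:*) continue ;; esac       # IPv6 entries such as ::1 not handled
        if cidr_contains "$entry" "$1"; then return 0; fi
    done
    return 1
}

# report LOG IP "LIST": one line per address showing all three facts together.
report() {
    if in_ignoreip "$2" "$3"; then ignored=yes; else ignored=no; fi
    printf '%s found=%s state=%s ignored=%s\n' "$2" "$(found_count "$1" "$2")" "$(ban_state "$1" "$2")" "$ignored"
}

# What post 7 added, on top of fail2ban's stock default entries.
IGNOREIP="127.0.0.1/8 ::1 192.168.0.10"
for ip in 192.168.0.10 192.168.0.18 203.0.113.7; do
    report "$F2B_LOG" "$ip" "$IGNOREIP"
done
```

Run against a real log with `found_count /var/log/fail2ban.log <address>` and `ban_state /var/log/fail2ban.log <address>`; a "banned" result is lifted with `fail2ban-client set sshd unbanip <address>`, and `fail2ban-client status sshd` (as in post 14) confirms the jail's live state. A "found" count with state "clear", as in post 14, means the filter saw failures but never reached the ban threshold, so the ssh problem lies elsewhere.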
     
  15. yupthatguy

    yupthatguy Member HowtoForge Supporter

    If someone tells me how to check the jailkit version.. might save a bit of time
     
  16. yupthatguy

    yupthatguy Member HowtoForge Supporter

    got it...
    jailkit/buster-backports,now 2.21-2~bpo10+1 amd64 [installed]
     
  17. yupthatguy

    yupthatguy Member HowtoForge Supporter

    So now I know fail2ban isn't the problem and my ip is whitelisted against future issues..
    I now have jailkit updated to the latest version

    Code:
    # dpkg --install jailkit_2.23-1_amd64.deb
    (Reading database ... 240467 files and directories currently installed.)
    Preparing to unpack jailkit_2.23-1_amd64.deb ...
    Unpacking jailkit (2.23-1) over (2.21-2~bpo10+1) ...
    Setting up jailkit (2.23-1) ...
    

    But the original problem of not being able to ssh into the directory still exists (too many authentication errors). Suggestions definitely welcome.
     
  18. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Do you have device files inside the jail, eg. /dev/null?
     
  19. yupthatguy

    yupthatguy Member HowtoForge Supporter

    So, I fixed it and the problem had no relation to fail2ban or jailkit..

    1.) set a password in the gui for the shell-user
    2.) temporarily added "-o IdentitiesOnly=yes"
    3.) ssh -o IdentitiesOnly=yes -t -i ~/.ssh/id_test_tgit_rsa [email protected]
    4.) changed my ~/.ssh/known_hosts permissions back to 644...
    5.) ssh -t -i ~/.ssh/id_test_tgit_rsa [email protected] works without a problem
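The first post's verbose transcript and the fix in the post above describe one mechanism: every public key the client offers and the server rejects counts toward sshd's MaxAuthTries, so an agent loaded with several keys can get the session disconnected with "Too many authentication failures" before the -i key's real result, or the password prompt, is ever seen. The script below is an added example, not code from the thread, ISPConfig or OpenSSH. It reads an `ssh -vvv` transcript (two constructed, shortened samples modelled on the first post, with placeholder key names, fingerprints and addresses), counts planned versus offered keys, and prints the IdentitiesOnly form of the command. Function names (count_agent_keys, count_offered_keys, hit_auth_limit, diagnose, fixed_ssh_command) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread, ISPConfig or OpenSSH: triage an
# "ssh -vvv" transcript for the "Too many authentication failures" pattern.
# All input is constructed. ssh writes its debug output to stderr, so a real
# capture would be:  ssh -vvv -i ~/.ssh/id_test_tgit_rsa user@host 2> ssh-debug.log

LIMIT_LOG=$(mktemp); IDONLY_LOG=$(mktemp)
trap 'rm -f "$LIMIT_LOG" "$IDONLY_LOG"' EXIT

# Transcript 1 (constructed): no IdentitiesOnly. The agent holds more keys than
# the server allows tries; each rejected offer is a failure, and the server
# disconnects before the client ever reaches the password method.
cat > "$LIMIT_LOG" <<'EOF'
debug1: Will attempt key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:KEY-A explicit agent
debug1: Will attempt key: laptop-key-1 RSA SHA256:KEY-B agent
debug1: Will attempt key: laptop-key-2 RSA SHA256:KEY-C agent
debug1: Will attempt key: laptop-key-3 RSA SHA256:KEY-D agent
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:KEY-A explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: laptop-key-1 RSA SHA256:KEY-B agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: laptop-key-2 RSA SHA256:KEY-C agent
Received disconnect from 192.0.2.47 port 22:2: Too many authentication failures
EOF

# Transcript 2 (constructed): same attempt with -o IdentitiesOnly=yes. Only the
# -i key is offered, so the server's verdict on that key is visible and the
# password method is still reachable.
cat > "$IDONLY_LOG" <<'EOF'
debug1: Will attempt key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:KEY-A explicit
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:KEY-A explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF

# count_agent_keys LOG: keys ssh planned to try (the -i key plus agent keys).
count_agent_keys() { grep -c 'debug1: Will attempt key:' "$1" || true; }

# count_offered_keys LOG: keys actually sent to the server.
count_offered_keys() { grep -c 'debug1: Offering public key:' "$1" || true; }

# hit_auth_limit LOG: true if the server closed the session for too many failures.
hit_auth_limit() { grep -q 'Too many authentication failures' "$1"; }

# explicit_key_offered_first LOG: true if the first key offered was one given
# with -i (ssh tags those "explicit"); false means only agent keys were in play.
explicit_key_offered_first() {
    first_offer=$(grep 'debug1: Offering public key:' "$1" | head -n 1)
    case "$first_offer" in
        *" explicit"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# diagnose LOG: one-line verdict an operator can act on.
diagnose() {
    offered=$(count_offered_keys "$1")
    loaded=$(count_agent_keys "$1")
    if hit_auth_limit "$1"; then verdict=limit-hit; else verdict=ok; fi
    if explicit_key_offered_first "$1"; then first=explicit; else first=agent; fi
    echo "$verdict offered=$offered loaded=$loaded first=$first"
}

# fixed_ssh_command USER HOST KEYFILE: the invocation the post above arrived at.
# IdentitiesOnly=yes restricts ssh to the -i key (and keys named in
# ~/.ssh/config), so loaded agent keys no longer consume MaxAuthTries.
fixed_ssh_command() { printf 'ssh -o IdentitiesOnly=yes -i %s %s@%s\n' "$3" "$1" "$2"; }

diagnose "$LIMIT_LOG"     # limit-hit offered=3 loaded=4 first=explicit
diagnose "$IDONLY_LOG"    # ok offered=1 loaded=1 first=explicit
fixed_ssh_command adminguytgit tester1.git.example.com '~/.ssh/id_test_tgit_rsa'
```

The "limit-hit" verdict with the explicit key offered first means the server already rejected the -i key before the agent keys burned the remaining tries; with IdentitiesOnly the same attempt ends in a normal "Permission denied" or password prompt instead of a disconnect, which points at the authorized key on the server side (the ISPConfig shell user's key field) rather than at fail2ban or jailkit.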
     
