Home > front end >  Password Authentication only denied OpenSS?
Password Authentication only denied OpenSS?

Time:06-17

Specifically to only using PasswordAuthentication to make a connection. I know there are many posts with regards to public key permission denied. With remote SSH connection attempt:

  • sshd PC UserName@staticIP : Permission denied (publickey, keyboard-interactive)
  • root@staticIP : Permission denied (publickey, keyboard-interactive)

I have a windows PC behind a (public) router which has a static IP assigned to it. For now I just want to get an initial ssh connection before moving to key authentication. I am not getting a password prompt:

Settings sshd_config:

  • PermitRootLogin yes
  • PubkeyAuthentication no
  • PasswordAuthentication yes
  • Logging yes
  • LogLevel VERBOSE

On the public router with static IP:

  • SSH and port 22 is allowed on my router, inbound and outbound.
  • I get no log message in my router's Firewall Log when trying to ssh in.
  • I have port forwarding on, for port 22 to the PC where I have the sshd running.

sshd PC: Firewall has inbound rule allowed for port 22 SSH. The "Allow apps to communicate through Windows Defender Firewall" is allso allowed on Private and Public for both OpenSSH Server and OpenSSH SSH Server.

HrPing is successful: hrping staticIP -p 22 -n 4 -l 1000

Using PowerShell as administrator as well as from an Ubuntu PC I have tried:

  • ssh sshd PC UserName@staticIP -p 22
  • ssh root@staticIP -p 22

On the sshd/Server PC > Services > OpenSSH SSH Server > Log On: should that be selected as Local System Account or This account - and the you select a user?

In ProgramData > SSH > Logs:

10952 2022-06-15 16:36:18.724 Connection from 102.250.4.93 port 12692 on <Local LAN IP address sshd PC> port 22
10952 2022-06-15 16:36:18.987 Connection reset by authenticating user <UserName> 102.250.4.93 port 12692 [preauth]

I get no messages in windows eventViewer under OpenSSH. There are no key's at either the client or sshd PC. With the initial connection attempt, the sshd PC's fingerprint is copied over to the client's known_hosts folder, but that also ends in permission denied.

PS C:\users\myUser\.ssh> ssh UserName@staticIP -p 22 -v
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to staticIP [staticIP] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\myUser/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to staticIP:22 as 'UserName'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:gYkCT81kmqzhDjEIFipnAl2N8ZjtrF3WwOeIKYBQy98
debug1: Host 'staticIP' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\myUser/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
UserName@staticIP: Permission denied (publickey,keyboard-interactive).

sshd_config file:

#   $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/id_ed25519

# Ciphers and keying
#RekeyLimit default none

#Logging yes
#SyslogFacility AUTH
#LogLevel VERBOSE

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication no

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /etc/ssh/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

CodePudding user response:

You can see from the debug output

debug1: Authentications that can continue: publickey,keyboard-interactive

and from the final error message

Permission denied (publickey, keyboard-interactive)

That the server is not accepting password authentication method (otherwise the word password would've been included in the list).

If you have set PasswordAuthentication to yes by yourself then make sure to restart the ssh service in order for the changes to take effect.

  • Related