bastion server with MFA - linux

I have a bastion server with enabled MFA using google-authenticator service. But I cannot use proxycommand through my bastion:
> ssh -vvv -i ~/.ssh/file.pem user#ip -o "proxycommand ssh -q -W %h:%p user#bastion"
OpenSSH_7.9p1 Ubuntu-10, OpenSSL 1.1.1b 26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname ip is address
debug1: Executing proxy command: exec ssh -q -W ip:22 user#bastion
debug1: identity file /home/user/.ssh/file.pem type -1
debug1: identity file /home/user/.ssh/file.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Ubuntu-10
Password:
Verification code:
connection exited by timeout
Is it possible to use proxycommand with MFA?
/etc/pam.d/common-session:
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_systemd.so
auth required pam_google_authenticator.so nullok
/etc/ssh/sshd_config :
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

The issue was with firewall rules, proxycommand works with MFA!

Related

How to login by ssh in Alpine Linux without passwords?

I'm using a Android cell phone. I write python program and run the program in Termux. But there some lib can't be installed or use in Android cell phone, sklearn and tensorflow for example. So I decided to try to use a docker container for my programing envirment.
I create a docker image and update it to docker-hub: zwdnet/mypython. Then I installed qemu in Termux,and installed Alpine Linux (alpine-virt-3.10.1-x86_64) in Termux. I followed this pages' method(It is a Chinese blog, not English): https://stageguard.top/2019/08/15/run-docker-on-qemu-alpine/#1-Docker
After this, I use the command
qemu-system-x86_64 -hda python.img -boot c -m 4096 -netdev user,id=nde1,hostfwd=tcp::2222-:22 -device e1000,netdev=nde1,id=d-net1 -nographic &
start the alpine linux in back and
ssh root#localhost -p 2222
login. (After then I installed the docker and run the container success, that is another question.)
Now I want to login Apline linux without enter the passwords.
First I use
ssh-keygen -t rsa
generate the key, and use
ssh-copy-id -i ./mykey.pub root#localhost -P 2222
to sent the pub key to the Apline linux and changed the /etc/ssh/sshd_config file.
At last I restarted the sshd service and logout.
But when I login again, It is ask me to enter the password again.
I thought maybe that is because I login in with root. So I login and create a new username, and repeat the ahead operators. But I failed. The ssh ask me to enter password again.
This is my mod of ~/.ssh and the key files.
$ssh zym#localhost -p 2222 "ls -la"
zym#localhost's password:
total 20
drwxr-sr-x 3 1000 zym 4096 May 16 15:04 .
drwxr-xr-x 3 root root 4096 May 16 14:44 ..
-rw------- 1 1000 zym 251 May 16 15:04 .ash_history
drwx------ 2 1000 zym 4096 May 16 14:56 .ssh
-rw------- 1 root zym 883 May 16 15:04 .viminfo
$ ssh zym#localhost -p 2222 "ls -la .ssh"
zym#localhost's password:
total 12
drwx------ 2 1000 zym 4096 May 16 14:56 .
drwxr-sr-x 3 1000 zym 4096 May 16 15:04 ..
-rw------- 1 root zym 571 May 16 14:56 authorized_keys
and this is my /etc/ssh/sshd_config file:
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
The login information is
$ ssh zym#localhost -p 2222 -v
OpenSSH_8.2p1, OpenSSL 1.1.1g 21 Apr 2020
debug1: Reading configuration data /data/data/com.termux/files/usr/etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to localhost [127.0.0.1] port 2222.
debug1: Connection established.
debug1: identity file /data/data/com.termux/files/home/.ssh/id_rsa type 0
debug1: identity file /data/data/com.termux/files/home/.ssh/id_rsa-cert type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_dsa type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_dsa-cert type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa-cert type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa_sk type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519 type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519-cert type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519_sk type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_xmss type -1
debug1: identity file /data/data/com.termux/files/home/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1
debug1: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:2222 as 'zym'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Vwx+lpRpyl04g5gaO73Es9C1IslCcD7f9CUfBFyi96M
debug1: Host '[localhost]:2222' is known and matches the ECDSA host key.
debug1: Found key in /data/data/com.termux/files/home/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /data/data/com.termux/files/home/.ssh/id_rsa RSA SHA256:l/1hMa3CC1MHkHsJT6R7CRZJzYEXU
debug1: Will attempt key: /data/data/com.termux/files/home/.ssh/id_dsa
debug1: Will attempt key: /data/data/com.termux/files/home/.ssh/id_ecdsa
debug1: Will attempt key: /data/data/com.termux/files/home/.ssh/id_ecdsa_sk
debug1: Will attempt key: /data/data/com.termux/files/home/.ssh/id_ed25519
debug1: Will attempt key: /data/data/com.termux/files/home/.ssh/id_ed25519_sk
debug1: Will attempt key: /data/data/com.termux/files/home/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2->
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /data/data/com.termux/files/home/.ssh/id_rsa RSA SHA256:l/1hMa3CC1MHkHsJT6R7CRZJzU
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /data/data/com.termux/files/home/.ssh/id_dsa
debug1: Trying private key: /data/data/com.termux/files/home/.ssh/id_ecdsa
debug1: Trying private key: /data/data/com.termux/files/home/.ssh/id_ecdsa_sk
debug1: Trying private key: /data/data/com.termux/files/home/.ssh/id_ed25519
debug1: Trying private key: /data/data/com.termux/files/home/.ssh/id_ed25519_sk
debug1: Trying private key: /data/data/com.termux/files/home/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
zym#localhost's password:
I copyed the mykey and mykey.pub to /data/data/com.termux/files/home/.ssh/ , no use.
Could you please help me to see how to sovle this problem? Thanks!
I'm a Chinese and my English is poor. Please forgive me for the words errors.
Thanks #MarcoLucidi ,but the -i in ssh dose not work.
$ ssh -i ./mykey -p 2222 zym#localhost -v
OpenSSH_8.2p1, OpenSSL 1.1.1g 21 Apr 2020
debug1: Reading configuration data /data/data/com.termux/files/usr/etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to localhost [127.0.0.1] port 2222.
debug1: Connection established.
debug1: identity file ./mykey type 0
debug1: identity file ./mykey-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1
debug1: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:2222 as 'zym'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Vwx+lpRpyl04g5gaO73Es9C1IslCcD7f9CUfBFyi96M
debug1: Host '[localhost]:2222' is known and matches the ECDSA host key.
debug1: Found key in /data/data/com.termux/files/home/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: ./mykey RSA SHA256:4rVLy6uWZoHmCMqYYyaASSV2iaoIdIbvIDtA1EBNuW0 explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2->
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: ./mykey RSA SHA256:4rVLy6uWZoHmCMqYYyaASSV2iaoIdIbvIDtA1EBNuW0 explicit
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
zym#localhost's password:
i discovered that alpine linux image is shipped with a root user that has no password set yet. And for some reason it seems like not having a password set for root prevents the public key authentication from succeeding when trying to ssh on root account.
try setting a password to root user: ex:
echo 'root:dummy_passwd'|chpasswd
and then retry:
shh root#<ip_address>
now the command should work with the public key authentication. don't ask me why.
note: i discovered that because i could connect to a normal user session but not to root session with the same sshd_config, on the same machine, and with the same authorized_keys file (with correct permissions and correct ownership). that was the only thing i could think of and it made the difference.
You indicated in a comment that this user "zym" has UID 0. You also show that zym's home directory and .ssh directory are owned by UID 1000:
drwxr-sr-x 3 1000 zym 4096 May 16 15:04 .
drwxr-xr-x 3 root root 4096 May 16 14:44 ..
-rw------- 1 1000 zym 251 May 16 15:04 .ash_history
drwx------ 2 1000 zym 4096 May 16 14:56 .ssh
The OpenSSH server enforces strict permissions on the authorized_keys file:
~/.ssh/authorized_keys
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.
The actual permissions-checking performed by sshd is complicated. But basically it checks for two things:
The authorized_keys file must be owned by the user logging in, and it must not be group- or world-writable.
The directory containing authorized_keys, the .ssh directory, and the home directory must be owned by root or the user logging in, and must not be group- or world-writable.
The OpenSSH server is probably ignoring your authorized_keys file because these requirements aren't being met. You're trying to log in as a user with UID 0, while the authorized_keys file, .ssh directory, and home directory are owned by a different UID.
You can fix this by making the UIDs match. Either set "zym" to have UID 1000, or change zym's home directory and the files contained there to be owned by zym's actual UID of 0.
Alternately, you can disable this permissions check by setting StrictModes to "no" in sshd_config on the server and restarting sshd.
After trying to disable my root user's password with passwd -l, or by directly setting the password hash to ! in /etc/shadow, I was surprised to find my attempts to log in via ssh key rejected with "User root not allowed because account is locked" reported in /var/log/messages.
Based on guidance from https://unix.stackexchange.com/a/193131/353183, I changed the password hash in /etc/shadow from ! to *, and that let me log in successfully.
Hashes beginning with an exclamation point signify a locked user, and OpenSSH rejects logins for locked users even when they use an authorized key. The asterisk still disables password logins by serving as an impossible-to-match hash, but it does not mark the account as locked. For more details, see https://stackoverflow.com/a/25211719/2402324.

ssh closes connection immediately after successful login for a specific user

This starts driving me nuts!
I have the case here where a specific user when trying to login to a Linux server (running openSUSE 13.2 (Harlequin) (x86_64)) using a password or a private key is immediately logged out again.
The login seems successful (at least according to the ssh log - see below) but immediately after that the connection is closed and the intended command is not executed.
The below output captured using ssh's -vvv option:
ssh -vvv -i <path_to_private_key> <user>#<FQDN> touch /tmp/mms_was_here
...
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:W4i/<removed> <path_to_private_key>
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:W4i/<removed-same-as-above>
debug3: sign_and_send_pubkey: RSA SHA256:W4i/<removed-same-as-above>
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to <FQDN> ([10.10.8.88]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions#openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 nr0 i0/0 o0/0 fd 4/5 cc -1)
Connection to <FQDN> closed by remote host.
Transferred: sent 2564, received 2328 bytes, in 0.0 seconds
Bytes per second: sent 400692.9, received 363811.6
debug1: Exit status -1
Note: I replaced a few appearances of the server's name and some key hashes for privacy but they were correct.
What makes things even more absurd to me is that a different user can log in without problems (with both, password or key authentication)! I painstakingly compared settings, the content of the .ssh directory and what not. They are the same (modulo the different keys of course).
Both user have a valid home directory set as well as /bin/bash as default shell. Their public keys have been added to the respective ~/.ssh/authorized keys-files, the server's hosts.deny and host.allow files are empty (or rather contain only comments). sshd_config has neither an AllowUser/Group nor a DenyUser/Group section.
The password (for password authentication) is set and unlocked. But that user can not login!
After the login attempts of both "service sshd status" reports:
...
30:3d:c6:43:ee:3d:05:32:90:49:65:71:1a [MD5]
May 14 15:43:17 ksta-zhquest-int3 sshd[26223]: pam_unix(sshd:session): session opened for user <user> by (uid=0)
So - even that looks good. sshd has admitted the user. But then one user's command is executed while the other's session is immediately closed again and the command is NOT executed! And that happens for both, password as well as key authentication! Why is that user locked out? Any idea anyone?
I had a very similar issue, it turned out that the subnet that I had put the Debian VM on was not listed in Active Directory sites and services. Took me ages to find the answer and this question kept coming up in my searches, so I'm posting the answer here in case anyone is in the same boat in future.
Update: coming back to this answer because I've encountered other scenarios with similar or identical symptoms.
PasswordAuthentication=No was set in /etc/ssh/sshd_config. I was attempting authentication using a password.
The user had no homefolder. /var/log/auth.log showed the authentication succeeding but then the client side disconnected straight afterwards. I had forgotten to configure /etc/pam.d/common-session with session optional pam_mkhomedir.so
(Ansible) I had a conflicting variable set in the inventory file causing it to try and use ssh key authentication instead of password authentication. This was only visible with -vvv showing ansible using ssh -o PasswordAuthentication=no
Check if the user is not added to some nologin configuration, it also could have set its default shell to /bin/false or something alike
I had a look-alike problem once upgrading an openSUSE computer from a 15.3 release to Tumbleweed. It turned out that there was an old /etc/ssh/sshd_config configuration file left over in the file system which contained in the line for "Subsystem sftp" a binary file /usr/lib/ssh/sftp-server that does not exist. The problem was solved by removing (sic) that /etc/ssh/sshd_config file such that the file at the slightly different location /usr/etc/sshd_config took over, which contained an valid Subsystem sftp binary file in the /usr/libexec directory, then restarting the sshd .

can't connect ssh sh: 6000: command not found [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
Improve this question
I'm trying to connect my server
and ssh show me: sh: 6000: command not found
blow is ssh verbose log and my sshd_config.
[~] # ssh -v admin#myserver -P 6000
OpenSSH_7.6p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Connecting to 192.168.50.21 [192.168.50.21] port 6000.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.50.216000 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:XTuaKA/5nJd1wol9+Ckp0or8XCx3Rd/0NGMIdT9lrro
debug1: Host '192.168.50.21' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:XTuaKA/5nJd1wol9+Ckp0or8XCx3Rd/0NGMIdT9lrro /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
admin#192.168.50.21's password:
debug1: Authentication succeeded (password).
Authenticated to 192.168.50.21 ([192.168.50.21]6000).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00#openssh.com want_reply 0
debug1: Sending command: 6000
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow#openssh.com reply 0
sh: 6000: command not found
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2248, received 3052 bytes, in 0.2 seconds
Bytes per second: sent 14674.8, received 19923.2
debug1: Exit status 127
this is my sshd config
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers admin
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
I don't know why this error show here.
And I use a mac software called ssh shell it can connect to my server.
I'm pretty sure the password is right.
Your commandline doesn't do what you think it does.
ssh -v admin#myserver -P 6000
-v enables some debug information
admin#myserver provides the remote user and remote host
-P 6000 does NOT attempt to connect to port 6000
The command you probably intended was:
ssh -v admin#myserver -p 6000
However, it turns out that -P is an undocumented argument that is accepted by ssh.
This leaves an unaccounted for argument 6000. ssh assumes this is a command that you want to run on the remote server. It doesn't exist, which results in the error shown:
sh: 6000: command not found

Ansible access via SSH to Azure VM's on same host but different ports

I have to VM's running on an azure cloud where the hostname is the same but the ports are different for the two VM's. I can do a direct SSH to each of the machines but now I'm trying to configure my ansible playbook to connect and run a simple ping command
ansible all -m ping
My basic ansible inventory file contained
[all]
test01vm0 ansible_host=test01.cloudapp.azure.com ansible_port=50000
test01vm1 ansible_host=test01.cloudapp.azure.com ansible_port=50001
The result is that first VM replies but the second always fails.
test01vm1 | UNREACHABLE! => {
"changed": false,
"msg": "ERROR! SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue",
"unreachable": true
}
test01vm0 | SUCCESS => {
"changed": false,
"ping": "pong"
}
I came across this thread on how-to-handle-ssh-host-key-verification-with-2-different-hosts-on-the-same-but and i added
these details to my '.ssh/config' file
Host azure.t01vm0
Hostname test01.cloudapp.azure.com
HostKeyAlias azure.t01vm0
CheckHostIP no
Port 50000
User admin
Host azure.t01vm1
Hostname test01.cloudapp.azure.com
HostKeyAlias azure.t01vm1
CheckHostIP no
Port 50001
User admin
I then updated my inventory file to
[all]
test01vm0 ansible_host=azure.t01vm0
test01vm1 ansible_host=azure.t01vm1
which uses the host alias, under the hood the SSH command will resolve the Hostname and Port.
In my 'groups_vars/all' file i have
# ssh access
ansible_connection: ssh
~~ansible_user: admin~~
~~ansible_pass: xxxxx~~
In my 'ansible.cfg' file i have
[defaults]
~~host_key_checking=false~~
But the same issue still happens. Any suggestions on how i can get around this SSH issue?
The full error is
pc#pc-HP-ZBook-15:~/work/devops/ansible$ ansible all -m ping -vvvv
Using /home/pc/work/devops/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<azure.t01vm0> ESTABLISH SSH CONNECTION FOR USER: admin
<azure.t01vm0> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/home/pc/.ansible/cp/ansible-ssh-%h-%p-%r -tt azure.t01vm0 '( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1453379274.37-334027235531 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1453379274.37-334027235531 )" )'
<azure.t01vm1> ESTABLISH SSH CONNECTION FOR USER: admin
<azure.t01vm1> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=50001 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/home/pc/.ansible/cp/ansible-ssh-%h-%p-%r -tt azure.t01vm1 '( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1453379274.37-107934098383321 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1453379274.37-107934098383321 )" )'
test01vm1 | UNREACHABLE! => {
"changed": false,
"msg": "ERROR! SSH encountered an unknown error. The output was:\nOpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014\r\ndebug1: Reading configuration data /home/pc/.ssh/config\r\ndebug1: /home/pc/.ssh/config line 20: Applying options for azure.t01vm1\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: Hostname has changed; re-reading configuration\r\ndebug1: Reading configuration data /home/pc/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/home/pc/.ansible/cp/ansible-ssh-test01.cloudapp.azure.com-50001-admin\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to test01.cloudapp.azure.com [13.69.146.148] port 50001.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 9975 ms remain after connect\r\ndebug3: Incorrect RSA1 identifier\r\ndebug3: Could not load \"/home/pc/.ssh/id_rsa\" as a RSA1 public key\r\ndebug1: identity file /home/pc/.ssh/id_rsa type 1\r\ndebug1: identity file /home/pc/.ssh/id_rsa-cert type -1\r\ndebug1: identity file /home/pc/.ssh/id_dsa type -1\r\ndebug1: identity file /home/pc/.ssh/id_dsa-cert type -1\r\ndebug1: identity file /home/pc/.ssh/id_ecdsa type -1\r\ndebug1: identity file /home/pc/.ssh/id_ecdsa-cert type -1\r\ndebug1: identity file /home/pc/.ssh/id_ed25519 type -1\r\ndebug1: identity file /home/pc/.ssh/id_ed25519-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.4\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1\r\ndebug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: using hostkeyalias: azure.t01vm1\r\ndebug3: load_hostkeys: loading entries for host \"azure.t01vm1\" from file \"/home/pc/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /home/pc/.ssh/known_hosts:75\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01#openssh.com,ecdsa-sha2-nistp384-cert-v01#openssh.com,ecdsa-sha2-nistp521-cert-v01#openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: kex_parse_kexinit: curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01#openssh.com,ecdsa-sha2-nistp384-cert-v01#openssh.com,ecdsa-sha2-nistp521-cert-v01#openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01#openssh.com,ssh-rsa-cert-v01#openssh.com,ssh-dss-cert-v01#openssh.com,ssh-rsa-cert-v00#openssh.com,ssh-dss-cert-v00#openssh.com,ssh-ed25519,ssh-rsa,ssh-dss\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm#openssh.com,aes256-gcm#openssh.com,chacha20-poly1305#openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm#openssh.com,aes256-gcm#openssh.com,chacha20-poly1305#openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se\r\ndebug2: kex_parse_kexinit: hmac-md5-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-ripemd160-etm#openssh.com,hmac-sha1-96-etm#openssh.com,hmac-md5-96-etm#openssh.com,hmac-md5,hmac-sha1,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: hmac-md5-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-ripemd160-etm#openssh.com,hmac-sha1-96-etm#openssh.com,hmac-md5-96-etm#openssh.com,hmac-md5,hmac-sha1,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: zlib#openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: zlib#openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: kex_parse_kexinit: curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm#openssh.com,aes256-gcm#openssh.com,chacha20-poly1305#openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm#openssh.com,aes256-gcm#openssh.com,chacha20-poly1305#openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se\r\ndebug2: kex_parse_kexinit: hmac-md5-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-ripemd160-etm#openssh.com,hmac-sha1-96-etm#openssh.com,hmac-md5-96-etm#openssh.com,hmac-md5,hmac-sha1,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: hmac-md5-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-ripemd160-etm#openssh.com,hmac-sha1-96-etm#openssh.com,hmac-md5-96-etm#openssh.com,hmac-md5,hmac-sha1,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: none,zlib#openssh.com\r\ndebug2: kex_parse_kexinit: none,zlib#openssh.com\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: mac_setup: setup hmac-md5-etm#openssh.com\r\ndebug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com zlib#openssh.com\r\ndebug2: mac_setup: setup hmac-md5-etm#openssh.com\r\ndebug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com zlib#openssh.com\r\ndebug1: sending SSH2_MSG_KEX_ECDH_INIT\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug1: Server host key: ECDSA ff:e4:84:a7:d4:88:18:6b:80:a7:0c:df:b0:f1:56:16\r\ndebug3: put_host_port: [13.69.146.148]:50001\r\ndebug1: using hostkeyalias: azure.t01vm1\r\ndebug3: load_hostkeys: loading entries for host \"azure.t01vm1\" from file \"/home/pc/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /home/pc/.ssh/known_hosts:75\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug1: Host 'azure.t01vm1' is known and matches the ECDSA host key.\r\ndebug1: Found key in /home/pc/.ssh/known_hosts:75\r\ndebug1: ssh_ecdsa_verify: signature correct\r\ndebug2: kex_derive_keys\r\ndebug2: set_newkeys: mode 1\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug2: set_newkeys: mode 0\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug1: SSH2_MSG_SERVICE_REQUEST sent\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug2: key: /home/pc/.ssh/id_rsa (0x7fcac5e86a60),\r\ndebug2: key: /home/pc/.ssh/id_dsa ((nil)),\r\ndebug2: key: /home/pc/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /home/pc/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password\r\ndebug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_lookup gssapi-with-mic\r\ndebug3: remaining preferred: gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_is_enabled gssapi-with-mic\r\ndebug1: Next authentication method: gssapi-with-mic\r\ndebug1: Unspecified GSS failure. Minor code may provide more information\nNo Kerberos credentials available\n\r\ndebug1: Unspecified GSS failure. Minor code may provide more information\nNo Kerberos credentials available\n\r\ndebug1: Unspecified GSS failure. Minor code may provide more information\n\n\r\ndebug1: Unspecified GSS failure. Minor code may provide more information\nNo Kerberos credentials available\n\r\ndebug2: we did not send a packet, disable method\r\ndebug3: authmethod_lookup gssapi-keyex\r\ndebug3: remaining preferred: hostbased,publickey\r\ndebug3: authmethod_is_enabled gssapi-keyex\r\ndebug1: Next authentication method: gssapi-keyex\r\ndebug1: No valid Key exchange context\r\ndebug2: we did not send a packet, disable method\r\ndebug3: authmethod_lookup publickey\r\ndebug3: remaining preferred: ,publickey\r\ndebug3: authmethod_is_enabled publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1: Offering RSA public key: /home/pc/.ssh/id_rsa\r\ndebug3: send_pubkey_test\r\ndebug2: we sent a publickey packet, wait for reply\r\ndebug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password\r\ndebug1: Trying private key: /home/pc/.ssh/id_dsa\r\ndebug3: no such identity: /home/pc/.ssh/id_dsa: No such file or directory\r\ndebug1: Trying private key: /home/pc/.ssh/id_ecdsa\r\ndebug3: no such identity: /home/pc/.ssh/id_ecdsa: No such file or directory\r\ndebug1: Trying private key: /home/pc/.ssh/id_ed25519\r\ndebug3: no such identity: /home/pc/.ssh/id_ed25519: No such file or directory\r\ndebug2: we did not send a packet, disable method\r\ndebug1: No more authentication methods to try.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n",
"unreachable": true
}
EDIT
I updated my ansible.cfg file to include a the private_key_file value
[defaults]
private_key_file=/home/pc/.ssh/id_rsa.pem
when i attempt to SSH onto the box with the private_key, this is the debug details and i get access
ssh -p 50000 admin#test01.cloudapp.azure.com -v -i ~/.ssh/id_rsa.pem
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/pc/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to test01.cloudapp.azure.com [40.112.77.99] port 50000.
debug1: Connection established.
debug1: identity file /home/pc/.ssh/id_rsa.pem type -1
debug1: identity file /home/pc/.ssh/id_rsa.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA a3:30:44:1a:1b:f9:fa:c0:6e:7e:79:a3:fe:da:f4:e1
debug1: Host '[test01.cloudapp.azure.com]:50000' is known and matches the ECDSA host key.
debug1: Found key in /home/pc/.ssh/known_hosts:67
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: pc#pc-HP-ZBook-15
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to test01.cloudapp.azure.com ([40.112.77.99]:50000).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_IE.UTF-8
It seems odd to me that the SSH login is still using the 'publickey' in this case?
If you have a look on that long line, with error, you will find:
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
Server does not support password authentication. It is no wonder that it fails. You need to allow it in server config or log in using private key.

How to Reverse SSH from Shell Script

Good afternoon,
I am trying to establish a reverse SSH connection using a shell script.
Below is my calling command, from client to host, and back to client: (important data is replaced with xxxxxx)
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=15 -R 19999:localhost:22 admin#xx.xxx.xx.xx -v "sshpass -p xxxxxxx ssh -f -N -q -L 0.0.0.0:81:localhost:80 root#localhost -p 19999"
Show Below are the Output from SSH and from Netstat commands
The connection does show up on Netstat unfortunately, it shows up as TIME_WAIT instead of ESTABLISHED and I cannot access port 80 on client from another machine (by accessing port 81 on host)
Is this the correct way to establish Reverse SSH connection without having to type anything on the host?
If I run the two commands manually
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=15 -R 19999:localhost:22 dmin#xx.xxx.xx.xx -v
and
sshpass -p xxxxxxx ssh -f -N -q -L 0.0.0.0:81:localhost:80 root#localhost -p 19999
Everything work, Once it's connected to the host, I do not have any problems, however I cannot do it this way from a script file.
EDIT: I tried different combinations of using -f -N and -q on the client and the host portion of the commands, but I haven't had any successful results. The best I've gotten was to display the client's firmware welcome message
Netstat output after the command was executed:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 xxx.xxxxxxxxx.myvzw.com:xxxx xxxx.us-west-1.compute.xxxxx.com:ssh TIME_WAIT
tcp 0 0 localhost:49553 localhost:ssh TIME_WAIT
udp 0 0 xxx.xxxxxxxxx.myvzw.com:xxxx xxxxxxx:ntp ESTABLISHED
Active UNIX domain sockets (w/o servers)
Debug Output from top SSH command
OpenSSH_6.6, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to xx.xxx.xxx.xx [xx.xxx.xxx.xx] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug1: Host 'xx:xxx:xxx:xx' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to xx:xxx:xxx:xx ([xx:xxx:xxx:xx]:22).
debug1: Remote connections from LOCALHOST:19999 forwarded to local address localhost:22
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: remote forward success for: listen 19999, connect localhost:22
debug1: All remote forwarding requests processed
debug1: Sending command: sleep 5; sshpass -p xxxxxxx ssh -f -N -q -L 0.0.0.0:1195:localhost:1194 root#localhost -p 19999
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 19999, originator ::1 port 38767
debug1: connect_next: host localhost ([127.0.0.1]:22) in progress, fd=7
debug1: channel 1: new [::1]
debug1: confirm forwarded-tcpip
debug1: channel 1: connected to localhost port 22
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow#openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 2
debug1: channel 1: free: ::1, nchannels 1
Transferred: sent 4768, received 4176 bytes, in 10.4 seconds
Bytes per second: sent 459.7, received 402.6
debug1: Exit status 0
Thank you,
I seem to have been able to establish a reverse connection by applying some "sleep" commands
Below is my command
ssh -o StrictHostKeyChecking=no -o ConnectTimeout=15 -f -R 19999:localhost:22 admin#XX.XXX.XXX.XX -v "sleep 5; sshpass -p XXXXXX ssh -L 0.0.0.0:81:localhost:81 root#localhost -p 19999 -v \"sleep 120\" sleep 120"
So basically I am putting the ssh process to sleep before finishing the second connection and placing the second connection to sleep right afterwards.
Interestingly enough, the connection doesn't cease after 120 seconds, it stays up. If someone would be kind enough to explain why this works, or if there is a better method, please reply
Thanks

Resources