Permission denied trying to SSH

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Agh, it was all going so well too! I've just built my new FreeNAS server (nas0), got FreeNAS installed and running, and transferred all of the data from my old machine (nas1).

I was going to manually configure nas0, but the more I thought about it the bigger job that seemed, so I thought I'd try to save a config from nas1 and upload it to nas0. I expected to have some network issues so had shut down nas1 and after nas0 rebooted, I could log in using the nas1 IP address. I sorted out the networking and assigned nas0 an IP address, and also changed the password of the root user so it was different to the one on nas1.

I then restarted nas1 and everything came back up, but for some reason now when I try to SSH into either nas1 or nas0 I'm getting a Permission denied message.

Any ideas why, or more importantly how do I fix it so I can SSH into either?

Thanks
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
Try to log in with ssh -v to see if this gives some more info.
Can you still log in to the GUI of the NAS? Go to the shell and check /var/log/auth.log for problems.
Are the checkboxes for Login as Root with password and Allow Password Authentication set in the configuration of the ssh service?
 

adrianwi

Yes, I can still get into the GUI and into the Shell from there, so it's not a massive issue, but much easier to SSH from Terminal on my Mac.

Here's the ssh -v output (I've added a few XXXXXX):

Code:
apeserver:.ssh Adrian$ ssh -v root@192.168.168.15
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 192.168.168.15 [192.168.168.15] port 22.
debug1: Connection established.
debug1: identity file /Users/Adrian/.ssh/id_rsa type -1
debug1: identity file /Users/Adrian/.ssh/id_rsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_dsa type -1
debug1: identity file /Users/Adrian/.ssh/id_dsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_ecdsa type -1
debug1: identity file /Users/Adrian/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_ed25519 type -1
debug1: identity file /Users/Adrian/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_xmss type -1
debug1: identity file /Users/Adrian/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9-hpn14v15
debug1: match: OpenSSH_7.9-hpn14v15 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.168.15:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:vacXXXXXXXXXXXvoWdRoZPuxuZOIXa5qs
debug1: Host '192.168.168.15' is known and matches the ECDSA host key.
debug1: Found key in /Users/Adrian/.ssh/known_hosts2:44
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/Adrian/.ssh/id_rsa
debug1: Trying private key: /Users/Adrian/.ssh/id_dsa
debug1: Trying private key: /Users/Adrian/.ssh/id_ecdsa
debug1: Trying private key: /Users/Adrian/.ssh/id_ed25519
debug1: Trying private key: /Users/Adrian/.ssh/id_xmss
debug1: Next authentication method: password
root@192.168.168.15's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.


Both those ticked in Service settings and the /var/log/auth.log isn't really showing anything helpful, just failed password.

Thanks
 

Fredda

"/var/log/auth.log isn't really showing anything helpful, just failed password."
Hmm, not helpful for you might be helpful to others, but I guess you got something like
sshd[96723]: Failed password for root from 10.xx.xx.xx port 35886 ssh2
Maybe something went wrong when you changed the root PW. You did this via the GUI?

Your ssh debug shows your ssh command tries to offer a lot of private keys.
Go to Accounts->Users. Edit the root account and put one of the corresponding public keys into the Authentication section.
Now you should be able to log in without a password.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Clear ssh known_hosts file on your Mac client & try again.
 

adrianwi

Thanks for the help, and sorry I wasn't more specific on the auth.log message, but I couldn't see much more than failed password as the rest was missing behind a $

I did change the password via the GUI, and tried changing again but no joy. I'm pretty sure the private keys were created when I was playing around with AWS but I'm not really sure how to use them (I really should understand more about this stuff!)

I did try clearing the known_hosts, and got an extra step when trying to connect, but still permissions denied:

Code:
apeserver:.ssh Adrian$ ssh -v root@192.168.168.15
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 192.168.168.15 [192.168.168.15] port 22.
debug1: Connection established.
debug1: identity file /Users/Adrian/.ssh/id_rsa type -1
debug1: identity file /Users/Adrian/.ssh/id_rsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_dsa type -1
debug1: identity file /Users/Adrian/.ssh/id_dsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_ecdsa type -1
debug1: identity file /Users/Adrian/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_ed25519 type -1
debug1: identity file /Users/Adrian/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_xmss type -1
debug1: identity file /Users/Adrian/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9-hpn14v15
debug1: match: OpenSSH_7.9-hpn14v15 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.168.15:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:vacXPOoYDabJ4gpVibAhjEznvoWdRoZPuxuZOIXa5qs
The authenticity of host '192.168.168.15 (192.168.168.15)' can't be established.
ECDSA key fingerprint is SHA256:vacXXXXXXXXXXVibAhjEznvoWdRoZPuxuZOIXa5qs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.168.15' (ECDSA) to the list of known hosts.
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/Adrian/.ssh/id_rsa
debug1: Trying private key: /Users/Adrian/.ssh/id_dsa
debug1: Trying private key: /Users/Adrian/.ssh/id_ecdsa
debug1: Trying private key: /Users/Adrian/.ssh/id_ed25519
debug1: Trying private key: /Users/Adrian/.ssh/id_xmss
debug1: Next authentication method: password
root@192.168.168.15's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
root@192.168.168.15's password: 
 

Fredda

It was clear removing the known_hosts did not help; a wrong known_hosts entry would have prevented you from connecting at all,
so you would not even have gotten to the point of entering your password.

You should go for the ssh-key option. If you have just played around before: remove the old keys from /Users/Adrian/.ssh/
  1. generate a new key-pair with ssh-keygen -t rsa
  2. Press enter to accept the default key file.
  3. Enter the passphrase for your private key (or press enter twice if you don't want one)
  4. Take the /Users/Adrian/.ssh/id_rsa.pub file and place it in the root account like I described in post #4
  5. ssh into the FreeNAS box. Unlock the key with the passphrase from step 3. (Only needed if a passphrase was set)
 

adrianwi

Thanks! I'd had a quick Google around doing that, so will give it a try. The strange thing though is that I can't see anything in the /Users/Adrian/.ssh folder other than the known_hosts file (which now contains the two FreeNAS IP addresses after the failed attempts to connect). Would these be hidden?

And just so I'm clear, I'm copying and pasting the details in the .pub key into Accounts > Users for the root user into the SSH Public Key field?
 

adrianwi

Nope, still not playing ball:

Code:
apeserver:.ssh Adrian$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/Adrian/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/Adrian/.ssh/id_rsa.
Your public key has been saved in /Users/Adrian/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:SuGLaeB/8ReamXXXXXXXXXnNSyFUey41gWcHlXiU Adrian@apeserver.local
The key's randomart image is:
+---[RSA 2048]----+
+----[SHA256]-----+
apeserver:.ssh Adrian$ ls
id_rsa        id_rsa.pub    known_hosts    old
apeserver:.ssh Adrian$ nano id_rsa.pub
apeserver:.ssh Adrian$ ssh -v root@192.168.168.15
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 192.168.168.15 [192.168.168.15] port 22.
debug1: Connection established.
debug1: identity file /Users/Adrian/.ssh/id_rsa type 0
debug1: identity file /Users/Adrian/.ssh/id_rsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_dsa type -1
debug1: identity file /Users/Adrian/.ssh/id_dsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_ecdsa type -1
debug1: identity file /Users/Adrian/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_ed25519 type -1
debug1: identity file /Users/Adrian/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/Adrian/.ssh/id_xmss type -1
debug1: identity file /Users/Adrian/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9-hpn14v15
debug1: match: OpenSSH_7.9-hpn14v15 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.168.15:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:vacXPOoYDabJ4XXXXXXXdRoZPuxuZOIXa5qs
debug1: Host '192.168.168.15' is known and matches the ECDSA host key.
debug1: Found key in /Users/Adrian/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:SuGLaeB/8ReampISvx5ZyRvFExxxxxxxxXiU /Users/Adrian/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/Adrian/.ssh/id_dsa
debug1: Trying private key: /Users/Adrian/.ssh/id_ecdsa
debug1: Trying private key: /Users/Adrian/.ssh/id_ed25519
debug1: Trying private key: /Users/Adrian/.ssh/id_xmss
debug1: Next authentication method: password
root@192.168.168.15's password:
 

Fredda

Check if the pubkey is in .ssh/authorized_keys inside the root account's home directory.
Check the permissions of the file and the directory.
Check the auth.log on the server.
 

adrianwi

This is the /root/.ssh folder:

Code:
root@freenas1:~/.ssh # ls -l
total 2
-rw-------  1 root  wheel  170 Dec 12 15:56 authorized_keys
-rw-r--r--  1 root  wheel  528 Dec 12 10:15 known_hosts
root@freenas1:~/.ssh #


And inside the authorized_keys file is the key:

Code:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/H2OZ5UokZfEPGrlTUV412EzRQP8PAMg/p.......


And this is from the auth.log:

Code:
Dec 12 17:44:19 freenas1 sshd[17791]: Failed password for root from 192.168.168$
Dec 12 17:44:19 freenas1 sshd[17791]: Connection closed by authenticating user $
Dec 12 17:44:37 freenas1 sshd[17934]: Accepted password for root from 192.168.1$


It didn't add anything to the log by running ssh -v root@192.168.168.15, but when entering the password added the first two lines. I then tried it again straight away, and using exactly the same password has worked!

Can't understand that at all. I did find it strange as I'd managed to SSH in using the Terminus app on my phone, but it just wasn't working on my Macs. Very strange.
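The server-side checks suggested in this thread (public key present in authorized_keys, no group or other write permission on the home directory, .ssh and authorized_keys) can be scripted. This is an added example, not part of any post; the function names are this example's own and the paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: server-side checks for key-based SSH login.
# Usage: check_ssh_key_setup <home-dir> <public-key-file>

# 0 if PATH exists and has no write bit for group or other,
# 1 if it has one, 2 if PATH cannot be read.
no_group_other_write() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 2
    case "$perms" in
        ?????w????|????????w?) return 1 ;;   # char 6 = group w, char 9 = other w
    esac
    return 0
}

# key_is_authorized <authorized_keys> <public-key-file>
# 0 if the base64 field of the public key appears as a whole field on a
# non-comment line (options in front of the key type are allowed).
key_is_authorized() {
    blob=$(awk 'NF >= 2 { print $2; exit }' "$2" 2>/dev/null)
    [ -n "$blob" ] || return 2
    awk -v b="$blob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Prints one line per check and returns the number of problems found.
check_ssh_key_setup() {
    home=$1; pub=$2; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if no_group_other_write "$p"; then
            echo "ok    $p"
        else
            echo "FAIL  $p is missing or writable by group/other"
            problems=$((problems + 1))
        fi
    done
    if key_is_authorized "$home/.ssh/authorized_keys" "$pub"; then
        echo "ok    key from $pub is listed"
    else
        echo "FAIL  key from $pub is not listed in full"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

The listing above shows authorized_keys at 170 bytes, while a complete 2048-bit RSA public key line is about 380 characters before its comment; matching the whole base64 field reports a shortened or line-wrapped paste as not listed.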
 

Fredda

Strange. But good it finally worked, like it should have. So it's still not working from your Mac?

Also strange the key authentication did not work. But for completeness' sake, to have that working,
the HOME directory, the .ssh directory and the authorized_keys file must all not have write permissions
for group or other, otherwise it will not work.

"I can't see anything in the /Users/Adrian/.ssh folder other than the known_hosts file"
That was a mistake by me. The debug line
debug1: Trying private key: /Users/Adrian/.ssh/id_rsa
means that the ssh client would have offered that file if it existed, while the line
debug1: Offering public key: RSA SHA256:SuGLaeB/8ReampISvx5ZyRvFExxxxxxxxXiU /Users/Adrian/.ssh/id_rsa
means that the client used that key for an authentication attempt.
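The difference between the two debug lines can be read out of a log mechanically. This is an added example, not part of the thread: it assumes the debug line layout of the OpenSSH 7.8 client shown above, the function names are its own, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: tell which keys in `ssh -v` output were really sent to the
# server and which were only default paths the client looked at.

classify_ssh_keys() {
    awk '
        # A new method starts: forget the key we were waiting on
        /^debug1: Next authentication method: / {
            cur = ""
            if ($NF == "password") pw = 1
        }
        # A public key was sent to the server for this path
        /^debug1: Offering public key: / {
            cur = $NF; state[cur] = "offered"; seen[++n] = cur
        }
        # The client tries to load this file; nothing is sent if that fails
        /^debug1: Trying private key: / {
            cur = $NF; state[cur] = "not-sent"; seen[++n] = cur
        }
        # The server lists remaining methods right after a key: key refused
        /^debug1: Authentications that can continue: / {
            if (cur != "") { state[cur] = "rejected"; cur = "" }
        }
        /^Permission denied/ { denied++ }
        END {
            for (i = 1; i <= n; i++) print state[seen[i]], seen[i]
            if (pw) print "password-prompted failures=" (denied + 0)
        }'
}

# Constructed sample modelled on the logs in the thread
# (fingerprint replaced by a placeholder).
sample_log() {
    cat <<'EOF'
debug1: identity file /Users/Adrian/.ssh/id_rsa type 0
debug1: identity file /Users/Adrian/.ssh/id_ed25519 type -1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:PLACEHOLDER /Users/Adrian/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/Adrian/.ssh/id_ed25519
debug1: Next authentication method: password
Permission denied, please try again.
EOF
}

sample_log | classify_ssh_keys
```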
 