SOLVED SSH passwordless login failed

NeverEnd

Dabbler
Joined
Jun 4, 2019
Messages
32
Hi all,

I've been struggling with ssh passwordless login for several days and have searched the Internet through countless posts, but none of them worked. I'm trying to get some help here and hope that I can make it work.

This is what I've done:
  1. enabled SSH service and enabled password authentication in SSH config GUI page, since I don't want to disable password authentication for all users.
  2. created RSA key pairs with "ssh-keygen -t rsa" on my mac.
  3. created a new user (userA), set up the home folder with permission 755 (all parent folders have permission 755), disabled password login for userA, and pasted the public key contents into the "SSH Public key" field.
  4. checked that the contents of the file "authorized_keys" in the folder /mnt/home/userA/.ssh/ are the same as the public key file.
  5. on my mac I ran the command "ssh -i /path/to/key/id_rsa userA@freenas", typed yes, and it asks me for a password - which I don't have.
Could there be something wrong in what I've done? What else can I do to find out what's going on?
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
What exactly is the prompt when you're asked for the password?
There are two options for what could have happened.
  • When generating the key pair the key was protected by a passphrase, which you now have to enter to unlock the key.
  • Some permissions on the key are not correct and the key is still ignored.
You might also want to add a "-v" to the ssh call...
 

NeverEnd

Dabbler
Joined
Jun 4, 2019
Messages
32
What exactly is the prompt when you're asked for the password?
There are two options for what could have happened.
  • When generating the key pair the key was protected by a passphrase, which you now have to enter to unlock the key.
  • Some permissions on the key are not correct and the key is still ignored.
You might also want to add a "-v" to the ssh call...

I did not use a passphrase when I created the rsa key.

This is the output when I ssh with "-v". I replaced some personal characters but the messages remain the same:

Code:
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to FREENAS [192.168.1.10] port 22.
debug1: Connection established.
debug1: identity file key/freenas/freenas_rsa type 0
debug1: identity file key/freenas/freenas_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9-hpn14v15
debug1: match: OpenSSH_7.9-hpn14v15 pat OpenSSH* compat 0x04000000
debug1: Authenticating to FREENAS:22 as 'userA'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qbtt2zMI15HLAB6J+vGFO0b5jZQxecW8R7zLg7oSAq0
debug1: Host '[FREENAS]:22' is known and matches the ECDSA host key.
debug1: Found key in /Users/userA/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key:  RSA SHA256:de5tfEQrnqvovbxVa6I/nIjRFxxj3wgM96qLARr3U1M agent
debug1: Will attempt key: key/freenas/freenas_rsa RSA SHA256:ruaK/D8W5f3aO36fQxoPnkSiuQR0trB9XKu4lih97JU explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key:  RSA SHA256:de5tfEQrnqvovbxVa6I/nIjRFxxj3wgM96qLARr3U1M agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: key/freenas/freenas_rsa RSA SHA256:ruaK/D8W5f3aO36fQxoPnkSiuQR0trB9XKu4lih97JU explicit
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
userA@FREENAS's password: 
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
The key is not accepted by the server; it should look like this:
Code:
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /...../.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).

You should look at the contents of /var/log/auth.log on your server.
 

NeverEnd

Dabbler
Joined
Jun 4, 2019
Messages
32
@Fredda You're right, I tailed /var/log/auth.log while I ssh'd with the key and it shows this message:

Code:
Aug 28 18:14:48 freenas sshd[4307]: Authentication refused: bad ownership or modes for directory /mnt/home/userA/.ssh
Aug 28 18:14:56 freenas sshd[4307]: Connection closed by authenticating user userA 192.168.1.99 port 54106 [preauth]


I checked /mnt/home/userA/.ssh and its owner is "userA" with permission 775. I Googled this message and someone says "SSH doesn't like it if your home or ~/.ssh directories have group write permissions". After changing the permission to 755, I can now log in to FreeNAS passwordless!!

I should've checked /var/log/auth.log... should've thought about this from the very beginning. Thanks very much Fredda.

One more thing: it says "Authentications that can continue: publickey,password" in ssh verbose mode. I've disabled password login for userA and enabled the RSA key, so should "publickey" be the only method that the server accepts?
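Added example, not code from the thread or from FreeNAS: a Python reproduction of the StrictModes ownership/mode rule behind the auth.log refusal above (home, ~/.ssh and authorized_keys must be owned by the user or root and must not be group- or world-writable), plus a small parser that picks that refusal out of auth.log lines. The temporary home directory and placeholder key are constructed; it assumes a POSIX host.

```python
"""Added example (not from the thread): reproduce the StrictModes check that
made sshd log "bad ownership or modes" for userA, and pick that refusal out
of auth.log lines.  Assumes a POSIX host; paths and the key are constructed."""
import os
import re
import stat
import tempfile
from pathlib import Path

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH   # the 022 bits sshd rejects

def strict_modes_problems(home, uid):
    """Return (path, reason) pairs sshd would refuse under StrictModes yes:
    home, ~/.ssh and authorized_keys must be owned by the user (or root)
    and must not be group- or world-writable."""
    problems = []
    home = Path(home)
    for path in (home, home / ".ssh", home / ".ssh" / "authorized_keys"):
        try:
            st = path.stat()
        except FileNotFoundError:
            problems.append((str(path), "missing"))
            continue
        if st.st_uid not in (uid, 0):
            problems.append((str(path), "not owned by uid %d" % uid))
        if st.st_mode & GROUP_OR_WORLD_WRITABLE:
            problems.append((str(path), "mode %o is group/world writable" % stat.S_IMODE(st.st_mode)))
    return problems

REFUSAL = re.compile(r"sshd\[\d+\]: Authentication refused: bad ownership or modes for (directory|file) (\S+)")

def refused_paths(log_lines):
    """Extract (path, kind) from auth.log lines carrying sshd's refusal message."""
    return [(m.group(2), m.group(1)) for m in map(REFUSAL.search, log_lines) if m]

def demo():
    """Recreate the thread's mistake (~/.ssh at 775) in a throwaway home dir,
    then apply the fix (755) and re-run the check."""
    home = Path(tempfile.mkdtemp())            # constructed stand-in for /mnt/home/userA
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir()
    (ssh_dir / "authorized_keys").write_text("ssh-rsa PLACEHOLDER-KEY userA@mac\n")
    os.chmod(ssh_dir / "authorized_keys", 0o644)
    os.chmod(ssh_dir, 0o775)          # group-writable: sshd refuses the key
    before = strict_modes_problems(home, os.getuid())
    os.chmod(ssh_dir, 0o755)          # the fix from the thread
    after = strict_modes_problems(home, os.getuid())
    return before, after
```

Running `demo()` returns one problem for the 775 `.ssh` directory and none after the chmod; feeding the two auth.log lines from the post to `refused_paths` yields the refused directory and its kind.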
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
One more thing: it says "Authentications that can continue: publickey,password" in ssh verbose mode. I've disabled password login for userA and enabled the RSA key, so should "publickey" be the only method that the server accepts?
Yes, that's what it should show. It does this for my 11.2u5 box.

You could check that from a shell with no key available; in that case the login attempt will fail:
Code:
ssh freenas
Permission denied (publickey).

You can check the sshd config file /usr/local/etc/ssh/sshd_config on your box. Without password logins the line PasswordAuthentication yes should not appear.
 

NeverEnd

Dabbler
Joined
Jun 4, 2019
Messages
32
Mine is also 11.2u5. I enabled "Allow password authentication" on the service->ssh config page and disabled "password login" for the user "userA", so the message shows password as an option because it's enabled globally.

By disabling "password authentication" on service->ssh and enabling "password login" for the specific user, the user can only log in with the key and can still mount the SMB share with a password. Thanks so much!
 