
I've inherited an old CentOS-6 system with OpenSSH 5.3 installed. And OpenSSH is behaving oddly: currently the daemon requires the use of a public key and a password in order to log in. (It's been this way for as long as I can recall.) And now I need to be able to log in with only a password or a key, but not both!

I've verified that these settings are configured on the daemon:

[root@cp ~]# grep -v '#' /etc/ssh/sshd_config | grep -v ^$
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
UseDNS no
Subsystem   sftp    /usr/libexec/openssh/sftp-server
AllowUsers eric@*
AllowUsers techsup@*

I've checked /var/log/secure. And found these two lines after a successful login:

Feb  6 22:33:21 cp sshd[28717]: Accepted keyboard-interactive/pam for root from X.X.X.X port 25075 ssh2
Feb  6 22:33:21 cp sshd[28717]: pam_unix(sshd:session): session opened for user root by (uid=0)

I've tried debugging the login process. But nothing stood out:

eric@cp2:~$ ssh -v [email protected]
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to cp.EXAMPLE.com [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /home/eric/.ssh/id_rsa type -1
debug1: identity file /home/eric/.ssh/id_rsa-cert type -1
debug1: identity file /home/eric/.ssh/id_ecdsa type -1
debug1: identity file /home/eric/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/eric/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/eric/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/eric/.ssh/id_ed25519 type -1
debug1: identity file /home/eric/.ssh/id_ed25519-cert type -1
debug1: identity file /home/eric/.ssh/id_ed25519_sk type -1
debug1: identity file /home/eric/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/eric/.ssh/id_xmss type -1
debug1: identity file /home/eric/.ssh/id_xmss-cert type -1
debug1: identity file /home/eric/.ssh/id_dsa type -1
debug1: identity file /home/eric/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to cp.EXAMPLE.com:22 as 'root'
debug1: load_hostkeys: fopen /home/eric/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

How can I disable this behavior so that I can log in with either a password or a key?

TIA,

Eric Pretorious

Reno, Nevada

  • Better check the running configuration with sshd -T if possible
    – Turdie
    Commented Feb 8 at 7:18
  • Please show a debug output showing the problem, i.e. actually logging in using both a public key and a password. Commented Feb 8 at 9:46
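An added example, not part of the question or any answer: a small Python audit that parses an sshd_config in the format printed above and tallies the "Accepted <method> for <user>" lines from /var/log/secure. The point it makes is visible in the question's own log line: with UsePAM yes and ChallengeResponseAuthentication yes, the password prompt arrives as keyboard-interactive/pam, so PasswordAuthentication no alone does not remove it. The config and log lines are constructed from the question's; the 192.0.2.x addresses are made up.

```python
import re
from collections import Counter

# Constructed input: the question's sshd_config (trimmed) and log lines in the
# /var/log/secure format shown in the question; addresses are documentation-range.
SSHD_CONFIG = """\
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""
SECURE_LOG = """\
Feb  6 22:33:21 cp sshd[28717]: Accepted keyboard-interactive/pam for root from 192.0.2.10 port 25075 ssh2
Feb  6 22:40:02 cp sshd[28801]: Accepted publickey for eric from 192.0.2.11 port 50122 ssh2
Feb  6 22:41:15 cp sshd[28850]: Accepted password for techsup from 192.0.2.12 port 50200 ssh2
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored here too (Match blocks not handled)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg

def password_paths(cfg):
    """Ways a password prompt can reach the client. With UsePAM yes, PAM typically
    asks for the password over keyboard-interactive even if PasswordAuthentication
    is off, as long as ChallengeResponseAuthentication stays yes."""
    paths = []
    if cfg.get("passwordauthentication", "yes") == "yes":            # upstream default: yes
        paths.append("password")
    if (cfg.get("challengeresponseauthentication", "yes") == "yes"   # upstream default: yes
            and cfg.get("usepam", "no") == "yes"):                   # upstream default: no
        paths.append("keyboard-interactive/pam")
    return paths

ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def accepted_methods(log):
    """Tally successful logins by (method, user) from /var/log/secure lines."""
    return Counter(m.group(1, 2) for m in map(ACCEPT_RE.search, log.splitlines()) if m)

def audit(config_text, log_text):
    cfg = parse_sshd_config(config_text)
    paths = password_paths(cfg)
    methods = accepted_methods(log_text)
    return {
        "password_paths": paths,
        # a bare password for root needs PermitRootLogin 'yes' (not 'without-password'/'no')
        "root_password_login": cfg.get("permitrootlogin", "yes") == "yes" and bool(paths),
        "root_pam_logins": methods[("keyboard-interactive/pam", "root")],
    }
```

Run audit() against the real files (or `sshd -T` output, which prints the same keyword/value lines) to see which password path is actually open before touching the daemon.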

4 Answers


The debug shows that all identity files returned errors (type -1) and there is no public key authentication performed. Do you have read permissions to any files in /home/eric/.ssh/?

There is also an error no matching host key type found. Their offer: ssh-rsa,ssh-dss. Use ssh -o HostKeyAlgorithms=+ssh-rsa

  • Yes - I was using a client without keys to confirm that a key is required before the client even receives a prompt for their password. (I need to be able to login with either a key or a password but not both.) Commented Feb 7 at 20:44
  • Then maybe you should provide a relevant debug output with the original unmodified environment or at least note the conditions under which the debug output is made? You just made me waste my time writing an answer based on a wrong debug output.
    – AlexD
    Commented Feb 7 at 20:53
  • I apologize! But I think that you may have misread the debug output. Commented Feb 7 at 21:30

To be more explicit: you aren't (yet) trying to 'login' at all

That error does NOT mean your ssh client is trying to authenticate, commonly described as login, with a publickey. It says no matching host key type because your client does not accept the keys from the server/host. This happens at least 6 messages before it tries any kind of client/user authentication, either publickey or password. See where it says Their offer: ssh-rsa,ssh-dss -- both ssh-rsa and ssh-dss are now obsolete and insecure, and disabled by default in recent versions of OpenSSH (since 7.0 and 8.8 respectively).

See SSH No Matching Host Key Type Found
https://unix.stackexchange.com/questions/699192/unable-to-negotiate-with-ip-address-port-22-no-matching-host-key-type-found
https://unix.stackexchange.com/questions/707663/old-linux-rejects-my-ssh-id-rsa-key-from-newly-installed-windows
https://unix.stackexchange.com/questions/693370/can-no-longer-ssh-after-local-os-update-reinstall-no-matching-host-key-type-found
https://unix.stackexchange.com/questions/704177/scp-command-getting-failed-unable-to-negotiate-with-10-100-10-10-port-55-no-matching-host-key-type-found

and either specify or configure [-o]HostKeyAlgorithms={ssh-rsa|ssh-dss|ssh-rsa,ssh-dss}. Once the server key is accepted, if you then want to authenticate/login with an RSA key you will also need [-o]PubkeyAcceptedKeyTypes=ssh-rsa or in 8.5 up the newer and preferred name PubkeyAcceptedAlgorithms as stated in several of those dupes.


As @AlexD pointed out: the remote ssh is an old OpenSSH_5.3 and does not have the far more secure ciphers that are the default in OpenSSH_8.9p1.

There is a reason why ciphers were dropped, so unless your CentOS 6 box sits behind a firewall the priority is to upgrade the openssh. You will need physical access to the machine so that if something goes wrong you are not locked out.

You are connecting to: ssh -v [email protected] which means that the remote box should look for your say id_rsa.pub with eric@??? in /root/.ssh/.

  • UPDATE: I've confirmed that a key is required before the client even receives a prompt for their password! (Reminder: I need to be able to login with either a key or a password but not both.) Commented Feb 8 at 0:17
  • I guess you tried: ssh -v [email protected] and then ssh root@localhost?
    – darked89
    Commented Feb 8 at 0:46
  • The error encountered in the Q is authentication (signature) methods not ciphers. Although ciphers have also changed, 5.3 and 8.9 should both support AES-CTR (plus HMAC or UMAC), which is adequately secure though not the best possible. Commented Feb 8 at 7:03
  • @dave_thompson_085 you're right, my A was over-simplistic.
    – darked89
    Commented Feb 8 at 10:18

I'm not sure if CentOS 6 supports it, but I would try to set

RequiredAuthentications2 publickey

in the sshd_config.

https://infosec.mozilla.org/guidelines/openssh
