Cannot SSH using public key
-
Hey guys I am trying to configure this scan user for key login, but I am beating my head against the desk as I've run out of googling resources...
Here is my error message:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: mars_scan_user_key
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
Here are the relevant parts of my
sshd_config
PasswordAuthentication yes
# Nessus scan user
Match User scan_user
PasswordAuthentication no
# Key Authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
My steps for installation were as follows:
sudo useradd -m scan_user
sudo groupadd scan
sudo usermod -aG scan scan_user
sudo mkdir /home/scan_user/.ssh
I generated the key as sudo, but dropped the key in
/home/scan_user/.ssh/new_id_rsa.pub
and changed owner of that directory to scan_user
sudo ssh-keygen -t dsa
sudo mv /home/scan_user/.ssh/new_id_rsa.pub /home/scan_user/.ssh/authorized_keys
sudo chown -R scan_user:scan_user /home/scan_user/.ssh/
sudo chmod 0600 /home/scan_user/.ssh/authorized_keys
sudo chmod 0700 /home/scan_user/.ssh
sudo scp /home/scan_user/.ssh/new_id_rsa [email protected]:mars_scan_user_key
Then from my box I am running the following command
ssh -v -i mars_scan_user_key [email protected]
-
Why wouldn't you use
ssh-copy-id
to get the key to the public scan_user?
-
@DustinB3403 said in Cannot SSH using public key:
Why wouldn't you use
ssh-copy-id
to get the key to the public scan_user?I am trying to configure for a nessus scan. I need to upload it via GUI.
-
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
Why wouldn't you use
ssh-copy-id
to get the key to the public scan_user?I am trying to configure for a nessus scan. I need to upload it via GUI.
What key size are you setting? I vaguely remember Nessus not supporting something. It might have been ecdsa keys but it might have been the size also. It's been a while.
-
Also what distro are you logging into?
-
@DustinB3403 said in Cannot SSH using public key:
Why wouldn't you use
ssh-copy-id
to get the key to the public scan_user?I copied the key to my box that way, and I am still getting same error. In practice, that is no different then what I was doing anyway. Maybe less steps, but same as specifying a key, right?
-
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
Why wouldn't you use
ssh-copy-id
to get the key to the public scan_user?I copied the key to my box that way, and I am still getting same error. In practice, that is no different then what I was doing anyway. Maybe less steps, but same as specifying a key, right?
Well no, the ssh-copy-id command puts the key into the authorized keys on the public machine. The way you're doing it is applying a key to a user directory.
~/.ssh/authorized\ keys
Whereas the guide you're following is putting the key directly into
/home/scan_man/.ssh
The key is in a completely different location.
-
@stacksofplates said in Cannot SSH using public key:
Also what distro are you logging into?
Using Ubuntu and trying to follow their broken guide
https://tenable.force.com/s/article/SSH-Public-Key-Authentication
-
@IRJ And to confirm, you aren't using putty to generate the key pair?
-
Yeah I don't like Nessus for many reasons but one is because they're telling you to use DSA keys. That's been deprecated. Try using RSA.
-
@DustinB3403 said in Cannot SSH using public key:
@IRJ And to confirm, you aren't using putty to generate the key pair?
right.
-
Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use
ssh-keygen -t dsa
. . .
This will create the following files 2 files;
/home/scan_man/.ssh/new_id_rsa.pub ===> Public Key
/home/scan_man/.ssh/new_id_rsa ===> Private Key
-
@IRJ First off, generate the key as the user, just to make everything that much simpler. Use sudo if you have to.
sudo - scan_user keygen
Then copy the public key wherever.
sudo - scan_user ssh-copy-id [email protected]
If those throw an error, try without the
-
(that tells sudo to fully load the scan_user profile.)
No mussing about with permissions, they are set coherently already.
As @DustinB3403 said, Nessus will have to support the encryption. If they don't support at least RSA, all these "security" things they tell you to do is not worth anything.
-
@DustinB3403 said in Cannot SSH using public key:
Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use
ssh-keygen -t dsa
. . .
This will create the following files 2 files;
/home/scan_man/.ssh/new_id_rsa.pub ===> Public Key
/home/scan_man/.ssh/new_id_rsa ===> Private Key
Yeah those guides are fucked. This is the second one I am following today and the second one that is completely fucked up.
-
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use
ssh-keygen -t dsa
. . .
This will create the following files 2 files;
/home/scan_man/.ssh/new_id_rsa.pub ===> Public Key
/home/scan_man/.ssh/new_id_rsa ===> Private Key
Yeah those guides are fucked. This is the second one I am following today and the second one that is completely fucked up.
/agree
-
@travisdh1 said in Cannot SSH using public key:
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
Technically the guide I see here is showing RSA key pairs and not dsa, even though the instructions say to use
ssh-keygen -t dsa
. . .
This will create the following files 2 files;
/home/scan_man/.ssh/new_id_rsa.pub ===> Public Key
/home/scan_man/.ssh/new_id_rsa ===> Private Key
Yeah those guides are fucked. This is the second one I am following today and the second one that is completely fucked up.
/agree
I figured the first one out. I guess I should make guides here once I am done, because the interwebs does not have any good documentation for this and Tenable has really screwed up.
-
@travisdh1 said in Cannot SSH using public key:
@IRJ First off, generate the key as the user, just to make everything that much simpler. Use sudo if you have to.
sudo - scan_user keygen
Then copy the public key wherever.
sudo - scan_user ssh-copy-id [email protected]
If those throw an error, try without the
-
(that tells sudo to fully load the scan_user profile.)
No mussing about with permissions, they are set coherently already.
As @DustinB3403 said, Nessus will have to support the encryption. If they don't support at least RSA, all these "security" things they tell you to do is not worth anything.
It should support RSA, and it looks like I should switch user to generate keys. I don't see anywhere to generate for another user.
-
@IRJ Just login as the scan_user and then run the ssh-keygen process if you want to run it under that user account.
-
Literally
su scan_user
ssh-keygen -t rsa
-
@DustinB3403 said in Cannot SSH using public key:
Literally
su scan_user
ssh-keygen -t rsa
yeah doing it now.
-
Still getting permission denied when trying to login even via ssh-copy-id
-
I want to throw something right now!!! This should be so basic!!! ugh
-
@DustinB3403 said in Cannot SSH using public key:
@IRJ okay lets take a step back.
Can you ssh into this unit as
scan_user
?
ssh [email protected] ?
I cannot right now because I have these lines in sshd
Match User scan_user
PasswordAuthentication no
-
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
@IRJ okay lets take a step back.
Can you ssh into this unit as
scan_user
?
ssh [email protected] ?
I cannot right now because I have these lines in sshd
Match User scan_user
PasswordAuthentication no
Then you would never be able to copy the key to this system. You need password auth first, which can be disabled once you have working keys.
Unless you manually copy and paste the key to this system, which is stupid.
Just enable passauth for the time, setup the key with ssh-copy-id and then turn off the passwordauth.
-
@DustinB3403 said in Cannot SSH using public key:
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
@IRJ okay lets take a step back.
Can you ssh into this unit as
scan_user
?
ssh [email protected] ?
I cannot right now because I have these lines in sshd
Match User scan_user
PasswordAuthentication no
Then you would never be able to copy the key to this system. You need password auth first, which can be disabled once you have working keys.
Ok. I commented it out, restarted sshd and I was able to login with password.
-
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
@IRJ said in Cannot SSH using public key:
@DustinB3403 said in Cannot SSH using public key:
@IRJ okay lets take a step back.
Can you ssh into this unit as
scan_user
?
ssh [email protected] ?
I cannot right now because I have these lines in sshd
Match User scan_user
PasswordAuthentication no
Then you would never be able to copy the key to this system. You need password auth first, which can be disabled once you have working keys.
Ok. I commented it out, restarted sshd and I was able to login with password.
Okay, now perform the
ssh-copy-id
command.
-
@IRJ ?
-
@DustinB3403 said in Cannot SSH using public key:
@IRJ ?
I finally got it working! I commented that out and it is now working. I was also able to turn off password authentication for that account.
The issue was in my
sshd_config
AuthorizedKeysFile %h/.ssh/authorized_keys
-
Gonna have to do this on another server for a sanity check though lol
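-
Added example, not part of the thread and not code from any poster: sshd treats every keyword that follows a Match line as part of that block until the next Match line or the end of the file, so the placement of directives in sshd_config matters. The script below lists the scope each directive falls in; the function names match_scope and scope_of are hypothetical and the sample file is constructed to mirror the layout posted above.

```shell
#!/bin/sh
# Added example: report which scope each sshd_config directive lands in.
# Comments, blank lines and indentation do not end a Match block.

# match_scope FILE -> one "<scope><TAB><directive>" line per directive
match_scope() {
    awk '
        BEGIN { scope = "global" }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if (tolower($1) == "match") {    # keywords are case-insensitive
                scope = $0                   # remember the whole Match line
                next
            }
            printf "%s\t%s\n", scope, $0
        }
    ' "$1"
}

# scope_of FILE KEYWORD -> the scope(s) in which KEYWORD is set
scope_of() {
    match_scope "$1" | awk -F '\t' -v k="$2" '
        { split($2, w, /[ \t=]+/) }
        tolower(w[1]) == tolower(k) { print $1 }'
}

# Constructed sample with the same ordering as the config in the first post.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
PasswordAuthentication yes

# Nessus scan user
Match User scan_user
PasswordAuthentication no

# Key Authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
EOF

match_scope "$sample"
```

On a live host, `sudo sshd -T -C user=scan_user,host=localhost,addr=127.0.0.1` prints the effective values sshd would apply to that user, which is the authoritative check.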