OpenSSH Requires Password AND Public Key!!!

Post by epretorious » 2024/02/07 19:06:55

I've inherited an old CentOS system with OpenSSH 5.3 installed. And OpenSSH is behaving oddly: Currently the daemon requires the use of a public key and a password in order to log in. (It's been this way for as long as I can recall.) And now I need to be able to log in with only a password or a key - but not both!

I've verified that these settings are configured on the daemon:

Code:

[root@cp ~]# grep -v '#' /etc/ssh/sshd_config | grep -v '^$'
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
RSAAuthentication no
PubkeyAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
UseDNS no
Subsystem	sftp	/usr/libexec/openssh/sftp-server
AllowUsers eric@*
AllowUsers techsup@*

I've checked /var/log/secure and found these two lines after a successful login:

Code:

Feb  6 22:33:21 cp sshd[28717]: Accepted keyboard-interactive/pam for root from X.X.X.X port 25075 ssh2
Feb  6 22:33:21 cp sshd[28717]: pam_unix(sshd:session): session opened for user root by (uid=0)

I've tried debugging the login process. And this stood out:

Code:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/eric/.ssh/id_rsa RSA SHA256:Z2LEkZcy7/ntslBfeMFMh0WoOdt9xneuXX9VMSYv4VU agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/eric/.ssh/id_ed25519 ED25519 SHA256:SjsJwvjUB3dVgurbsHTPooUOsGchvHGaYHy3VRS7who agent
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/eric/.ssh/id_rsa RSA SHA256:pDRJBoQKu0Ast8ypN15C6moeZ6I7lOawnj3IIgkFNjM agent
debug1: send_pubkey_test: no mutual signature algorithm

How can I disable this behavior so that I can log in with only a password or a key?

TIA,
Eric Pretorious
Reno, Nevada

Re: OpenSSH Requires Password AND Public Key!!!

Post by epretorious » 2024/02/07 19:31:13

FWIW: Here's the complete debugging output from the OpenSSH client when attempting to log in from a remote host without providing a key...

Code:

eric@cp2:~$ ssh -v root@www.EXAMPLE.com
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to www.EXAMPLE.com [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /home/eric/.ssh/id_rsa type -1
debug1: identity file /home/eric/.ssh/id_rsa-cert type -1
debug1: identity file /home/eric/.ssh/id_ecdsa type -1
debug1: identity file /home/eric/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/eric/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/eric/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/eric/.ssh/id_ed25519 type -1
debug1: identity file /home/eric/.ssh/id_ed25519-cert type -1
debug1: identity file /home/eric/.ssh/id_ed25519_sk type -1
debug1: identity file /home/eric/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/eric/.ssh/id_xmss type -1
debug1: identity file /home/eric/.ssh/id_xmss-cert type -1
debug1: identity file /home/eric/.ssh/id_dsa type -1
debug1: identity file /home/eric/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: compat_banner: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000002
debug1: Authenticating to www.EXAMPLE.com:22 as 'root'
debug1: load_hostkeys: fopen /home/eric/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

HTH,
Eric P.

Re: OpenSSH Requires Password AND Public Key!!!

Post by epretorious » 2024/02/07 19:38:05

After misreading the client debugging (above)...

Code:

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *

...I used RPM to verify the authenticity of the OpenSSH package:

Code:

[root@cp ~]# rpm -Vv openssh-server
.........  c /etc/pam.d/ssh-keycat
.........  c /etc/pam.d/sshd
.........    /etc/rc.d/init.d/sshd
S.5....T.  c /etc/ssh/sshd_config
.........  c /etc/sysconfig/sshd
.........    /usr/libexec/openssh/sftp-server
.........    /usr/libexec/openssh/ssh-keycat
.........    /usr/sbin/.sshd.hmac
.........    /usr/sbin/sshd
.........    /usr/share/doc/openssh-server-5.3p1
.........  d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
.........  d /usr/share/man/man5/moduli.5.gz
.........  d /usr/share/man/man5/sshd_config.5.gz
.........  d /usr/share/man/man8/sftp-server.8.gz
.........  d /usr/share/man/man8/sshd.8.gz
.........    /var/empty/sshd

And, according to RPM, only the /etc/ssh/sshd_config configuration file differs from what was installed on the target host.

HTH,
Eric P.

Re: OpenSSH Requires Password AND Public Key!!!

Post by TrevorH » 2024/02/07 19:55:57

> Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

This looks like the issue to me, the server side is saying it accepts key types that your client has disabled so they are not allowed. Then it falls back to password use.

There is no currently supported CentOS version that uses openssh 5.3p1 so it looks like you are running CentOS 6 on there and that died just over 3 years ago. You need to be planning how to get off that ASAP as it's insecure and will never be patched.

It's possible that what you are running there now is not the latest in which case updating it might possibly help with this. The latest and last openssh available for CentOS 6 is openssh-5.3p1-124.el6_10.x86_64 so if `rpm -q openssh` does not report that version then you could look at pointing your yum repo files in /etc/yum.repos.d at vault.centos.org at the 6.10 directory there which is the latest there will ever be. I *think* that RH added ed25519 keys to the CentOS 6 openssh at some point though I am not 100% sure and I've not had a CentOS 6 VM to look at for 3 years.

Otherwise I think you're going to have to tell your ssh client to allow ssh-rsa host keys.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
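
Added example, not part of any post in this thread: a small parser for `ssh -v` output that separates the two client-side algorithm mismatches visible in the excerpts above (host key negotiation, and an RSA key the client skips) and builds an `ssh_config` block that re-enables the legacy algorithms for one host only. The function names and sample logs are constructed for illustration; `HostKeyAlgorithms` and `PubkeyAcceptedAlgorithms` are the real client options in OpenSSH 8.5 and later.

```python
import re

OFFER = re.compile(r"no matching host key type found\. Their offer: (\S+)")
OFFERED_KEY = re.compile(r"Offering public key: (\S+) (\S+)")
METHODS = re.compile(r"Authentications that can continue: (\S+)")
NO_SIG = "send_pubkey_test: no mutual signature algorithm"

# Constructed samples modelled on the two excerpts in this thread (fingerprints replaced).
HOSTKEY_LOG = """debug1: kex: host key algorithm: (no match)
Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss"""
PUBKEY_LOG = """debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/eric/.ssh/id_rsa RSA SHA256:PLACEHOLDER agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Offering public key: /home/eric/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER agent
debug1: Authentications that can continue: publickey,password,keyboard-interactive"""

def diagnose(debug_text):
    """Return (findings, methods): algorithm mismatches and the server's last method list."""
    findings, methods, last_key = [], None, None
    for line in debug_text.splitlines():
        offer = OFFER.search(line)
        key = OFFERED_KEY.search(line)
        listed = METHODS.search(line)
        if offer:
            # Key exchange failed: the session ended before any user authentication.
            algs = offer.group(1).split(",")
            fix = "HostKeyAlgorithms +ssh-rsa" if "ssh-rsa" in algs else None
            findings.append({"stage": "host key negotiation", "detail": algs, "option": fix})
        elif key:
            last_key = key.groups()  # (path, key type)
        elif NO_SIG in line and last_key:
            # The client skipped this key itself; the server never saw it.
            fix = "PubkeyAcceptedAlgorithms +ssh-rsa" if last_key[1] == "RSA" else None
            findings.append({"stage": "publickey skipped", "detail": last_key[0], "option": fix})
        elif listed:
            methods = listed.group(1).split(",")
    return findings, methods

def host_stanza(host, findings):
    """Build an ssh_config block that re-enables legacy algorithms for one host only."""
    opts = sorted({f["option"] for f in findings if f["option"]})
    return "\n".join(["Host " + host] + ["    " + o for o in opts])

if __name__ == "__main__":
    found = diagnose(HOSTKEY_LOG)[0] + diagnose(PUBKEY_LOG)[0]
    for f in found:
        print(f["stage"], "->", f["detail"])
    print(host_stanza("www.EXAMPLE.com", found))
```

Placing the generated block under a single `Host` entry in `~/.ssh/config` keeps the SHA-1 based `ssh-rsa` algorithm disabled for every other server the client connects to.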

Re: OpenSSH Requires Password AND Public Key!!!

Post by epretorious » 2024/02/07 20:40:51

TrevorH wrote (2024/02/07 19:55:57):
> Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
>
> This looks like the issue to me, the server side is saying it accepts key types that your client has disabled so they are not allowed. Then it falls back to password use.

Yes - I was using a client without keys to verify that a key is required before the client even receives a prompt for their password.

TrevorH wrote (2024/02/07 19:55:57):
> There is no currently supported CentOS version that uses openssh 5.3p1 so it looks like you are running CentOS 6 on there and that died just over 3 years ago. You need to be planning how to get off that ASAP as it's insecure and will never be patched.

I'm trying - Really!

TrevorH wrote (2024/02/07 19:55:57):
> It's possible that what you are running there now is not the latest in which case updating it might possibly help with this. The latest and last openssh available for CentOS 6 is openssh-5.3p1-124.el6_10.x86_64 so if `rpm -q openssh` does not report that version then you could look at pointing your yum repo files in /etc/yum.repos.d at vault.centos.org at the 6.10 directory there which is the latest there will ever be. I *think* that RH added ed25519 keys to the CentOS 6 openssh at some point though I am not 100% sure and I've not had a CentOS 6 VM to look at for 3 years.
>
> Otherwise I think you're going to have to tell your ssh client to allow ssh-rsa host keys.

FWIW: I've got the latest version of OpenSSH that's available for CentOS-6:

Code:

[root@cp ~]# rpm -q openssh-server
openssh-server-5.3p1-124.el6_10.x86_64

Re: OpenSSH Requires Password AND Public Key!!!

Post by epretorious » 2024/02/09 23:25:06

UPDATE: I've confirmed that a key is required before the client even receives a prompt for their password! (Reminder: I need to be able to log in with either a key or a password but not both.)

HTH,
Eric P.

Re: OpenSSH Requires Password AND Public Key!!!

Post by Whoever » 2024/02/10 20:40:36

epretorious wrote (2024/02/07 20:40:51):
> FWIW: I've got the latest version of OpenSSH that's available for CentOS-6:
>
> Code:
>
> [root@cp ~]# rpm -q openssh-server
> openssh-server-5.3p1-124.el6_10.x86_64

Start by saving your data and re-installing a supported distribution of Linux.

Re: OpenSSH Requires Password AND Public Key!!!

Post by pjsr2 » 2024/02/11 15:09:17

Support for a number of ciphers has been removed from ssh over the last years because they are no longer secure.

Your server has a very old version of ssh installed and is only offering these legacy ciphers.
Your client on the other hand is of a more recent version and refuses to use these insecure old ciphers.
I don't know how your client was compiled. It may still have legacy support for these retracted ciphers built into it, but only uses them when you specifically tell it to do so, for example through an option like "-legacy". It may also be that your client has no support for legacy ciphers at all.

Your options are:
1) Upgrade to a supported version of CentOS (remember CentOS7 has its end-of-life in a couple of months) or for example Rocky or AlmaLinux.
2) Use a client that has legacy support for these retracted ciphers. Keep in mind that they are retracted for security reasons!

Re: OpenSSH Requires Password AND Public Key!!!

Post by jlehtone » 2024/02/12 08:27:20

epretorious wrote (2024/02/09 23:25:06):
> I've confirmed that a key is required before the client even receives a prompt for their password!

Red Hat describes how to set up such a requirement in: https://access.redhat.com/documentation ... th_methods

Despite that the man sshd_config of el6 did not mention AuthenticationMethods ...
