On 2021-10-17, kasak <[email protected]> wrote:
>
> 17.10.2021 13:48, Stuart Henderson wrote:
>> On 2021-10-17, kasak <[email protected]> wrote:
>>> Hello everybody! I somehow broke authorization with password in 7.0
>>>
>>> All this started after update to 7.0.
>>>
>>> I have installed default /etc/ssh/sshd_config with sysmerge.
>>>
>>> After this, i just wanted to disable password auth, to use
>>> keyboard-interactive

ahh.... What are you expecting keyboard-interactive to do?

It isn't normally used on OpenBSD.

>>> The only thing i changed in conf is this line:
>>>
>>> PasswordAuthentication no
>>> 
>>> After restart i cannot connect to this host for some reason. It just
>>> don't ask for any password and quit
>>>
>>> Here is log:
>>>
>>> $ ssh -v host
>> That's the client-side, but what is logged on the server?
>
> I'm afraid I cannot find out :) Server is not near.
>
> When I just send my first mail, I remembered, that I maybe also set 
> MaxAuthTries to 3.
> Maybe this done the trick? If so, is there any way to force client to 
> use keyboard-interactive first, and not to try absent pubkeys?
> 
>>> OpenSSH_8.8, LibreSSL 3.4.1
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: Connecting to host [xxx.xxx.xxx.xxx] port 22.
>>> debug1: Connection established.

Oh, you have no keys, these would show a type other than -1 if you did:

>>> debug1: identity file /home/kasak/.ssh/id_rsa type -1
>>> debug1: identity file /home/kasak/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/kasak/.ssh/id_dsa type -1
>>> debug1: identity file /home/kasak/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/kasak/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/kasak/.ssh/id_ecdsa-cert type -1
>>> debug1: identity file /home/kasak/.ssh/id_ecdsa_sk type -1
>>> debug1: identity file /home/kasak/.ssh/id_ecdsa_sk-cert type -1
>>> debug1: identity file /home/kasak/.ssh/id_ed25519 type -1
>>> debug1: identity file /home/kasak/.ssh/id_ed25519-cert type -1
>>> debug1: identity file /home/kasak/.ssh/id_ed25519_sk type -1
>>> debug1: identity file /home/kasak/.ssh/id_ed25519_sk-cert type -1
>>> debug1: identity file /home/kasak/.ssh/id_xmss type -1
>>> debug1: identity file /home/kasak/.ssh/id_xmss-cert type -1
>>> debug1: Local version string SSH-2.0-OpenSSH_8.8
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
>>> debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
>>> debug1: Authenticating to host:22 as 'kasak'
>>> debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file
>>> or directory
>>> debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
>>> directory
>>> debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
>>> directory
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: algorithm: curve25519-sha256
>>> debug1: kex: host key algorithm: ssh-ed25519
>>> debug1: kex: server->client cipher: [email protected] MAC:
>>> <implicit> compression: none
>>> debug1: kex: client->server cipher: [email protected] MAC:
>>> <implicit> compression: none
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: SSH2_MSG_KEX_ECDH_REPLY received
>>> debug1: Server host key: ssh-ed25519
>>> SHA256:CcikFZvpvKUQM1NqPBCkEVGwhkQVszJMb8NVxG1pX9Q
>>> debug1: load_hostkeys: fopen /home/kasak/.ssh/known_hosts2: No such file
>>> or directory
>>> debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
>>> directory
>>> debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
>>> directory
>>> debug1: Host 'host' is known and matches the ED25519 host key.
>>> debug1: Found key in /home/kasak/.ssh/known_hosts:30
>>> debug1: rekey out after 134217728 blocks
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: rekey in after 134217728 blocks
>>> debug1: Will attempt key: /home/kasak/.ssh/id_rsa
>>> debug1: Will attempt key: /home/kasak/.ssh/id_dsa
>>> debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa
>>> debug1: Will attempt key: /home/kasak/.ssh/id_ecdsa_sk
>>> debug1: Will attempt key: /home/kasak/.ssh/id_ed25519
>>> debug1: Will attempt key: /home/kasak/.ssh/id_ed25519_sk
>>> debug1: Will attempt key: /home/kasak/.ssh/id_xmss
>>> debug1: SSH2_MSG_EXT_INFO received
>>> debug1: kex_input_ext_info:
>>> server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,keyboard-interactive
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/kasak/.ssh/id_rsa
>>> debug1: Trying private key: /home/kasak/.ssh/id_dsa
>>> debug1: Trying private key: /home/kasak/.ssh/id_ecdsa
>>> debug1: Trying private key: /home/kasak/.ssh/id_ecdsa_sk
>>> debug1: Trying private key: /home/kasak/.ssh/id_ed25519
>>> debug1: Trying private key: /home/kasak/.ssh/id_ed25519_sk
>>> debug1: Trying private key: /home/kasak/.ssh/id_xmss

And these would show the key fingerprint if keys were present.
So you don't have keys to offer anyway so they aren't tried so I don't
think this is anything to do with MaxAuthTries.

>>> debug1: Next authentication method: keyboard-interactive
>>> debug1: Authentications that can continue: publickey,keyboard-interactive
>>> debug1: No more authentication methods to try.
>>> kasak@host: Permission denied (publickey,keyboard-interactive).
>>>
>>
>
>

I think to fix this you will either need to get onto the server via
another method and reenable PasswordAuthentication, or generate a
keypair and have the public key copied to the server. It's not super
fun, but an ed25519 key isn't too bad to type by hand if you need to get
somebody remote to do it ..

(General tip for changing sshd config, rcctl restart sshd and
test reconnecting before you close the first connection. If
you use ControlMaster, make sure you don't reuse an existing
already-authenticated connection when testing, in those cases you can rm
the control socket to be sure).

-- 
Please keep replies on the mailing list.
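As an added illustration of how the reply above reads the `ssh -v` output (this is not code from the thread or from OpenSSH): the script below applies that reading mechanically. An `identity file ... type -1` line means the file does not exist; a `Trying private key:` line that is never followed by an `Offering public key:` line means nothing was actually sent to the server, so it cannot count against MaxAuthTries; and the last `Authentications that can continue:` line is the set of methods the server still accepts. The two log texts are constructed (shortened from the quoted log, plus a contrasting case with a key present and a placeholder fingerprint), and the `Offering public key:` / `Server accepts key:` line formats are assumed from OpenSSH 8.x client output.

```python
"""Diagnostic reader for `ssh -v` client output (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

IDENTITY_RE = re.compile(r"identity file (\S+) type (-?\d+)")
CONTINUE_RE = re.compile(r"Authentications that can continue: (\S+)")
OFFERING_RE = re.compile(r"Offering public key: (\S+)")   # assumed 8.x format: path type fp
DENIED_RE = re.compile(r"Permission denied \(([^)]*)\)")

VERDICT_OK = "authentication was not refused in this log"
VERDICT_KEY_REFUSED = "a key was offered but refused: check authorized_keys and the server log"
VERDICT_PASSWORD_OK = "no local keys, but the server still accepts password authentication"
VERDICT_LOCKED_OUT = ("no local keys and the server does not accept password: "
                      "re-enable PasswordAuthentication through another access path "
                      "or install a public key on the server")


@dataclass
class Diagnosis:
    identities_present: list = field(default_factory=list)
    identities_missing: list = field(default_factory=list)
    keys_offered: list = field(default_factory=list)    # keys actually sent to the server
    server_methods: list = field(default_factory=list)  # last "can continue" list seen
    denied_methods: list = field(default_factory=list)
    denied: bool = False

    @property
    def verdict(self) -> str:
        if not self.denied:
            return VERDICT_OK
        if self.keys_offered:
            return VERDICT_KEY_REFUSED
        if "password" in self.server_methods:
            return VERDICT_PASSWORD_OK
        return VERDICT_LOCKED_OUT


def diagnose(log: str) -> Diagnosis:
    """Walk the client debug lines once and classify what happened."""
    d = Diagnosis()
    for line in log.splitlines():
        if m := IDENTITY_RE.search(line):
            path, ktype = m.group(1), int(m.group(2))
            # type -1 is what the client prints when the identity file is absent
            (d.identities_missing if ktype == -1 else d.identities_present).append(path)
        elif m := CONTINUE_RE.search(line):
            d.server_methods = m.group(1).split(",")
        elif m := OFFERING_RE.search(line):
            d.keys_offered.append(m.group(1))
        elif m := DENIED_RE.search(line):
            d.denied = True
            d.denied_methods = m.group(1).split(",")
    return d


# Constructed log, shortened from the quoted one: no key files exist and the
# server offers only publickey and keyboard-interactive.
NO_KEYS_LOG = """\
debug1: identity file /home/kasak/.ssh/id_rsa type -1
debug1: identity file /home/kasak/.ssh/id_rsa-cert type -1
debug1: identity file /home/kasak/.ssh/id_ed25519 type -1
debug1: identity file /home/kasak/.ssh/id_ed25519-cert type -1
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kasak/.ssh/id_rsa
debug1: Trying private key: /home/kasak/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
kasak@host: Permission denied (publickey,keyboard-interactive).
"""

# Constructed contrasting log: an ed25519 key exists (type 3) and is offered.
# The fingerprint is a placeholder, not a real key.
KEY_PRESENT_LOG = """\
debug1: identity file /home/kasak/.ssh/id_ed25519 type 3
debug1: identity file /home/kasak/.ssh/id_ed25519-cert type -1
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/kasak/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER
debug1: Server accepts key: /home/kasak/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER
Authenticated to host ([xxx.xxx.xxx.xxx]:22) using "publickey".
"""

if __name__ == "__main__":
    for name, log in (("no keys", NO_KEYS_LOG), ("key present", KEY_PRESENT_LOG)):
        d = diagnose(log)
        print(f"{name}: missing={len(d.identities_missing)} present={len(d.identities_present)} "
              f"offered={len(d.keys_offered)} server={d.server_methods}")
        print(f"  verdict: {d.verdict}")
```

Running it on the first log gives the locked-out verdict, which is the situation in the thread: nothing was offered, so MaxAuthTries never came into play, and with `PasswordAuthentication no` the only remaining way in is another access path or a key installed on the server.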
