If I try to login to a fedora 23 virtual machine as root, I get rejected because of "too many authentication failures" (or something like that, I don't remember the precise wording).
I'm running an agent, but none of the keys in the agent would allow a root login so I expect it to fall back to a password prompt, but I get the failure instead.
When I then try with this:
ssh -o PreferredAuthentications=keyboard-interactive,password
I do indeed get a password prompt and can login.
I suspect I'm suffering from the effects of the changes in f23 to remove various crypto algorithms and ssh1 support, etc. But I can't figure out what the heck is going on.
Any ideas? I'd love to not have to dig up the silly long option every time I want to login as root :-).
On Fri, 2016-01-22 at 18:23 -0500, Tom Horsley wrote:
Any ideas? I'd love to not have to dig up the silly long option every time I want to login as root :-).
Personally I block root logins on general principle (they're an obvious target). I login as my user and then run su or sudo.
poc
On 01/23/16 07:23, Tom Horsley wrote:
If I try to login to a fedora 23 virtual machine as root, I get rejected because of "too many authentication failures" (or something like that, I don't remember the precise wording).
I'm running an agent, but none of the keys in the agent would allow a root login so I expect it to fall back to a password prompt, but I get the failure instead.
When I then try with this:
ssh -o PreferredAuthentications=keyboard-interactive,password
I do indeed get a password prompt and can login.
I suspect I'm suffering from the effects of the changes in f23 to remove various crypto algorithms and ssh1 support, etc. But I can't figure out what the heck is going on.
Any ideas? I'd love to not have to dig up the silly long option every time I want to login as root :-).
I tried to replicate this using 2 real F23 systems.
I copied my id_rsa.pub on my local system to /root/.ssh/authorized_keys on the remote machine.
[egreshko@meimei ~]$ whoami
egreshko
[egreshko@meimei ~]$ ssh root@acer
Last login: Sat Jan 23 07:37:23 2016 from 192.168.1.18
[root@acer ~]# whoami
root
[root@acer ~]#
Is this what's failing for you?
Is this what's failing for you?
Actually, it is weird. If I have my "normal" ssh keys loaded in the agent, I can login just fine and get the password prompt:
tomh> ssh -l root fed23i
Enter passphrase for key '/home/tweety/.ssh/id_dsa':
root@fed23i's password:
Last login: Fri Jan 22 14:58:15 2016 from 10.134.30.143
[root@fed23i ~]# exit
logout
Connection to fed23i closed.
But when I add a couple of additional keys for the "test" user we have on all the virtual machines, this happens:
tomh> add-nvtest
Identity added: /tmp/nvtkey21416/nvtest-rsa (/tmp/nvtkey21416/nvtest-rsa)
Identity added: /tmp/nvtkey21416/nvtest-dsa (/tmp/nvtkey21416/nvtest-dsa)
tomh> ssh -l root fed23i
Received disconnect from 192.168.118.167: 2: Too many authentication failures
Disconnected from 192.168.118.167
tomh> ssh-add -l
2048 SHA256:L09nWkcTbR4PmWmD/q6VJmjnwuKCtUHFaPN7xCRcwvM /home/tweety/.ssh/id_rsa (RSA)
1024 SHA256:1cKg/sJMH7TrWctSWky0hLO2PaxRVFfyddsqJQEqg0o /home/tweety/.ssh/id_dsa (DSA)
521 SHA256:/9Zg1JTdgpGwGpTCnLcbRXpuwFmt6P1gzXRcNQjEgLw /home/tweety/.ssh/id_ecdsa (ECDSA)
256 SHA256:vI83jQzZhfvTtZKEmgZiXUS/0te3dS1ew5vt16K38A8 tweety@tomh (ED25519)
1024 SHA256:YD5FOdt2WnvYH7AJ5VDIrJEwJm0MV0g1WtQAlQXXHSo /tmp/nvtkey21416/nvtest-rsa (RSA)
1024 SHA256:2J62l08cX62jDElLNk2qonCH8knistaEXJg+ayb6uPw /tmp/nvtkey21416/nvtest-dsa (DSA)
Does it maybe try every key and decide there are too many that don't work when I go over a certain number?
On 01/22/2016 03:55 PM, Tom Horsley wrote:
Is this what's failing for you?
Actually, it is weird. If I have my "normal" ssh keys loaded in the agent, I can login just fine and get the password prompt:
tomh> ssh -l root fed23i
Enter passphrase for key '/home/tweety/.ssh/id_dsa':
root@fed23i's password:
Last login: Fri Jan 22 14:58:15 2016 from 10.134.30.143
[root@fed23i ~]# exit
logout
Connection to fed23i closed.
But when I add a couple of additional keys for the "test" user we have on all the virtual machines, this happens:
tomh> add-nvtest
Identity added: /tmp/nvtkey21416/nvtest-rsa (/tmp/nvtkey21416/nvtest-rsa)
Identity added: /tmp/nvtkey21416/nvtest-dsa (/tmp/nvtkey21416/nvtest-dsa)
tomh> ssh -l root fed23i
Received disconnect from 192.168.118.167: 2: Too many authentication failures
Disconnected from 192.168.118.167
tomh> ssh-add -l
2048 SHA256:L09nWkcTbR4PmWmD/q6VJmjnwuKCtUHFaPN7xCRcwvM /home/tweety/.ssh/id_rsa (RSA)
1024 SHA256:1cKg/sJMH7TrWctSWky0hLO2PaxRVFfyddsqJQEqg0o /home/tweety/.ssh/id_dsa (DSA)
521 SHA256:/9Zg1JTdgpGwGpTCnLcbRXpuwFmt6P1gzXRcNQjEgLw /home/tweety/.ssh/id_ecdsa (ECDSA)
256 SHA256:vI83jQzZhfvTtZKEmgZiXUS/0te3dS1ew5vt16K38A8 tweety@tomh (ED25519)
1024 SHA256:YD5FOdt2WnvYH7AJ5VDIrJEwJm0MV0g1WtQAlQXXHSo /tmp/nvtkey21416/nvtest-rsa (RSA)
1024 SHA256:2J62l08cX62jDElLNk2qonCH8knistaEXJg+ayb6uPw /tmp/nvtkey21416/nvtest-dsa (DSA)
Does it maybe try every key and decide there are too many that don't work when I go over a certain number?
That's exactly what it does, unless you explicitly specify which key to use. This can be done from the command line or in ~/.ssh/config (with hostname/IP match).
HTH
Konstantin Svist wrote:
On 01/22/2016 03:55 PM, Tom Horsley wrote:
Does it maybe try every key and decide there are too many that don't work when I go over a certain number?
That's exactly what it does, unless you explicitly specify which key to use. This can be done from the command line or in ~/.ssh/config (with hostname/IP match).
https://thomascannon.me/posts/fix-ssh-keys/ expands on this a bit. The IdentitiesOnly option is useful in addition to IdentityFile in the ssh config file.
I happened across that link while reading up on the recent ssh client-side roaming bugs (CVE-2016-0777 and CVE-2016-0778).
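The two replies above (try every agent key until the server's failure limit is hit; pin one key with IdentityFile plus IdentitiesOnly) can be checked against the agent listing Tom posted. The script below is an added example, not code from anyone in this thread. It assumes, from OpenSSH's sshd_config(5) rather than from the thread, that sshd's MaxAuthTries defaults to 6 and that every public key the server refuses counts as one authentication failure, so six unusable agent keys disconnect the client before it ever reaches the password prompt, while four do not. The `ssh-add -l` sample is copied from the thread; the host name and key path in the generated config stanza are Tom's.

```python
"""Added example: why a full ssh-agent trips sshd's MaxAuthTries, and the
~/.ssh/config stanza that stops the client offering every key it holds."""

import re
from typing import List, NamedTuple, Collection

# Assumption (sshd_config(5) default, not stated in the thread).
SSHD_DEFAULT_MAX_AUTH_TRIES = 6

# Sample input copied from Tom's `ssh-add -l` output earlier in the thread.
AGENT_LISTING = """\
2048 SHA256:L09nWkcTbR4PmWmD/q6VJmjnwuKCtUHFaPN7xCRcwvM /home/tweety/.ssh/id_rsa (RSA)
1024 SHA256:1cKg/sJMH7TrWctSWky0hLO2PaxRVFfyddsqJQEqg0o /home/tweety/.ssh/id_dsa (DSA)
521 SHA256:/9Zg1JTdgpGwGpTCnLcbRXpuwFmt6P1gzXRcNQjEgLw /home/tweety/.ssh/id_ecdsa (ECDSA)
256 SHA256:vI83jQzZhfvTtZKEmgZiXUS/0te3dS1ew5vt16K38A8 tweety@tomh (ED25519)
1024 SHA256:YD5FOdt2WnvYH7AJ5VDIrJEwJm0MV0g1WtQAlQXXHSo /tmp/nvtkey21416/nvtest-rsa (RSA)
1024 SHA256:2J62l08cX62jDElLNk2qonCH8knistaEXJg+ayb6uPw /tmp/nvtkey21416/nvtest-dsa (DSA)
"""


class AgentKey(NamedTuple):
    bits: int
    fingerprint: str
    comment: str
    keytype: str


# "<bits> <fingerprint> <comment> (<TYPE>)" as printed by ssh-add -l
_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s+\((\w+)\)$")


def parse_agent_listing(text: str) -> List[AgentKey]:
    """Parse `ssh-add -l` output into AgentKey records (blank lines skipped)."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ssh-add -l line: {line!r}")
        keys.append(AgentKey(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return keys


def publickey_phase_outcome(keys: List[AgentKey], accepted: Collection[str] = (),
                            max_auth_tries: int = SSHD_DEFAULT_MAX_AUTH_TRIES) -> str:
    """Simulate the client offering every agent key in order.

    `accepted` holds fingerprints the server would accept for this user.
    Returns "publickey" (logged in with a key), "disconnected" (sshd's
    "Too many authentication failures" before any password prompt), or
    "password" (all keys refused but the client may still fall back)."""
    failures = 0
    for key in keys:
        if key.fingerprint in accepted:
            return "publickey"
        failures += 1  # each refused key is one failure against MaxAuthTries
        if failures >= max_auth_tries:
            return "disconnected"
    return "password"


def config_stanza(host: str, identity_file: str) -> str:
    """The ~/.ssh/config fix from the replies: pin one key for this host and
    tell the client not to offer anything else the agent holds."""
    return "\n".join([
        f"Host {host}",
        "    IdentitiesOnly yes",
        f"    IdentityFile {identity_file}",
        "",
    ])


if __name__ == "__main__":
    keys = parse_agent_listing(AGENT_LISTING)
    print(f"{len(keys)} keys in agent, MaxAuthTries default {SSHD_DEFAULT_MAX_AUTH_TRIES}")
    print("first 4 keys only :", publickey_phase_outcome(keys[:4]))
    print("all 6 keys        :", publickey_phase_outcome(keys))
    print(config_stanza("fed23i", "~/.ssh/id_rsa"))
```

The same pinning works once on the command line as `ssh -o IdentitiesOnly=yes -i ~/.ssh/id_rsa -l root fed23i`; the config stanza just saves typing it every time. Note that trimming the agent, as Tom decided to do, only works until the next key is added, whereas IdentitiesOnly keeps the per-host behaviour fixed regardless of what the agent holds.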
Does it maybe try every key and decide there are too many that don't work when I go over a certain number?
That's exactly what it does, unless you explicitly specify which key to use. This can be done from the command line or in ~/.ssh/config (with hostname/IP match).
OK. I learn something every day :-). I guess I never had that many keys before. I'll get rid of some of the extra ones I made when experimenting with all the new kinds of keys in newer versions of ssh.