SSH authentication Issue
-
I have a wpsshupdate user set up to allow SSH updating using this plugin.
I have a copy of the RSA-4096 SSH keys accessible by the webserver group.
I am able to ssh to localhost from the wpsshupdate user and successfully log in.
When I attempt to use the plugin to update I get:
Private key incorrect for wpsshupdate
Make sure that the key you are using is an RSA key and not a DSA keyWhen I look at my auth.log I see:
Aug 13 16:13:27 web02 sshd[4529]: rexec line 18: Deprecated option UsePrivilegeSeparation
Aug 13 16:13:27 web02 sshd[4529]: rexec line 25: Deprecated option KeyRegenerationInterval
Aug 13 16:13:27 web02 sshd[4529]: rexec line 26: Deprecated option ServerKeyBits
Aug 13 16:13:27 web02 sshd[4529]: rexec line 37: Deprecated option RSAAuthentication
Aug 13 16:13:27 web02 sshd[4529]: rexec line 44: Deprecated option RhostsRSAAuthentication
Aug 13 16:13:41 web02 sshd[4529]: reprocess config line 37: Deprecated option RSAAuthentication
Aug 13 16:13:41 web02 sshd[4529]: reprocess config line 44: Deprecated option RhostsRSAAuthentication
Aug 13 16:13:41 web02 sshd[4529]: Received disconnect from 127.0.0.1 port 54974:11: [preauth]
Aug 13 16:13:41 web02 sshd[4529]: Disconnected from authenticating user wpsshupdate 127.0.0.1 port 54974 [preauth]I have hardened my ssh to accept only RSA4096 or Ed25519 keys if that might be causing the issue?
-
Also, I only allow the following:
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]But since its ssh’ing to itself, you’d think it would work since the user itself can without issue.
I am using version 0.8.2.
The private key starts with:
—–BEGIN RSA PRIVATE KEY—–The php user and the webserver are both using the custom user deploy, which has group access to read the /home/wpsshupdate/.ssh/wp_rsa file. This is a duplicate of the id_rsa file, but with more open permissions. The reason for that is the ssh server will not accept id_rsa for testing with group read permissions for the deploy user on it. I suppose I might get around this by having the deploy user be the ssh user, but I purposely set it up so that the deploy user cannot connect via ssh.
And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them.
Also, this is on Ubuntu 18.04, phpfpm-73, nginx 1.17.2, OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017, wordpress-4.9.10
And as far as I know, the keys are not encrypted & for sure, they do not have a passcode on them.
Encryption isn’t an issue given that the keys start off with
-----BEGIN RSA PRIVATE KEY-----. It’s only an issue for keys starting off with-----BEGIN OPENSSH PRIVATE KEY-----.Anyway, I’d be willing to bet $10 that the underlying library is not due to the key being in an unsupported format. Maybe the issue is, as David Anderson hinted at, your permissions. You insist those are fine, but that would certainly explain what you’re seeing, none-the-less.
I would suggest you provide me with the key and I can verify that the key is able to be loaded but that’s also basically giving me the credentials to your server as well. Can you create a key that you believe reproduces the issue that you’d be willing to share?
If it is a legit issue with the underlying library I will pay you, via PayPal, $10 for finding that issue.
I mean, I suppose it’s possible that the key is malformed. You can’t just base64 encode a random string and expect it to be loaded as an RSA key. I would not pay $10.00 for this. But I can’t make that determination without seeing a key that reproduces the issue.
The topic ‘SSH authentication Issue’ is closed to new replies.
