fail to ssh remote host with error message "Permission denied (publickey)" - public-key

Recently,I meet problem with ssh remote host.
At first,I can ssh the remote host when the "PasswordAuthentication" parameter is "yes" in the /etc/ssh/sshd_config file.
However,after I changing the "PasswordAuthentication" parameter to "no" in the /etc/ssh/sshd_config file,I fail to ssh remote host.
I know my problem is about PublicKey,because I have these parameters in my /etc/ssh/sshd_config file:
RSAAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
The result of "# ssh root#172.17.4.17 -VVV" looks like that,
debug1: Server host key: RSA 8a:bb:7f:d0:61:69:cc:b2:a1:a0:16:be:52:c1:5c:94
debug3: load_hostkeys: loading entries for host "172.17.4.17" from file "/home/jundu/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/jundu/.ssh/known_hosts:12
debug3: load_hostkeys: loaded 1 keys
debug1: Host '172.17.4.17' is known and matches the RSA host key.
debug1: Found key in /home/jundu/.ssh/known_hosts:12
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/jundu/.ssh/id_rsa ((nil))
debug2: key: /home/jundu/.ssh/id_dsa ((nil))
debug2: key: /home/jundu/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/jundu/.ssh/id_rsa
debug3: no such identity: /home/jundu/.ssh/id_rsa
debug1: Trying private key: /home/jundu/.ssh/id_dsa
debug3: no such identity: /home/jundu/.ssh/id_dsa
debug1: Trying private key: /home/jundu/.ssh/id_ecdsa
debug3: no such identity: /home/jundu/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Permission denied (publickey)?I just don't know what does it mean.Can anyone provide me with some suggestions?Thank you in advance!

In some cases of using ssh, when we meet the issues about Permission denied (publickey)?, it means two things:
1) we are using ssh key-pairs to access remote host.
2) we never let remote host know our local host's public key and don't have a private key to access.
Solutions:
step1: copy a public key to remote host(usually in ~/.ssh/authorized_key)
step2: paste the corresponding private key in local host's ~/.ssh/id_rsa(or id_dsa)

Related

Locked out of SSH terminal

I manated to lock myself out of SSH on an Canonical-Ubuntu-22.04 SSH always free server. do anyone know how i can get access back?
PS C:\Users\mikel> ssh -i ~/.ssh/ssh-key-2022-10-19.key ubuntu#129.xxx.200.16
ssh: connect to host 129.xxx.200.16 port 22: Connection refused
ssh: connect to host 129.xxx.200.16 port 22: Connection refused
means the remote host is sending the reject flags back, it can be due to
firewall blocking ssh port
iptables blocking port 22
security groups (Ingress, egress) blocking port 22
First check if you have allowed port 22 in console, if yes
then login to instance via console connection and then try to debug 1,2 points

Can't connect MySQL to DMS via CA

I'm having troubles connecting MySQL database as a source endpoint on AWS DMS.
Client sent me credentials (host, port, username, password) and certificates (CA cert, client cert, client key) and I successfully connected to DB with DBeaver.
I tried to import CA certificate in DMS and it did it successfully, but for SSL mode selected in endpoint (both verify-full and verify-ca) it gives me an error in connection testing:
Test Endpoint failed: Application-Status: 1020912, Application-Message: Cannot connect to ODBC provider ODBC general error., Application-Detailed-Message: RetCode: SQL_ERROR SqlState: HY000 NativeError: 2026 Message: [unixODBC][MySQL][ODBC 8.0(w) Driver]SSL connection error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
I have checked CA certificate with
openssl x509 -in certificate.pem -text -noout
and it seems OK.
I also ran into this article which says that CA cert must be signed by certification authority, the client sent me self signed CA certificate and apparently doesn't know how to properly sign it.
Does anyone knows how to bypass getting CA signed certificate or to get proper CA signed certificate (if this really is a problem)?

Can I use fail2ban behind router for mail server?

I'm running Docker on NAS in a home network behind a FritzBox router. Mail and web server are dockerized, external ports 22, 80, 443 are forwarded to the respektive ports on the NAS, Traefik serves as reverse proxy.
While traefik works fine thanks for X-Forwarded headers and HTTP 1.1 Host headers, I'm unable to setup fail2ban to block excessive login attempts of rogue clients. Thanks to NAT on the router, the mail container always seems the router's IP as source.
Server logs look like this:
dovecot: auth: passwd-file(luv5#xn--...,172.19.0.1): unknown user (SHA1 of given password: 63f39e)
postfix/smtpd[1118]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1118]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/smtpd[1028]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/smtpd[1028]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/smtpd[1066]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/smtpd[1066]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
dovecot: auth: passwd-file(mathew#xn--...,172.19.0.1): unknown user (SHA1 of given password: 011c94)
postfix/smtpd[2295]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[2295]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36922 to [172.19.0.11]:25
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36922
postfix/smtpd[1118]: connect from unknown[172.19.0.1]
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36948 to [172.19.0.11]:25
dovecot: auth: passwd-file(psycho#xn--...,172.19.0.1): unknown user (SHA1 of given password: 7c4a8d)
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36950 to [172.19.0.11]:25
postfix/smtpd[1118]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1118]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36958 to [172.19.0.11]:25
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36948
postfix/smtpd[2295]: connect from unknown[172.19.0.1]
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36950
postfix/smtpd[1066]: connect from unknown[172.19.0.1]
Is there anything that can be done to get fail2ban to block based on IP address for SMTP behind NAT (except for using an "exposed host")?
Thanks to NAT on the router, the mail container always seems the router's IP as source.
If you're able at all to capture from log/journal an originated IP (or something else identifying the intruder) in the filter, you could:
write own failregex or filter capturing forwarded IP, session or username (something you can use as ID to identify intruder), then ...
either try to implement a solution described in our wiki - How to ban something other as host (IP address), like user or mail, etc.
or write some actions like https://github.com/fail2ban/fail2ban/blob/0.10/config/action.d/nginx-block-map.conf (banning intruder resp. rejecting its connection on web-server or mail-service side)
or write your own action to notify your proxying service, in order to ban the originated IP on the other side (no idea traefik has something like that, but there is still open RFE about that - https://github.com/containous/traefik/issues/4026).
Also note similar question - How to implement fail2ban with Traefik

redmine email configuration with smtp

I installed Redmine 2.6.1.1 using Bitnami on Win 7, but couldn't figure out why redmine cannot send any email. I edited the configuration.yml file under \redmine-2.6.1-1\apps\redmine\htdocs\config and tried to send a test mail via both Gmail and our own e-mail server, but it didn't work.
My configuration.yml file is just like below:
default:
email_delivery:
delivery_method: :smtp
smtp_settings:
enable_starttls_auto: true
address: smtp.gmail.com
port: 587
domain: smtp.gmail.com
authentication: :plain
user_name: "someusername#gmail.com"
password: "somepassword"
In this configuration the error is:
an error occurred while sending mail (a socket operation was attempted to an unreachable network. - connect (2))
If I change the address and domain values with IP addresses then the error becomes:
an error occurred while sending mail (Permission denied - connect(2))
If I try to configure it with the values of our own mail server, then I still get the second error (permission denied).
I tried it in another PC and it worked. However, the same configuration in the old PC, it does not work. 2 PCs are in the same network and the only difference between 2 installations is that I did not configure mail settings during the Bitnami installtion in the old machine. After the installation was completed, I modified configuration.yml. However, in the new PC, I configured it during the installation.
I could solve the problem finally. The reason is McAfee security. When I disable McAfee's "Access Protection" task, it worked without any problem.

Mercurial bitbucket authorization failed

I changed my Bitbucket password based on 1Pass's watchtower recommendation. Ever since, I can't pull / push any of my repos, although I can login via a browser. I've tried both HTTP and SSH, and neither work.
Here is a sample output.
hg pull --debug https://caliChander#bitbucket.org/caliChander/cs1
using https://bitbucket.org/caliChander/cs1
http auth: user caliChander, password not set
sending capabilities command
using auth.bitbucket.* for authentication
bitbucket.org certificate successfully verified
using auth.bitbucket.* for authentication
http auth: user caliChander, password *******************************
using auth.bitbucket.* for authentication
bitbucket.org certificate successfully verified
http auth: user caliChander, password *******************************
using auth.bitbucket.* for authentication
bitbucket.org certificate successfully verified
http auth: user caliChander, password *******************************
using auth.bitbucket.* for authentication
bitbucket.org certificate successfully verified
http auth: user caliChander, password *******************************
using auth.bitbucket.* for authentication
bitbucket.org certificate successfully verified
http auth: user caliChander, password *******************************
using auth.bitbucket.* for authentication
bitbucket.org certificate successfully verified
http auth: user caliChander, password *******************************
using auth.bitbucket.* for authentication
bitbucket.org certificate successfully verified
abort: authorization failed
I'm curious as to why it says "password not set" when my ~/.hgrc looks something like this:
[ui]
username = First Last <some.email#random.com>
[auth]
bitbucket.prefix = bitbucket.org
bitbucket.username = caliChander
bitbucket.password = some_very_long_password_here
bitbucket.schemes = http https
[web]
cacerts = /etc/hg-dummy-cert.pem
My gut feeling is that certain characters aren't allowed in the password field? This was randomly generated via 1Pass. Is this so?
Just in case it's needed, the .hg/hgrc in the cs1 repo looks like this:
[paths]
default = https://caliChander#bitbucket.org/caliChander/cs1
I'm on OS X Mavericks. Thanks for the help!
I'm curious as to why it says "password not set"
Because URL may contain both username and password, your https://caliChander#bitbucket.org/ have only username part
[ui] section is irrelevant in auth-stage (it's just informative data, used for defining userdata, shown in log for local commits), only username-password from [auth] used for authentication. You can temporary disable password in hgrc and enter it by hand