I have two users on `desktop` - `root` and `user`. I have a `bastion` and a `protected` host. When I run `ssh protected` as `root` on `desktop`, I connect fine. When I run `ssh protected` as `user` on `desktop`, I get no output - just a blank line, like it's waiting for something. However, `user` can log in directly to the `bastion` host and from there to the `protected` host.
Both `root` and `user` have the same contents in their `.ssh` directories (`# cp -r ~/.ssh /home/user; chown -R user:user /home/user/.ssh`).
The `bastion` host appears to be forwarding properly - running `$(which sshd) -Ddp 10222` (per https://unix.stackexchange.com/a/128910/9583) shows the same `debug1: channel 0: connected to protected port 22` line on both.
Running the same on `protected` shows the same output until:
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
The second line does not display when connecting from `user` on `desktop`.
`ssh -vvv protected` as `user` on `desktop` shows:
OpenSSH_7.9p1, OpenSSL 1.1.1 11 Sep 2018
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: /home/user/.ssh/config line 10: Applying options for protected
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Executing proxy command: exec ssh bastion -W protected:22
debug1: identity file /home/user/.ssh/id_protected type 0
debug1: identity file /home/user/.ssh/id_protected-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: ssh_exchange_identification: \033[3g
\033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H \033H
SSH-2.0-Op
debug1: ssh_exchange_identification: enSSH_7.9
debug1: ssh_exchange_identification:
debug1: ssh_exchange_identification: 6,diffie-hellman-group14-sha1
debug1: ssh_exchange_identification: aes192-ctr,aes256-ctr,[email protected],[email protected]
debug1: ssh_exchange_identification: 2-256,hmac-sha2-512,hmac-sha1
As `root` on `desktop` everything is the same up until the first `ssh_exchange_identification` line.
My ssh config is:
Host *
    ServerAliveInterval 60
    IdentitiesOnly yes

Host bastion
    HostName bastion.host
    IdentityFile ~/.ssh/id_protected
    User user

Host protected
    IdentityFile ~/.ssh/id_protected
    Hostname protected
    User user
    ProxyCommand ssh bastion -W %h:%p
I have also tried https://askubuntu.com/a/976226/427339, but I believe this doesn't apply for two reasons - 1. emptying my `~/.config/fish/fish.config` made no difference, and 2. I can log in to the same `user` on `protected` from `root` on `desktop`.
All three systems are running Arch Linux. `protected` and `desktop` are both using the `fish` shell.
Edit:
`user@bastion`'s `~/.ssh/config`:
Host *
    ServerAliveInterval 60

Host protected
    User user
    IdentityFile ~/.ssh/id_protected
This, as mentioned above, works fine to log into `protected`. `/etc/hosts` has an entry for `protected` pointing to the net-local IP - 10.x.x.x.
Edit 2:
My issue appears very similar to these:
- https://groups.google.com/d/topic/comp.security.ssh/e1nObaX5ZWg/discussion
- https://groups.google.com/d/topic/comp.security.ssh/_HDV0JXXQA8/discussion
- https://groups.google.com/d/topic/comp.security.ssh/tDgwEDJKGuE/discussion
I have not yet tried the MTU workaround, and am not familiar enough with protocol analyzers to have one set up and handy right now.
Edit 3:
Adding `-v` to the `ProxyCommand` (it is now `ProxyCommand ssh -v bastion -W %h:%p`), full output of `user@desktop$ ssh protected`:
OpenSSH_7.9p1, OpenSSL 1.1.1 11 Sep 2018
debug1: Reading configuration data /home/user/.ssh/config
debug1: /home/user/.ssh/config line 1: Applying options for *
debug1: /home/user/.ssh/config line 5: Applying options for bastion
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to bastion [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_protected type 0
debug1: identity file /home/user/.ssh/id_protected-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bastion:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HfDmNOGgLrPLMsnCbyZuEuJapj+T6wrSTTiFSd+37ag
debug1: Host 'bastion' is known and matches the ECDSA host key.
debug1: Found key in /home/users/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent
debug1: Server accepts key: /home/user/.ssh/id_protected RSA SHA256:iH5F4stK+j+2/qkGJlL5D6TOEHNiwbR4jCzckI7IHaE explicit agent
debug1: Authentication succeeded (publickey).
Authenticated to bastion ([x.x.x.x]:22).
debug1: channel_connect_stdio_fwd protected:22
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: /home/user/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/user/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
--- very long delay; from `root` everything is the same till here, but the next line is `Last login: ...`, etc - a successful connection ---
debug1: channel 0: FORCE input drain
ssh_exchange_identification: Connection closed by remote host
debug1: channel 0: free: direct-tcpip: listening port 0 for protected port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Killed by signal 1.
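A way to look at what the ProxyCommand actually hands the ssh client before the SSH banner, as an added diagnostic that is my code and not part of the question or of OpenSSH. It applies the RFC 4253 section 4.2 rule that a server may send text lines before its `SSH-2.0-...` identification string (each CRLF-terminated, never starting with `SSH-`, ignored by the client), and flags two things a healthy server never produces: control bytes such as the `\033[3g` / `\033H` terminal sequences in the output above, and readable text where the binary KEXINIT packet should start. The proxy command it runs is assumed to be the one from the config above (`ssh bastion -W protected:22`); the samples are constructed, the first one shaped like the question's output.

```python
"""Inspect the bytes a ProxyCommand returns before and around the SSH banner.

Added example, not from the question. Run without arguments to analyze the
constructed samples; pass a proxy command to probe a real hop, e.g.
    python3 banner_check.py ssh bastion -W protected:22
"""
import re
import subprocess
import sys

# "SSH-protoversion-softwareversion [comment]" (RFC 4253, section 4.2).
BANNER_RE = re.compile(rb"^SSH-(\d\.\d+)-([\x21-\x7e]+)(?: (.*))?$")
# C0 controls other than TAB/LF/CR, DEL and non-ASCII: never part of pre-banner text.
CONTROL_RE = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]")


def analyze_banner_stream(data: bytes) -> dict:
    """Split the first bytes from the proxy into pre-banner lines, banner and rest."""
    lines = data.split(b"\n")
    pre_lines, banner, rest = [], None, b""
    for idx, raw in enumerate(lines):
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            banner = line
            rest = b"\n".join(lines[idx + 1:])  # rejoined verbatim; may be binary
            break
        pre_lines.append(line)

    control_bytes = sum(len(CONTROL_RE.findall(l)) for l in pre_lines)
    findings = []
    if banner is None:
        findings.append("no SSH- identification line in the captured bytes")
    else:
        if control_bytes:
            findings.append(
                f"{control_bytes} control byte(s) in {len(pre_lines)} line(s) before "
                "the banner: something on the hop is writing terminal output into the stream")
        if not BANNER_RE.match(banner):
            findings.append(f"malformed identification line {banner!r}")
        # After the banner the server sends the binary KEXINIT packet; its first byte is
        # the high byte of the uint32 packet length, i.e. 0x00. Readable text here means
        # the banner itself was cut or padded (for example by a pty wrapping lines).
        if rest and rest[:1] != b"\x00":
            findings.append(f"readable data after the banner: {rest[:20]!r}")
    return {
        "pre_lines": pre_lines,
        "banner": banner,
        "control_bytes": control_bytes,
        "findings": findings,
        "verdict": "clean" if not findings else findings[0],
    }


def capture_proxy_output(proxy_cmd: list, timeout: float = 5.0, limit: int = 512) -> bytes:
    """Run the ProxyCommand with stdin at /dev/null and return up to `limit` bytes of stdout.

    Assumption: with stdin closed the far end sees EOF right after sending its banner
    and closes; the timeout covers a hop that hangs instead of closing.
    """
    try:
        proc = subprocess.run(proxy_cmd, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, timeout=timeout)
        out = proc.stdout
    except subprocess.TimeoutExpired as exc:
        out = exc.stdout or b""
    return out[:limit]


# Constructed samples. SAMPLE_BROKEN has the shape of the question's output: a
# "clear all tabs" sequence, forty "set tab" sequences, then a banner split in two.
SAMPLE_BROKEN = b"\x1b[3g\n" + b"\x1bH " * 40 + b"\nSSH-2.0-Op\nenSSH_7.9\n"
# A clean banner followed by the start of a binary packet (length bytes first).
SAMPLE_CLEAN = b"SSH-2.0-OpenSSH_7.8\r\n\x00\x00\x04\x1c\x08\x14"
# A legitimate pre-banner text line, which RFC 4253 allows.
SAMPLE_PRELUDE = b"Authorized users only\r\nSSH-2.0-OpenSSH_7.8\r\n"

if __name__ == "__main__":
    data = capture_proxy_output(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_BROKEN
    for key, value in analyze_banner_stream(data).items():
        print(f"{key}: {value!r}")
```

Comparing the verdict for `user` against the same command run as `root` isolates whether the extra bytes come from the hop rather than from the client's own environment.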
`.ssh` and their contents are the same (You used `cp -r`, not `cp -a`)? You double-checked that the owner change worked correctly?

I would have gotten a different error had the directory had the wrong permissions - I don't recall it, but I've seen it before. Visual inspection just now confirms - the files are owned by `user:user`, `config` and `id_protected` are `0600` and `id_protected.pub` and `known_hosts` are `0644`. The `/home/user/.ssh` directory is `700` and also owned by `user:user`.

`ForwardAgent yes` in each `Host` section at least, plus I use `nc` as the proxy.

`root@desktop` can still log in via `bastion`, `user@desktop` still cannot. I typically dislike using `nc` as the proxy as it tends to leave running `nc` processes on `bastion`. I'll add `user@bastion`'s `.ssh/config` to the post - it's set up so it can log in direct, so I wouldn't need agent forwarding (either way didn't make a difference though).