The issue: Even though I've set up AuthorizedKeysCommand and password authentication is stopped when I attempt to log in from my Mac, I am still being asked to enter the password:
OS: Rocky Linux 9.2
OpenSSH version on the server: OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
```
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:g7nyjiJifRo58tqXivGLTyxst7KP207XMKj3mNS3z4z
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user/.ssh/id_ecdsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/user/.ssh/id_ed25519
debug1: Trying private key: /Users/user/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/user/.ssh/id_xmss
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
([email protected]) Password:
```

Here is the /etc/ssh/sshd_config:
```
# General SSH settings
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Specify the protocol versions
Protocol 2

# HostKeys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication settings
# Disable root login
PermitRootLogin no

# Use public key authentication
PubkeyAuthentication yes

# Local file to check for public keys (optional, as we use AuthorizedKeysCommand)
#AuthorizedKeysFile .ssh/authorized_keys

# Use the script to fetch keys from GitLab repo
AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh %u
AuthorizedKeysCommandUser root

# ignore existing authorized_keys files by default
AuthorizedKeysFile /dev/null

# Disable password authentication as requested
PasswordAuthentication no

# Other settings for best practices
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
TCPKeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 33

# Subsystem for SFTP
Subsystem sftp /usr/libexec/openssh/sftp-server
```

Here is the script that fetches the public key(s) from GitLab:
```bash
#!/bin/bash
# Check for required username argument (sshd passes it via %u)
if [[ -z "$1" ]]; then
    >&2 echo "Username required."
    exit 1
fi

# Environment variables for configuration
TOKEN="GitLab-access-token"
PROJECT_ID="123"
GITLAB_BASE_URL="https://gitlab.mygitlab.tld/api/v4/projects"
USERNAME="$1"

# Complete URL to the user's public key file
USER_KEY_URL="${GITLAB_BASE_URL}/${PROJECT_ID}/repository/files/${USERNAME}%2Epub/raw?ref=main"

# Use curl with the token to fetch the public key from the URL
RESPONSE=$(curl --header "Private-Token: $TOKEN" --silent --fail --write-out "HTTPSTATUS:%{http_code}" "$USER_KEY_URL")
CURL_EXIT=$?   # curl's own exit code; http_code 000 with a non-zero exit means no HTTP response was received at all
HTTP_STATUS=$(echo "$RESPONSE" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')

# Output only the SSH key to stdout
if [ "$HTTP_STATUS" == "200" ]; then
    echo "$RESPONSE" | sed -e 's/HTTPSTATUS:.*//g'
else
    >&2 echo "Failed to fetch keys with status code $HTTP_STATUS (curl exit $CURL_EXIT)"
    exit 1
fi
```

This is what I see if I execute "journalctl -u sshd -n 50":
```
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: main: sshd: ssh-rsa algorithm is disabled
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: User user authorized keys /dev/null is not a regular file
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh user failed, status 1
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: Accepted keyboard-interactive/pam for user from 192.168.50.175 port 51277 ssh2
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: pam_unix(sshd:session): session opened for user user(uid=1001) by (uid=0)
```

I've tested the Bash script manually via cURL and it fetches the public key from the GitLab repository just fine, exactly as it should. I've also manually executed the Bash script and the output contained the public key of the user, exactly as it is on my Mac. To clarify, I am doing the tests from my Mac and authenticating with the Mac's public key.
I cannot disable PAM, because I see that is not supported well for Rocky Linux in the logs. Any idea why this password prompt for the UNIX user still happens? Does PAM fall back to the password?
I've modified the Bash script to redirect errors to a file, /tmp/fetch_gitlab_keys.log:

```
Wed Aug 16 03:46:12 AM EDT 2023 - Curl output: 000
Wed Aug 16 03:46:12 AM EDT 2023 - Failed to fetch keys with status code 000
```

The OS has SELinux, which I've disabled, and that makes zero difference.
Comments:

sestatus output?

https://gitlab.example.com/users/${USERNAME}.keys and immediately get their public ssh key(s) in the authorized_keys compatible format that is expected as the output for AuthorizedKeysCommand
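As an added check (not from the question or any answer), a small audit over `sshd -T` output for the sshd_config above: it shows why `PasswordAuthentication no` alone leaves the keyboard-interactive/PAM password prompt reachable, and flags the `AuthorizedKeysFile /dev/null` warning seen in the journal. The `sshd -T` sample is constructed from the posted config; the helper function names are mine.

```bash
#!/bin/bash
# Constructed sample: the effective values `sshd -T` reports for the posted
# sshd_config (OpenSSH 8.7 prints lowercase "keyword value" lines).
SAMPLE_SSHD_T='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
permitrootlogin no
authorizedkeyscommand /usr/local/bin/fetch_gitlab_keys.sh %u
authorizedkeyscommanduser root
authorizedkeysfile /dev/null'

# Print the value of one keyword from sshd -T style output read on stdin.
sshd_t_value() {
    awk -v key="$1" 'tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Report which password-style credential paths are still open after a failed
# public-key attempt. Prints one finding per line; returns 0 if none, 1 otherwise.
audit_password_paths() {
    local cfg="$1" findings=0
    local pw kbd pam akf
    pw=$(printf '%s\n' "$cfg" | sshd_t_value passwordauthentication)
    kbd=$(printf '%s\n' "$cfg" | sshd_t_value kbdinteractiveauthentication)
    pam=$(printf '%s\n' "$cfg" | sshd_t_value usepam)
    akf=$(printf '%s\n' "$cfg" | sshd_t_value authorizedkeysfile)
    if [ "$pw" = "yes" ]; then
        echo "FINDING: PasswordAuthentication is yes"
        findings=1
    fi
    # PasswordAuthentication only covers the "password" method; the PAM-backed
    # keyboard-interactive method is a separate switch and still asks for a password.
    if [ "$kbd" = "yes" ] && [ "$pam" = "yes" ]; then
        echo "FINDING: keyboard-interactive via PAM still prompts for a password; set KbdInteractiveAuthentication no"
        findings=1
    fi
    if [ "$akf" = "/dev/null" ]; then
        echo "NOTE: AuthorizedKeysFile /dev/null makes sshd log 'is not a regular file'; use 'AuthorizedKeysFile none'"
    fi
    return "$findings"
}

# Demonstration run over the constructed sample.
audit_password_paths "$SAMPLE_SSHD_T" || echo "result: a password prompt is still reachable"
```

On the server, feed the real dump instead: `audit_password_paths "$(sshd -T)"`. To see whether the curl `000` result reproduces outside sshd, run the key-fetch script with an empty environment as the AuthorizedKeysCommandUser (`sudo -u root env -i PATH=/usr/bin:/bin /usr/local/bin/fetch_gitlab_keys.sh user`), since an interactive shell carries proxy and other variables that sshd does not pass.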