
I have to connect to my work pc, and I'm working with this config:

Host work
  User          name
  HostName      192.168.31.***
  ProxyCommand  ssh.exe p***@middle_host nc %h %p

Here, middle_host is the organization network that I have to connect to before connecting to the actual desktop. I have successfully done the ssh-copy-id. But when I try to connect using ssh work, the middle_host asks for a password but the work pc doesn't. I checked authorized_keys in middle_host and my public keys are there, but it still can't connect without the password prompt.

Permissions for the relevant files in middle_host:
stat -c "%a" ~ > 700
stat -c "%a" ~/.ssh/ > 700
stat -c "%a" ~/.ssh/authorized_keys > 600

I have checked these answers and followed them, but could not solve it:
Why am I still getting a password prompt with ssh with public key authentication?
ssh-copy-id succeeded, but still prompt password input

To answer the comment:

  1. I don't have root access in the middle_host (CentOS), so I don't know how to check the sshd log.
  2. I tried to connect to the middle host with ssh -v middle_host. It throws Unable to negotiate with ***** port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1. So I tried with -oKexAlgorithms=+diffie-hellman-group1-sha1, and now the output shows as follows:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/koushik/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to ***.**.**.*** [***.**.**.***] port 22.
debug1: Connection established.
debug1: identity file /home/koushik/.ssh/id_rsa type 0
debug1: identity file /home/koushik/.ssh/id_rsa-cert type -1
debug1: identity file /home/koushik/.ssh/id_dsa type -1
debug1: identity file /home/koushik/.ssh/id_dsa-cert type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/koushik/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/koushik/.ssh/id_ed25519 type -1
debug1: identity file /home/koushik/.ssh/id_ed25519-cert type -1
debug1: identity file /home/koushik/.ssh/id_ed25519_sk type -1
debug1: identity file /home/koushik/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/koushik/.ssh/id_xmss type -1
debug1: identity file /home/koushik/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_2*,OpenSSH_3*,OpenSSH_4* compat 0x00000002
debug1: Authenticating to ***.**.**.***:22 as '****'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:mDzOdf7c6GdlUbdzYqOPpD23W1gyyixbjxeUxHU0YlE
debug1: Host '***.**.**.***' is known and matches the RSA host key.
debug1: Found key in /home/koushik/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/koushik/.ssh/id_rsa RSA SHA256:PqSSI5hAPS2zK9l+rOA7TZ01onuarhil6Fhee27+zG8
debug1: Will attempt key: /home/koushik/.ssh/id_dsa
debug1: Will attempt key: /home/koushik/.ssh/id_ecdsa
debug1: Will attempt key: /home/koushik/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/koushik/.ssh/id_ed25519
debug1: Will attempt key: /home/koushik/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/koushik/.ssh/id_xmss
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)

debug1: Next authentication method: publickey
debug1: Offering public key: /home/koushik/.ssh/id_rsa RSA SHA256:PqSSI5hAPS2zK9l+rOA7TZ01onuarhil6Fhee27+zG8
debug1: Server accepts key: /home/koushik/.ssh/id_rsa RSA SHA256:PqSSI5hAPS2zK9l+rOA7TZ01onuarhil6Fhee27+zG8
debug1: Authentication succeeded (publickey).
Authenticated to *...* ([*...*]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = C.UTF-8
Last login: Sun Feb 14 14:18:00 2021 from -----

1 Answer

Firstly, you declared the user in the SSH config, but are using a different username in the ProxyCommand.

Secondly, the middle_host is using an old version of OpenSSH, v4.3, while the client is using OpenSSH v8.2p1. Older versions of OpenSSH used legacy Diffie-Hellman (DH) key exchange methods which are no longer supported by later versions. Of the three DH groups that the middle system supports, Group 14 is the best, while Group 1 is the worst. Therefore, execute the following, and specify Group 14:

ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 middle_host

Side Note:

Exposing an OpenSSH v4.3 server to the internet is a bad idea. Consider using a VPN instead.
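As an added example (not part of the question or the answer above), this is how the two hops can be split into separate Host blocks so that the username and the legacy key-exchange setting are scoped to the old middle host only, instead of being passed on the ProxyCommand line. The user names, the internal address and the assumption that the middle host permits TCP forwarding (needed for -W) are placeholders and assumptions; the original nc form still works if forwarding is disabled.

```sshconfig
# Added example: one Host block per hop. Nothing here is from the original
# post; "p_user", "name" and 192.168.31.1 are placeholders.

Host middle_host
  HostName      middle_host
  User          p_user
  # OpenSSH 4.3 offers only SHA-1 DH groups. Add group14 (the strongest of
  # the three it offers) for this host only; "+" appends to the client's
  # default list instead of replacing it, so other hosts keep modern KEX.
  KexAlgorithms +diffie-hellman-group14-sha1
  # The debug output above shows this server's host key type is ssh-rsa.
  # Clients from OpenSSH 8.8 onward drop ssh-rsa by default, so re-enable it
  # here; on the 8.2 client in the question this line is harmless.
  HostKeyAlgorithms +ssh-rsa

Host work
  HostName      192.168.31.1
  User          name
  # The inner ssh resolves the alias "middle_host" and therefore picks up the
  # block above (user and KEX), so no user@ is needed on this line.
  # -W needs AllowTcpForwarding on the middle host; otherwise fall back to
  #   ProxyCommand ssh.exe middle_host nc %h %p
  ProxyCommand  ssh.exe -W %h:%p middle_host
```

The SHA-1 group14 exchange is a stopgap that keeps the client's defaults intact everywhere else; the real fix is upgrading the middle host's sshd, as the side note says.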