[edit: original title: "[SSH] password login impossible, even locally"]
Hello,
To reach my goal of setting up an SSH tunnel between two computers, I think I have two problems. The first concerns access to the SSH server, the second seems to be a permission problem on TCP port 22. The purpose of this request for help is to confirm and solve the first one, which I identified after the second while trying to connect to the SSH server from ordi1, the computer that started the server. Solving the second will come later.
I am staying with password login, without a key. Here are the terminal excerpts to help with the diagnosis. I should point out that the Fedora 33 installation is recent and is not the result of an upgrade from a previous version.
Adding the allowed users to the configuration file created for the occasion:
#xed /etc/ssh/sshd_config.d/maconfiguration.conf
I put these lines in it:
AllowUsers camiperdi camiperdi2
PasswordAuthentication yes
Starting the server as camiperdi, and checking its state:
$systemctl start sshd.service
$systemctl list-units | grep ssh
sshd.service loaded active running OpenSSH server daemon
system-sshd\x2dkeygen.slice loaded active active system-sshd\x2dkeygen.slice
sshd-keygen.target loaded active active sshd-keygen.target
$systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2021-03-07 18:30:34 CET; 13min ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 6796 (sshd)
Tasks: 1 (limit: 18896)
Memory: 2.1M
CPU: 10ms
CGroup: /system.slice/sshd.service
└─6796 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
#lsof -i -n -P | grep LISTEN
systemd-r 1307 systemd-resolve 12u IPv4 31962 0t0 TCP *:5355 (LISTEN)
systemd-r 1307 systemd-resolve 14u IPv6 31965 0t0 TCP *:5355 (LISTEN)
systemd-r 1307 systemd-resolve 17u IPv4 31968 0t0 TCP 127.0.0.53:53 (LISTEN)
cupsd 1469 root 9u IPv6 36945 0t0 TCP [::1]:631 (LISTEN)
cupsd 1469 root 10u IPv4 36946 0t0 TCP 127.0.0.1:631 (LISTEN)
sshd 6796 root 5u IPv4 81365 0t0 TCP *:22 (LISTEN)
sshd 6796 root 7u IPv6 81367 0t0 TCP *:22 (LISTEN)
Existence of the second problem: from ordi2 as camiperdi2, I get a connection refused, like this (command inspired by the site's documentation):
$ssh -L 15000:adresse_ordi2:5902 camiperdi@adresserouteur
ssh: connect to host adresse_ordi1 port 22: Connection refused
$ssh -L 15000:adresse_ordi2:5902 camiperdi2@adresserouteur
ssh: connect to host adresse_ordi1 port 22: Connection refused
So I then try, on ordi1 (the server), a connection with camiperdi's password (the session password), but invariably I get permission denied:
$ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:c7ufmdN/Tht/xe0cq6YClH41z4Su6GDw+JYxK7Yd8Jw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
camiperdi@localhost's password:
camiperdi@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
(ok, that was the first attempt, with the "are you sure" prompt appearing; since then I get this, in verbose mode:)
$ssh -vvv camiperdi@localhost
OpenSSH_8.4p1, OpenSSL 1.1.1j FIPS 16 Feb 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host localhost originally localhost
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host localhost originally localhost
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/camiperdi/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/camiperdi/.ssh/known_hosts2'
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/camiperdi/.ssh/id_rsa type -1
debug1: identity file /home/camiperdi/.ssh/id_rsa-cert type -1
debug1: identity file /home/camiperdi/.ssh/id_dsa type -1
debug1: identity file /home/camiperdi/.ssh/id_dsa-cert type -1
debug1: identity file /home/camiperdi/.ssh/id_ecdsa type -1
debug1: identity file /home/camiperdi/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/camiperdi/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/camiperdi/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/camiperdi/.ssh/id_ed25519 type -1
debug1: identity file /home/camiperdi/.ssh/id_ed25519-cert type -1
debug1: identity file /home/camiperdi/.ssh/id_ed25519_sk type -1
debug1: identity file /home/camiperdi/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/camiperdi/.ssh/id_xmss type -1
debug1: identity file /home/camiperdi/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'camiperdi'
debug3: hostkeys_foreach: reading file "/home/camiperdi/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/camiperdi/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:c7ufmdN/Tht/xe0cq6YClH41z4Su6GDw+JYxK7Yd8Jw
debug3: hostkeys_foreach: reading file "/home/camiperdi/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/camiperdi/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/camiperdi/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/camiperdi/.ssh/id_rsa
debug1: Will attempt key: /home/camiperdi/.ssh/id_dsa
debug1: Will attempt key: /home/camiperdi/.ssh/id_ecdsa
debug1: Will attempt key: /home/camiperdi/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/camiperdi/.ssh/id_ed25519
debug1: Will attempt key: /home/camiperdi/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/camiperdi/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/camiperdi/.ssh/id_rsa
debug3: no such identity: /home/camiperdi/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/camiperdi/.ssh/id_dsa
debug3: no such identity: /home/camiperdi/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/camiperdi/.ssh/id_ecdsa
debug3: no such identity: /home/camiperdi/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/camiperdi/.ssh/id_ecdsa_sk
debug3: no such identity: /home/camiperdi/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/camiperdi/.ssh/id_ed25519
debug3: no such identity: /home/camiperdi/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/camiperdi/.ssh/id_ed25519_sk
debug3: no such identity: /home/camiperdi/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/camiperdi/.ssh/id_xmss
debug3: no such identity: /home/camiperdi/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
camiperdi@localhost's password:
Permission Denied
I am stuck after many attempts and reading various similar messages. What am I doing wrong and haven't understood? Is the password to enter really the one for the session of the user who started the SSH server?
Then I temporarily replaced pam_sss.so with pam_ldap.so in the file /etc/authselect/password-auth, but there I no longer understand what I am doing, and I don't like it.
But the status has changed (even though I put pam_sss.so back...???), apparently a connection is made, but there is a display error:
$ssh camiperdi@localhost
camiperdilocalhost's password:
Last login: Sun Mar 7 22:33:30 2021 from ::1
Error opening display!
Help, please! I don't understand.
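An added example, not part of the post above: a small Python parser that walks an ssh -vvv transcript of the kind shown and reports which authentication methods the server offered, which the client tried, which it skipped for lack of credentials, and whether the final attempt was denied. The embedded log is a constructed excerpt modelled on the transcript in the post; the diagnosis strings are my own wording.

```python
import re

# Constructed excerpt modelled on the ssh -vvv output shown in the post.
SAMPLE_LOG = """\
debug1: Authenticating to localhost:22 as 'camiperdi'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug3: no such identity: /home/camiperdi/.ssh/id_rsa: No such file or directory
debug3: no such identity: /home/camiperdi/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
camiperdi@localhost's password:
Permission Denied
"""

def summarize_auth(log_text):
    """Walk an ssh -vvv transcript and record what each auth method did."""
    offered, tried, skipped, missing_ids = [], [], [], []
    current, outcome = None, "unknown"
    for line in log_text.splitlines():
        m = re.search(r"Authentications that can continue: (\S+)", line)
        if m:
            offered = m.group(1).split(",")   # methods the server is willing to accept
        m = re.search(r"Next authentication method: (\S+)", line)
        if m:
            current = m.group(1)
            tried.append(current)
        if "we did not send a packet, disable method" in line and current:
            skipped.append(current)           # client had nothing to offer for this method
        m = re.search(r"no such identity: (\S+):", line)
        if m:
            missing_ids.append(m.group(1))    # key files ssh looked for but did not find
        if "permission denied" in line.lower():
            outcome = "denied"
        elif line.startswith("Last login:"):
            outcome = "success"
    return {"offered": offered, "tried": tried, "skipped": skipped,
            "missing_identities": missing_ids, "last_method": current, "outcome": outcome}

def diagnose(summary):
    """Say which side rejected the login, so the next check goes to the right log."""
    if summary["outcome"] == "denied" and summary["last_method"] == "password" \
            and "password" in summary["offered"]:
        return "server offered password auth and rejected the credential: check sshd/PAM logs on the server"
    if summary["outcome"] == "denied" and "password" not in summary["offered"]:
        return "server does not offer password auth: check PasswordAuthentication in the effective sshd config"
    return "no server-side password rejection detected"
```

On the post's transcript this reports that the server did offer password authentication and then refused it, which places the fault on the server's PAM/password side rather than in the client configuration.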