1

The issue: Even though I've set up AuthorizedKeysCommand and password authentication is stopped when I attempt to log in from my Mac, I am still being asked to enter the password:

OS: Rocky Linux 9.2

OpenSSH version on the server: OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:g7nyjiJifRo58tqXivGLTyxst7KP207XMKj3mNS3z4z
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user/.ssh/id_ecdsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/user/.ssh/id_ed25519
debug1: Trying private key: /Users/user/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/user/.ssh/id_xmss
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
(user@192.168.169.170) Password:

Here is the /etc/ssh/sshd_config:


# General SSH settings
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

Specify the protocol versions


Protocol 2


HostKeys


HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key


Logging


SyslogFacility AUTH
LogLevel INFO


Authentication settings


Disable root login


PermitRootLogin no


Use public key authentication


PubkeyAuthentication yes


Local file to check for public keys (optional, as we use AuthorizedKeysCommand)


#AuthorizedKeysFile .ssh/authorized_keys


Use the script to fetch keys from GitLab repo


AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh %u
AuthorizedKeysCommandUser root


ignore existing authorized_keys files by default


AuthorizedKeysFile /dev/null


Disable password authentication as requested


PasswordAuthentication no


Other settings for best practices


PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
TCPKeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 33


Subsystem for SFTP


Subsystem sftp /usr/libexec/openssh/sftp-server

Here is the script that fetches the public key(s) from GitLab:


# Check for required username argument
if [[ -z "$1" ]]; then
  >&2 echo "Username required."
  exit 1
fi

Environment variables for configuration


TOKEN="GitLab-access-token"
PROJECT_ID="123"
GITLAB_BASE_URL="https://gitlab.mygitlab.tld/api/v4/projects"
USERNAME="$1"


Complete URL to the user's public key file


USER_KEY_URL="${GITLAB_BASE_URL}/${PROJECT_ID}/repository/files/${USERNAME}%2Epub/raw?ref=main"


Use curl with the token to fetch the public key from the URL


RESPONSE=$(curl --header "Private-Token: $TOKEN" --silent --fail --write-out "HTTPSTATUS:%{http_code}" "$USER_KEY_URL")


HTTP_STATUS=$(echo "$RESPONSE" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')


Output only the SSH key to stdout


if [ "$HTTP_STATUS" == "200" ]; then
  echo "$RESPONSE" | sed -e 's/HTTPSTATUS:.*//g'
else
  >&2 echo "Failed to fetch keys with status code $HTTP_STATUS"
  exit 1
fi

This is what I see if I execute "journalctl -u sshd -n 50":

Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: main: sshd: ssh-rsa algorithm is disabled
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: User user authorized keys /dev/null is not a regular file
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh user failed, status 1
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: Accepted keyboard-interactive/pam for user from 192.168.50.175 port 51277 ssh2
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: pam_unix(sshd:session): session opened for user user(uid=1001) by (uid=0)

I've tested the Bash script manually via cURL and it fetches the public key from the GitLab repository just fine, exactly as it should. I've also manually executed the Bash script and the output contained the public key of the user, exactly as it is on my Mac. To clarify, I am doing the tests from my Mac and authenticating with the Mac's public key.

I cannot disable PAM, because I see that is not supported well for Rocky Linux in the logs. Any idea why this password prompt for the UNIX user still happens? Does PAM fall back to the password?

I've modified the Bash script to redirect errors in a file /tmp/fetch_gitlab_keys.log:

Wed Aug 16 03:46:12 AM EDT 2023 - Curl output: 000
Wed Aug 16 03:46:12 AM EDT 2023 - Failed to fetch keys with status code 000

The OS has SELinux, which I've disabled, and that makes zero difference.

zamunda68
  • 31
  • I wouldn’t be surprised if the issue is selinux related - https://serverfault.com/a/443230 – HBruijn Aug 16 '23 at 09:09
  • To prove you really disabled selinux, what is sestatus output? – Nikita Kipriyanov Aug 16 '23 at 09:14
  • By the way; Are you trying to download a specific file from a repo that contains your public key(s) ? Because the typical way to use public keys from gitlab is to use the public keys a user has uploaded as their public SSH key(s) in their profile ; then you request https://gitlab.example.com/users/${USERNAME}.keys and immediately get their public ssh key(s) in the authorized_keys compatible format that is expected as the output for AuthorizedKeysCommand – HBruijn Aug 16 '23 at 11:13
  • Switch the loglevel to debug and see what happens when you try to login. – Ginnungagap Aug 16 '23 at 13:27
  • Looks like the key you are presenting does not match the authorized_keys entries - see https://support.cpanel.net/hc/en-us/articles/360056952833-How-to-verify-if-a-public-and-private-RSA-SSH-key-match- – symcbean Aug 16 '23 at 16:23
  • @HBruijn - but I've disabled it entirely. sestatus command was showing "permissive". – zamunda68 Aug 17 '23 at 07:31

0 Answers0