Hey, so I am trying to set up a user, git, on a Linux host that has no password, no TTY shell (usermod -s /bin/false git), and no privileges (with the exception of modifying files it owns in its home directory, but the lack of a login shell reduces its ability to even do that). So anyway the goal of what I am doing here is to set up a shell of a user that merely acts as an SSH Forwarding Agent for the purposes outlined in this post: GitLab Fallback Alternative - #17 by CodeDragon57. I tried setting /etc/ssh/sshd_config like this to achieve login without any authentication:
PasswordAuthentication no
PermitEmptyPasswords yes
...
AllowAgentForwarding yes
AllowTcpForwarding yes
...
Match User git
AuthenticationMethods none
But, unexpectedly, the server prompts me for a password - which the user doesn’t have. This seems directly contrary to the OpenBSD man pages. For what it’s worth, this is a Rocky 9 host.
Nov 07 19:37:58 codedragon.dev sshd[5205]: Connection closed by authenticating user git 10.0.0.11 port 43622 [preauth]
Nov 07 19:38:03 codedragon.dev sshd[5207]: Accepted publickey for linuxdragon from 10.0.0.11 port 43638 ssh2: ED25519-SK SHA256:lt2OKeuK1LIE6VhIVPp4q5>
Nov 07 19:38:03 codedragon.dev sshd[5207]: pam_unix(sshd:session): session opened for user linuxdragon(uid=1000) by linuxdragon(uid=0)
Note: 10.0.0.9/29 is a WireGuard subnet
Arguably, a more useful log is the ssh debug log here:
debug1: Authentications that can continue:
debug3: start over, passed a different list gssapi-with-mic,publickey,keyboard-interactive,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug3: ssh_get_authentication_socket_path: path '/run/user/1000/ssh-agent.socket'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /home/linuxdragon/.ssh/id_rsa
debug1: Will attempt key: /home/linuxdragon/.ssh/id_ecdsa
debug1: Will attempt key: /home/linuxdragon/.ssh/id_ecdsa_sk ECDSA-SK SHA256:0lOGU3ffbIoE2XUHq9O7eWe7c1KVWJHAU0LDwE3uy4Q authenticator
debug1: Will attempt key: /home/linuxdragon/.ssh/id_ed25519
debug1: Will attempt key: /home/linuxdragon/.ssh/id_ed25519_sk ED25519-SK SHA256:rkm4DrSpNa3OFQHA3dYliEZp/Tnm6mneVnn0nu+9ItI authenticator
debug1: Will attempt key: /home/linuxdragon/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: Trying private key: /home/linuxdragon/.ssh/id_rsa
debug3: no such identity: /home/linuxdragon/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/linuxdragon/.ssh/id_ecdsa
debug3: no such identity: /home/linuxdragon/.ssh/id_ecdsa: No such file or directory
debug1: Offering public key: /home/linuxdragon/.ssh/id_ecdsa_sk ECDSA-SK SHA256:0lOGU3ffbIoE2XUHq9O7eWe7c1KVWJHAU0LDwE3uy4Q authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
debug1: Trying private key: /home/linuxdragon/.ssh/id_ed25519
debug3: no such identity: /home/linuxdragon/.ssh/id_ed25519: No such file or directory
debug1: Offering public key: /home/linuxdragon/.ssh/id_ed25519_sk ED25519-SK SHA256:rkm4DrSpNa3OFQHA3dYliEZp/Tnm6mneVnn0nu+9ItI authenticator
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
debug1: Trying private key: /home/linuxdragon/.ssh/id_xmss
debug3: no such identity: /home/linuxdragon/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
It’s showing the server accepting all authentication methods instead of none, as I specified in the server’s /etc/ssh/sshd_config.
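A small model, added here and not part of the original post, of how sshd resolves the Match User block and of the guard OpenSSH applies before it will even try the "none" method (userauth_none() only attempts it when PermitEmptyPasswords and PasswordAuthentication are both yes, and the account must actually have an empty password). The config text is constructed from the snippet above; the Match handling is simplified to exact comma-separated user names.

```python
# Added example, not code from the forum post: models how sshd resolves a
# "Match User" block and the guard OpenSSH's userauth_none() applies before
# trying the "none" method (only when PermitEmptyPasswords and
# PasswordAuthentication are both yes; the account also needs an empty
# password). Assumptions: case-insensitive keywords, only "Match User"
# with exact comma-separated names, defaults per sshd_config(5).

# Constructed config mirroring the poster's snippet.
SSHD_CONFIG = """\
PasswordAuthentication no
PermitEmptyPasswords yes
AllowAgentForwarding yes
AllowTcpForwarding yes
Match User git
    AuthenticationMethods none
"""

DEFAULTS = {"passwordauthentication": "yes", "permitemptypasswords": "no"}

def effective_config(text, user):
    """Return the options that apply to `user`: global section first, then
    Match blocks, where the first matching block to set a key wins."""
    opts, set_by_match, in_match, active = dict(DEFAULTS), set(), False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit = value.split()
            in_match = True
            active = (len(crit) >= 2 and crit[0].lower() == "user"
                      and user in crit[1].split(","))
            continue
        if not in_match:
            opts[key] = value
        elif active and key not in set_by_match:
            opts[key] = value
            set_by_match.add(key)
    return opts

def none_auth_possible(opts):
    """Mirror userauth_none()'s guard; returns (reachable, reason)."""
    pw = opts["passwordauthentication"].lower() == "yes"
    empty = opts["permitemptypasswords"].lower() == "yes"
    if pw and empty:
        return True, "none method reachable (account must have an empty password)"
    return False, "none method never tried: PasswordAuthentication must be yes too"
```

On the real host, `sshd -T -C user=git` prints the effective configuration for that user, which is the quickest way to confirm what a Match block actually applied.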
Oh I figured out the reason why it didn’t work. You have to enable clear text tunneled passwords - which makes this solution to the problem a no-go.