issues with stretch, part 1 of many

Ionel Mugurel Ciobîcă-4


Dear all,

I have many issues with stretch which I cannot figure out. I will
post one at a time, to keep it clear and simple.

I use Debian since 1997. I never had an issue with any release, except
stretch. I installed fresh using net install disk. The install went OK
(except I was forced to choose a wrong timezone (I was not asked about
the continent), but that I fix after installation).

The first question I want to ask relates to ssh, ssh-ask and
ssh-agent. When I ssh to another computer I am asked "Allow use of key
id_rsa? Key fingerprint ..." If I uninstall all ssh-ask programs I
simply can't use the ssh-agent anymore and I am prompted for password.
I try ssh-ask, ssh-ask-fullscreen, ssh-ask-gnome and the similar from
kde. I check the /etc/ssh/ssh_config and /etc/ssh/sshd_config for
anything that may relate to this. The only things coming close are:
UsePAM yes
ChallengeResponseAuthentication no

Is there something I overlook?

To be clear, I do not want to be asked if I allow the use of a key, I
just want this to be assumed yes, as it was the case in the past.

So, I run Linux 4.9.0-8-amd64, Debian 9u6. ssh is openssh_7.4p1,
openssl 1.0.2l ssh-agent is started in $HOME/.xsessionrc as:
eval `ssh-agent -s`

Thank you for any hint.

Kind regards,
 Ionel


Re: issues with stretch, part 1 of many

Ionel Mugurel Ciobîcă-3
On 27-11-2018, at 13h 33'55", Ionel Mugurel Ciobîcă wrote about "issues with stretch, part 1 of many"

>
>
> Dear all,
>
> I have many issues with stretch which I cannot figure out. I will
> post one at a time, to keep it clear and simple.
>
> I use Debian since 1997. I never had an issue with any release, except
> stretch. I installed fresh using net install disk. The install went OK
> (except I was forced to choose a wrong timezone (I was not asked about
> the continent), but that I fix after installation).
>
> The first question I want to ask relates to ssh, ssh-ask and
> ssh-agent. When I ssh to another computer I am asked "Allow use of key
> id_rsa? Key fingerprint ..." If I uninstall all ssh-ask programs I
> simply can't use the ssh-agent anymore and I am prompted for password.
> I try ssh-ask, ssh-ask-fullscreen, ssh-ask-gnome and the similar from
> kde. I check the /etc/ssh/ssh_config and /etc/ssh/sshd_config for
> anything that may relate to this. The only things coming close are:
> UsePAM yes
> ChallengeResponseAuthentication no
>
> Is there something I overlook?
>
> To be clear, I do not want to be asked if I allow the use of a key, I
> just want this to be assumed yes, as it was the case in the past.
>
> So, I run Linux 4.9.0-8-amd64, Debian 9u6. ssh is openssh_7.4p1,
> openssl 1.0.2l ssh-agent is started in $HOME/.xsessionrc as:
> eval `ssh-agent -s`
>

A hint of the followup questions already is given by the ssh-agent the
first time when the passphrase is introduced, by announcing: "Enter
passphrase for id_rsa (will confirm each use):".

I do not want to confirm each usage. My .xsession(rc) contains many
calls of "xterm -e ssh ..." using -geometry to position the xterms,
and all of those "allow use of key..." questions agglomerates on the
same place, one on top of each other. I do not understand conceptually
why this would be desired (to be asked again and again). The point of
ssh-agent was to make it simpler, not more complicated. If I want to
be asked, I will not use the agent, so I can input password when
connecting...


Kind regards,
 Ionel

Re: issues with stretch, part 1 of many

Étienne Mollier
On 11/27/18 2:05 PM, Ionel Mugurel Ciobîcă wrote:
> On 27-11-2018, at 13h 33'55", Ionel Mugurel Ciobîcă wrote about "issues with stretch, part 1 of many"
>>
>>
>> Dear all,
>>
[...]

>>
>> The first question I want to ask relates to ssh, ssh-ask and
>> ssh-agent. When I ssh to another computer I am asked "Allow use of key
>> id_rsa? Key fingerprint ..." If I uninstall all ssh-ask programs I
>> simply can't use the ssh-agent anymore and I am prompted for password.
>> I try ssh-ask, ssh-ask-fullscreen, ssh-ask-gnome and the similar from
>> kde. I check the /etc/ssh/ssh_config and /etc/ssh/sshd_config for
>> anything that may relate to this. The only things coming close are:
>> UsePAM yes
>> ChallengeResponseAuthentication no
>>
>> Is there something I overlook?
>>
>> To be clear, I do not want to be asked if I allow the use of a key, I
>> just want this to be assumed yes, as it was the case in the past.
>>
>> So, I run Linux 4.9.0-8-amd64, Debian 9u6. ssh is openssh_7.4p1,
>> openssl 1.0.2l ssh-agent is started in $HOME/.xsessionrc as:
>> eval `ssh-agent -s`
>>

Good Day Ionel,

According to my experience, when ssh-agent is started, it is
ready to store passphrase and decipher the private key.  However,
it doesn't do this automatically when I type my passphrase at
a connection attempt.

Before issuing any SSH connection, I run ssh-add and type my
passphrase.  Afterwards, I can connect to any machine accepting
my key.  I'm not exactly sure this is the right way to do it in
terms of security, but it does the job in terms of convenience.
:^)

Concerning ssh-ask programs, they are merely useful in
situations where the SSH client has no access to the terminal.

> A hint of the followup questions already is given by the ssh-agent the
> first time when the passphrase is introduced, by announcing: "Enter
> passphrase for id_rsa (will confirm each use):".
>
> I do not want to confirm each usage. My .xsession(rc) contains many
> calls of "xterm -e ssh ..." using -geometry to position the xterms,
> and all of those "allow use of key..." questions agglomerates on the
> same place, one on top of each other. I do not understand conceptually
> why this would be desired (to be asked again and again). The point of
> ssh-agent was to make it simpler, not more complicated. If I want to
> be asked, I will not use the agent, so I can input password when
> connecting...

You should probably run your connections in a side script
instead of your session startup script.  This way, you have a
chance to run ssh-add before issuing connections, but after
starting the SSH agent.

Have a look at ssh-add(1) and ssh-agent(1) manual pages, there
may be a few things you might be interested in.

> Kind regards,

Kind regards to you too,
--
Étienne Mollier <[hidden email]>


Re: issues with stretch, part 1 of many

Michael Wagner
On Nov 27, 2018 at 20:02:19, Étienne Mollier wrote:

>
> According to my experience, when ssh-agent is started, it is
> ready to store passphrase and decipher the private key.  However,
> it doesn't do this automatically when I type my passphrase at
> a connection attempt.
>
> Before issuing any SSH connection, I run ssh-add and type my
> passphrase.  Afterwards, I can connect to any machine accepting
> my key.  I'm not exactly sure this is the right way to do it in
> terms of security, but it does the job in terms of convenience.
> :^)
Hello Étienne,

I put this in my .bashrc

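--------------------------------------------------------------------
# Start a new agent only if the stable socket path is not a live socket.
if [ ! -S ~/.ssh/ssh_auth_sock ]; then
  # -t 43200: identities added to this agent expire after 12 hours.
  eval $(ssh-agent -t 43200)
  ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi
# Point every shell at the same agent through the symlink.
export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
# If the agent holds no identities, ask for the passphrase.
ssh-add -l | grep "The agent has no identities" && /usr/bin/ssh-add
-------------------------------------------------------------------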

So every time I login the first time, or when the last ssh-add command
is older than 12h, I'll be asked for the passphrase of the key.

Michael


Re: issues with stretch, part 1 of many

Étienne Mollier
Michael Wagner, on 2018-11-29 :

> I put this in my .bashrc
>
> --------------------------------------------------------------------
> if [ ! -S ~/.ssh/ssh_auth_sock ]; then
>   eval $(ssh-agent -t 43200)
>   ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
> fi
> export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
> ssh-add -l | grep "The agent has no identities" &&
> /usr/bin/ssh-add
> -------------------------------------------------------------------
>
> So every time I login the first time, or when the last ssh-add command
> is older than 12h, I'll be asked for the passphrase of the key.

Good Day Michael,

That's good to know; many thanks for your input!

The best expiry implementation I had until then was that my
trusty terminal tends to be issued with reboots quite often.
Perhaps 14400 s of lifetime should be sufficient on my side;
seems sound for lunch break.

Maybe I'm missing something, but why the rewiring of the
authentication socket?
Mere convenience?

Kind Regards,
--
Étienne Mollier <[hidden email]>


Re: issues with stretch, part 1 of many

Ionel Mugurel Ciobîcă-3
In reply to this post by Ionel Mugurel Ciobîcă-4

On 27-11-2018, at 13h 33'55", Ionel Mugurel Ciobîcă wrote about "issues with stretch, part 1 of many"

>
>
> Dear all,
>
> I have many issues with stretch which I cannot figure out. I will
> post one at a time, to keep it clear and simple.
>
> I use Debian since 1997. I never had an issue with any release, except
> stretch. I installed fresh using net install disk. The install went OK
> (except I was forced to choose a wrong timezone (I was not asked about
> the continent), but that I fix after installation).
>
> The first question I want to ask relates to ssh, ssh-ask and
> ssh-agent. When I ssh to another computer I am asked "Allow use of key
> id_rsa? Key fingerprint ..." [...]


Thank you, Étienne. I am aware of all that. I talk here about the
differences between stretch and all previous Debian releases. All
works well before stretch.

Thank you, Michael, for sharing that. Next time I will be in front of
that desktop I will see if I can adapt it to tcsh.

So, nobody knows who introduced "will confirm each
use" and the "Allow use of key", and why?... And most importantly, how to avoid
it or bypass it?

Thank you.

Ionel


Re: issues with stretch, part 1 of many

Étienne Mollier
Ionel Mugurel Ciobîcă, on 2018-11-30 :
> On 27-11-2018, at 13h 33'55", Ionel Mugurel Ciobîcă wrote about "issues with stretch, part 1 of many"
[...]
> > The first question I want to ask relates to ssh, ssh-ask and
> > ssh-agent. When I ssh to another computer I am asked "Allow use of key
> > id_rsa? Key fingerprint ..." [...]
>
> Thank you, Étienne. I am aware of all that. I talk here about the
> differences between stretch and all previous Debian releases.  All
> works well before stretch.

Good Day Ionel,

I haven't checked in Debian 8 how the thing behaves, but it
sounds like a change of default value in a configuration option.
More specifically, I have come to find this entry in ssh_config
manual which looks like affecting most entities you mentioned in
your initial email.

ssh_config(5):

>    AddKeysToAgent
>            Specifies whether keys should be automatically
>            added to a running ssh-agent(1).  If this option
>            is set to yes and a key is loaded from a file, the
>            key and its passphrase are added to the agent with
>            the default lifetime, as if by ssh-add(1).  If
>            this option is set to ask, ssh(1) will require
>            confirmation using the SSH_ASKPASS program before
>            adding a key (see ssh-add(1) for details).  If
>            this option is set to confirm, each use of the key
>            must be confirmed, as if the -c option was speci‐
>            fied to ssh-add(1).  If this option is set to no,
>            no keys are added to the agent.  The argument must
>            be yes, confirm, ask, or no (the default).

I wonder if setting this in your ssh_config file would help
bringing back the behaviour you expect:

        AddKeysToAgent yes


Kind Regards,
--
Étienne Mollier <[hidden email]>

Re: issues with stretch, part 1 of many

Stefan Krusche-2
In reply to this post by Ionel Mugurel Ciobîcă-4
Good day, Ionel,

On Tuesday, 27 November 2018, Ionel Mugurel Ciobîcă wrote:

> The first question I want to ask relates to ssh, ssh-ask and
> ssh-agent. When I ssh to another computer I am asked "Allow use of key
> id_rsa? Key fingerprint ..." If I uninstall all ssh-ask programs I
> simply can't use the ssh-agent anymore and I am prompted for password.
> I try ssh-ask, ssh-ask-fullscreen, ssh-ask-gnome and the similar from
> kde. I check the /etc/ssh/ssh_config and /etc/ssh/sshd_config for
> anything that may relate to this. The only things coming close are:
> UsePAM yes
> ChallengeResponseAuthentication no
>
> Is there something I overlook?
>
> To be clear, I do not want to be asked if I allow the use of a key, I
> just want this to be assumed yes, as it was the case in the past.

This is just a guess.  Maybe you are looking for this option
in /etc/ssh/ssh_config:

#   StrictHostKeyChecking ask

The default is to ask, see above, copied from the (unchanged) file on my
system.

man ssh_config(5):

StrictHostKeyChecking
         If this flag is set to yes, ssh(1) will never automatically add
         host keys to the ~/.ssh/known_hosts file, and refuses to connect
         to hosts whose host key has changed.  This provides maximum
         protection against trojan horse attacks, though it can be
         annoying when the /etc/ssh/ssh_known_hosts file is poorly
         maintained or when connections to new hosts are frequently made.
         This option forces the user to manually add all new hosts.  If
         this flag is set to no, ssh will automatically add new host keys
         to the user known hosts files.  If this flag is set to ask (the
         default), new host keys will be added to the user known host
         files only after the user has confirmed that is what they really
         want to do, and ssh will refuse to connect to hosts whose host
         key has changed.  The host keys of known hosts will be verified
         automatically in all cases.

If you configure ssh to ask, then, after you confirmed for one particular
connection/key, this choice will be saved in ~/.ssh/known_hosts and you
will not be asked again (until the key on the same server is changed).

Speculating again: when you installed your system, the file
~/.ssh/known_hosts didn't contain the entries for the servers you usually
connect to.  If that's the case, you can import/copy the ssh configuration
from your old system to avoid being asked.

Hope this helps,
regards,
Stefan

Re: issues with stretch, part 1 of many

Yves-7
In reply to this post by Ionel Mugurel Ciobîcă-4

I don't know if that can help...

''The OpenSSH 7 release has disabled some older ciphers and the SSH1 protocol by default. Please be careful when upgrading machines where you only have SSH access.

Moreover, the default of the "UseDNS" configuration option has changed from yes to no. This may cause users who use the "from=" functionality in authorized_keys to limit ssh access by host to be locked out, which is especially troublesome if upgrading remotely.

Please refer to the OpenSSH documentation for more information. ''

https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#openssh-protocol-and-cipher-support-changes

On 2018-11-27 07:33, Ionel Mugurel Ciobîcă wrote:

Dear all,

I have many issues with stretch which I cannot figure out. I will
post one at a time, to keep it clear and simple.

I use Debian since 1997. I never had an issue with any release, except
stretch. I installed fresh using net install disk. The install went OK
(except I was forced to choose a wrong timezone (I was not asked about
the continent), but that I fix after installation).

The first question I want to ask relates to ssh, ssh-ask and
ssh-agent. When I ssh to another computer I am asked "Allow use of key
id_rsa? Key fingerprint ..." If I uninstall all ssh-ask programs I
simply can't use the ssh-agent anymore and I am prompted for password.
I try ssh-ask, ssh-ask-fullscreen, ssh-ask-gnome and the similar from
kde. I check the /etc/ssh/ssh_config and /etc/ssh/sshd_config for
anything that may relate to this. The only things coming close are:
UsePAM yes
ChallengeResponseAuthentication no

Is there something I overlook?

To be clear, I do not want to be asked if I allow the use of a key, I
just want this to be assumed yes, as it was the case in the past.

So, I run Linux 4.9.0-8-amd64, Debian 9u6. ssh is openssh_7.4p1,
openssl 1.0.2l ssh-agent is started in $HOME/.xsessionrc as:
eval `ssh-agent -s`

Thank you for any hint.

Kind regards,
 Ionel


Re: issues with stretch, part 1 of many

Ionel Mugurel Ciobîcă-3
In reply to this post by Stefan Krusche-2
On  8-12-2018, at 13h 59'28", Stefan Krusche wrote about "Re: issues with stretch, part 1 of many"
> Good day, Ionel,

Hi Stefan,

>
> This is just a guess.  Maybe you are looking for this option
> in /etc/ssh/ssh_config:
>
> #   StrictHostKeyChecking ask


Mine is set to no. I did it way before contacting the list. I am not
asked the passphrase or if I want to store the host in the host list,
etc. I am asked if I allow to use the key. It makes no difference what
I type. Only Enter and Esc are active, and the mouse click on the OK
and Cancel buttons. Of course if I type stuff the squares of the
ssh-ask are turning blue, but that is of no importance.

Ionel

Re: issues with stretch, part 1 of many

Ionel Mugurel Ciobîcă-2
In reply to this post by Étienne Mollier
On 30-11-2018, at 21h 22'48", Étienne Mollier wrote about "Re: issues with stretch, part 1 of many"
>
> Good Day Ionel,

Hi Étienne,
>
> I haven't checked in Debian 8 how the thing behaves, but it
> sounds like a change of default value in a configuration option.
> More specifically, I have come to find this entry in ssh_config
> manual which looks like affecting most entities you mentioned in
> your initial email.
>
> ssh_config(5):
> >    AddKeysToAgent
[...]

There is no such option already in my /etc/ssh/ssh_config. But
re-reading this explanation made me think that indeed the ssh-add is
the responsible. And, indeed, it was the "-c" option of ssh-add in my
.xsession that enabled this behaviour. I guess I added that there by
accident when I was playing with the ssh-agent -c...

Anyway, removing that -c solved the issue. Sorry for the noise. Thank
everyone for their suggestions.

Ionel
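
The cause found above was an `ssh-add -c` in a session startup file; `AddKeysToAgent confirm` in ssh_config(5), quoted earlier in the thread, requests the same per-use confirmation. The script below is an added example, not code from any poster, that scans startup and client-config files for both. `scan_confirm` and `demo_scan` are hypothetical names and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. scan_confirm and demo_scan are
# hypothetical names; every sample file below is constructed.

# scan_confirm FILE...
# Prints FILE:LINE:REASON for each line that requests per-use confirmation:
#   - an ssh-add command carrying -c (alone or bundled, e.g. -cq)
#   - "AddKeysToAgent confirm" in an ssh_config-style file
scan_confirm() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                  # skip comment lines
            {
                # ssh_config keywords are case-insensitive, "=" is allowed
                if (tolower($0) ~ /^[ \t]*addkeystoagent[ \t=]+"?confirm"?[ \t]*$/) {
                    printf "%s:%d:AddKeysToAgent confirm\n", file, NR
                    next
                }
                seen = 0                         # 1 while inside an ssh-add command
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /(^|\/)ssh-add$/) { seen = 1; continue }
                    if (!seen) continue
                    if ($i ~ /^[;|&]/) { seen = 0; continue }   # command ended
                    if ($i ~ /^-[A-Za-z]*c[A-Za-z]*$/) {
                        printf "%s:%d:ssh-add -c\n", file, NR
                        break
                    }
                }
            }
        ' "$f"
    done
}

# Constructed samples modelled on the thread: a session script that loads
# the key with -c, a client config, and a .bashrc without the flag.
demo_scan() {
    d=$(mktemp -d) || return 1
    cat > "$d/xsession" <<'EOF'
eval `ssh-agent -s`
# ssh-add -c   (commented out, must be ignored)
ssh-add -c $HOME/.ssh/id_rsa
xterm -geometry 80x24+0+0 -e ssh host1 &
EOF
    cat > "$d/ssh_config" <<'EOF'
Host *
    StrictHostKeyChecking ask
    addkeystoagent = confirm
EOF
    cat > "$d/bashrc" <<'EOF'
eval $(ssh-agent -t 43200)
ssh-add -l | grep "The agent has no identities" && /usr/bin/ssh-add
EOF
    ( cd "$d" && scan_confirm xsession ssh_config bashrc )
    rm -rf "$d"
}

demo_scan
```

On a real system the arguments would be the files that start the session and configure the client, such as `~/.xsessionrc`, `~/.xsession`, `~/.ssh/config` and `/etc/ssh/ssh_config`.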

Re: issues with stretch, part 1 of many

Étienne Mollier
Hi Ionel,

Ionel Mugurel Ciobîcă <[hidden email]>, on 2018-12-12:
> There is no such option already in my /etc/ssh/ssh_config.

Well sample configurations are one thing, and documented ones
another.  And undocumented ones, which you will discover only by
reading the source code, or obscure mailing list archives, are
yet another thing.

>                                                            But
> re-reading this explanation made me think that indeed the ssh-add is
> the responsible. And, indeed, it was the "-c" option of ssh-add in my
> .xsession that enabled this behaviour. I guess I added that there by
> accident when I was playing with the ssh-agent -c...
>
> Anyway, removing that -c solved the issue. Sorry for the noise.  Thank
> everyone for their suggestions.

Glad to read the situation is sorted.  I don't know for the
others, but I learned a thing or two about SSH key management in
the process; that doesn't exactly qualify as noise.  :^)

Kind Regards
--
Étienne Mollier <[hidden email]>