
I have just discovered I can log into my server as long as I provide a missing file to the ssh client!

What can I check to find out why and what can I change to stop this from happening?

Logging in with missing file

$ ssh -i ~/.ssh/x user@server.com
Warning: Identity file /c/Users/G/.ssh/x not accessible: No such file or directory.
Last login: Wed Aug  9 20:20:49 2017 from 192.168.15.250
user@server:~$

Failing to log in with invalid cert

$ ssh -i ~/.ssh/invalid.pem user@server
Permission denied (publickey).

Successfully logging in

$ ssh -i ~/.ssh/valid.pem user@server
Last login: Wed Aug  9 20:21:07 2017 from 192.168.15.250
user@server:~$

These are the only non-commented lines in my /etc/ssh/sshd_config

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
G-.
  • Is the login still working if you remove the valid cert while specifying the invalid file name (in other words, does SSH fall back to other files in case of the missing file, as this is a different situation than a wrong key)? – Sven Aug 09 '17 at 20:36
  • Yes, the login still works when I move the file to my desktop out of the .ssh folder – G-. Aug 09 '17 at 20:46
  • [With reference to this question](https://askubuntu.com/questions/688887/i-can-login-my-ssh-server-without-password-and-private-key), it appears I do not have a running agent storing a valid key: `$ ssh-add -l` `Could not open a connection to your authentication agent.` – G-. Aug 09 '17 at 20:46
  • Show us what happens when you attempt to connect with `-vv` for verbose output. – Zoredache Aug 09 '17 at 21:16
  • Thanks @Zoredache, that got me to the answer. The client was falling back on the `id_rsa` in the .ssh directory when the specified key wasn't found. I will write this up as an answer below – G-. Aug 10 '17 at 11:56

1 Answer


In answer to "What can I check to find out why"

`ssh -vv`. The `-vv` parameter gives verbose debugging showing what is happening between pressing return on the local client and seeing the prompt on the remote server.

In answer to "Why can I ssh logon without key or password?"

That wasn't what was happening. In this specific case, the appropriate key, `valid.pem`, was duplicated in the `id_rsa` file. The duplicate key was being used.


The following occurs on this client:

  1. A warning is shown that the specified key file is not accessible.
  2. The client tries looking for any suitable key, as shown here:

     debug2: key: /c/Users/G/.ssh/id_rsa (0x0)
     debug2: key: /c/Users/G/.ssh/id_dsa (0x0)
     debug2: key: /c/Users/G/.ssh/id_ecdsa (0x0)
     debug2: key: /c/Users/G/.ssh/id_ed25519 (0x0)

  3. It then tries the `id_rsa` key, as shown here: `debug1: Trying private key: /c/Users/G/.ssh/id_rsa`
  4. The server sees that this key is valid and allows logon to continue: `debug1: Authentication succeeded (publickey).`
G-.
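The check described in the answer, as an added example that is not part of the original answer: a small Python parser over `ssh -vv` output that reports which key file actually authenticated and whether it differs from the one passed to `-i`. The sample log is constructed from the lines quoted on this page; the function name and the line patterns (taken from this page's output format) are assumptions and may differ in other OpenSSH versions.

```python
import re

# Constructed sample, assembled from the warning and debug lines quoted on this page.
SAMPLE_LOG = """\
Warning: Identity file /c/Users/G/.ssh/x not accessible: No such file or directory.
debug2: key: /c/Users/G/.ssh/id_rsa (0x0)
debug2: key: /c/Users/G/.ssh/id_dsa (0x0)
debug2: key: /c/Users/G/.ssh/id_ecdsa (0x0)
debug2: key: /c/Users/G/.ssh/id_ed25519 (0x0)
debug1: Trying private key: /c/Users/G/.ssh/id_rsa
debug1: Authentication succeeded (publickey).
"""

# Line patterns assumed from the output format shown on this page.
MISSING = re.compile(r"Warning: Identity file (\S+) not accessible")
CANDIDATE = re.compile(r"debug2: key: (\S+)")
TRYING = re.compile(r"debug1: Trying private key: (\S+)")
SUCCESS = re.compile(r"debug1: Authentication succeeded \(([^)]+)\)")


def audit_ssh_debug(log_text, requested):
    """Hypothetical helper: find the key that authenticated and compare it
    with the expanded path that was passed to -i."""
    missing, candidates = [], []
    last_tried = used = method = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MISSING.match(line):
            missing.append(m.group(1))
        elif m := CANDIDATE.match(line):
            candidates.append(m.group(1))
        elif m := TRYING.match(line):
            last_tried = m.group(1)  # most recent key the client attempted
        elif (m := SUCCESS.match(line)) and method is None:
            method = m.group(1)
            # Only a publickey success can be attributed to a key file.
            used = last_tried if method == "publickey" else None
    return {
        "missing": missing,        # -i paths the client could not read
        "candidates": candidates,  # keys the client queued instead
        "method": method,          # None means authentication never succeeded
        "used": used,
        "fallback": used is not None and used != requested,
    }


if __name__ == "__main__":
    print(audit_ssh_debug(SAMPLE_LOG, "/c/Users/G/.ssh/x"))
```

ssh writes its debug output to stderr, so capture it with `2>` before passing the text to the function.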