
Re: SSH: key-based authentication + password access forbidden - Trixie fresh install



On Wed, 08 Oct 2025 09:58:28 +0200,
Sébastien NOBILI <s-liste-debian-user-french@pipoprods.org> wrote:

> On 2025-10-08 07:31, Alain Vaugham wrote:
> [...]
> - are you sure the key is presented to the server during the SSH
> connection (you can increase verbosity with `ssh -vvv` and look for
> "Will attempt key:")

So here is what I did from the client:
$ ssh -vvv -pXXXX user@ip_du_serveur

I don't really know how to interpret the output, but it seems to me that
some signs indicate my RSA key is not being recognised.

For example I notice:
debug1: identity file /home/moi/.ssh/id_rsa type 0
while the following lines are of type -1

debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:Ui___[masked]___SQ
then:
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:Ui___[masked]___SQ
I don't identify what this public key is: "RSA SHA256:Ui___[masked]___SQ". It may be a session key, but what I do know is that it is not
the fingerprint of my public key.
I also notice that this line is absent:
debug1: Trying private key: /home/user/.ssh/id_rsa
The full -vvv output is at the bottom of this mail.

A few notes that may help:
- My client login (/home/moi 1002) is different from the login on the
server (/home/user 1000)
- My known_hosts allows several identifications on routable IPs
as well as on other non-routable IPs
- In my known_hosts there is a connection to a Bullseye machine that still
works wonderfully. It is used for scripts with scp.
- in the -vvv output below I anonymised the IPs, logins, keys
and the connection port



> - are the permissions correct on the server side (the `.ssh/` directory
> should be 700 and the `.ssh/authorized_keys` file
> 600)

I should have mentioned it. Yes, they are correct:
- 700 for .ssh/ so that only the owner can traverse it
- 600 for .ssh/authorized_keys for its r+w
As far as I remember, if the permissions were incorrect then
authentication would be refused.
In my case, password authentication is possible.



I would welcome some light on the verbose output below.

--
Regards,
Alain Vaugham
GPG key: 0xDB77E054673ECFD2

==================================================================
moi@ma_machine:~/.ssh$ ssh -vvv -pXXXX user@192.168.ip.serveur

OpenSSH_8.4p1 Debian-5+deb11u5, OpenSSL 1.1.1w  11 Sep 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.ip.serveur is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/moi/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/moi/.ssh/known_hosts2'
debug2: ssh_connect_direct
debug1: Connecting to 192.168.ip.serveur [192.168.ip.serveur] port XXXX.
debug1: Connection established.
debug1: identity file /home/moi/.ssh/id_rsa type 0
debug1: identity file /home/moi/.ssh/id_rsa-cert type -1
debug1: identity file /home/moi/.ssh/id_dsa type -1
debug1: identity file /home/moi/.ssh/id_dsa-cert type -1
debug1: identity file /home/moi/.ssh/id_ecdsa type -1
debug1: identity file /home/moi/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/moi/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/moi/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/moi/.ssh/id_ed25519 type -1
debug1: identity file /home/moi/.ssh/id_ed25519-cert type -1
debug1: identity file /home/moi/.ssh/id_ed25519_sk type -1
debug1: identity file /home/moi/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/moi/.ssh/id_xmss type -1
debug1: identity file /home/moi/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u5
debug1: Remote protocol version 2.0, remote software version OpenSSH_10.0p2 Debian-7
debug1: match: OpenSSH_10.0p2 Debian-7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.ip.serveur:XXXX as 'user'
debug3: put_host_port: [192.168.ip.serveur]:XXXX
debug3: hostkeys_foreach: reading file "/home/moi/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/moi/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from [192.168.ip.serveur]:XXXX
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,ext-info-s,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:onlkpKEBa/ACSGCHuVdDolgWXu1hZS7FgsEsc3j/9dI
debug3: put_host_port: [192.168.ip.serveur]:XXXX
debug3: put_host_port: [192.168.ip.serveur]:XXXX
debug3: hostkeys_foreach: reading file "/home/moi/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/moi/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from [192.168.ip.serveur]:XXXX
debug3: hostkeys_foreach: reading file "/home/moi/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/moi/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from [192.168.ip.serveur]:XXXX
debug1: Host '[192.168.ip.serveur]:XXXX' is known and matches the ECDSA host key.
debug1: Found key in /home/moi/.ssh/known_hosts:8
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/moi/.ssh/id_rsa RSA SHA256:Ui__[masked]___SQ
debug1: Will attempt key: /home/moi/.ssh/id_dsa
debug1: Will attempt key: /home/moi/.ssh/id_ecdsa
debug1: Will attempt key: /home/moi/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/moi/.ssh/id_ed25519
debug1: Will attempt key: /home/moi/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/moi/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: kex_input_ext_info: ping@openssh.com (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/moi/.ssh/id_rsa RSA SHA256:___[masked]___SQ
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/moi/.ssh/id_dsa
debug3: no such identity: /home/moi/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/moi/.ssh/id_ecdsa
debug3: no such identity: /home/moi/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/moi/.ssh/id_ecdsa_sk
debug3: no such identity: /home/moi/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/moi/.ssh/id_ed25519
debug3: no such identity: /home/moi/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/moi/.ssh/id_ed25519_sk
debug3: no such identity: /home/moi/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/moi/.ssh/id_xmss
debug3: no such identity: /home/moi/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
user@192.168.ip.serveur: Permission denied (publickey).
==================================================================
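As an added example that is not part of this thread, here is a small POSIX shell triage of an `ssh -vvv` transcript like the one above: it reports which identity files the client could load, which keys it offered, and whether the server accepted or refused the public-key offer. The sample log lines and the fingerprint in them are constructed; the classification relies on the debug1 messages OpenSSH prints and on the userauth packet types (51 = USERAUTH_FAILURE, 60 = USERAUTH_PK_OK).

```shell
#!/bin/sh
# Added example, not from the thread: triage an `ssh -vvv` transcript.
# Each function reads the transcript on stdin (ssh writes its debug output
# to stderr, hence the 2>&1 in the usage line below).

# Constructed sample transcript, modelled on the debug1 lines quoted above.
SAMPLE_LOG='debug1: identity file /home/moi/.ssh/id_rsa type 0
debug1: identity file /home/moi/.ssh/id_ed25519 type -1
debug1: Will attempt key: /home/moi/.ssh/id_rsa RSA SHA256:EXAMPLEFINGERPRINT
debug1: Offering public key: /home/moi/.ssh/id_rsa RSA SHA256:EXAMPLEFINGERPRINT
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/moi/.ssh/id_ed25519
debug3: no such identity: /home/moi/.ssh/id_ed25519: No such file or directory
debug1: No more authentication methods to try.'

# Identity files ssh could actually read ("type -1" means the file is absent).
loaded_identities() {
    awk '/^debug1: identity file / && $NF != "-1" { print $4 }'
}

# Keys the client actually sent to the server as a public-key offer.
offered_keys() {
    awk '/^debug1: Offering public key: / { print $5 }'
}

# Outcome of the public-key phase. An accepted offer is answered with
# SSH_MSG_USERAUTH_PK_OK (packet type 60), logged as "Server accepts key";
# a refused offer gets SSH_MSG_USERAUTH_FAILURE (type 51), which ssh shows
# as another "Authentications that can continue" line.
pubkey_outcome() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q '^debug1: Server accepts key:'; then
        echo accepted
    elif [ -n "$(printf '%s\n' "$log" | offered_keys)" ]; then
        echo rejected-by-server
    else
        echo nothing-offered
    fi
}

# Stand-alone run on the constructed sample.
printf 'loaded:  %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | loaded_identities)"
printf 'offered: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | offered_keys)"
printf 'outcome: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | pubkey_outcome)"
```

On a live connection, run `ssh -vvv -p PORT user@host 2>&1 | pubkey_outcome`. A result of `rejected-by-server` with the key both loaded and offered means the client did its part and the decision was made by sshd, so the next place to look is the server side (the authorized_keys entry for that account and the sshd log).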

