OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: jke on April 07, 2025, 10:10:24 PM

Title: SSH for User in admins group does not work
Post by: jke on April 07, 2025, 10:10:24 PM
Hi everyone,

I've added a user, selected the default "admins" group, selected a shell (/bin/sh) and pasted an SSH key for the user.
Then I went to Settings -> Administration.
Under Secure Shell, I enabled it, selected "wheel, admins" for Login Groups and went to the Authentication section, where I also selected "wheel, admins" and "ask password" for sudo.

But when I try to connect to the appliance via SSH as the new user, I get a "Permission denied (publickey)".

I've also tried it with other SSH keys, but it won't work, so I think it is something I messed up in the settings.
Did I forget anything obvious?

Thanks for your help in advance!
Title: Re: SSH for User in admins group does not work
Post by: patient0 on April 07, 2025, 11:16:31 PM
Looks quite ok, I never changed anything in the 'Authentication' section so I can't comment on that part.

Quote: pasted an SSH key for the user
On the client you want to log in from, you created an SSH key? Did you copy the public key (<key name>.pub in ~/.ssh/) of the client SSH key into the user's 'Authorized Keys' field?
Title: Re: SSH for User in admins group does not work
Post by: jke on April 07, 2025, 11:26:09 PM
Quote from: patient0 on April 07, 2025, 11:16:31 PM: On the client you want to log in from, you created an SSH key? Did you copy the public key (<key name>.pub in ~/.ssh/) of the client SSH key into the user's 'Authorized Keys' field?

Yes, that's just what I did.
I also tried with the keys working for the root user, but that didn't change anything. For root it works, for the new user it doesn't.
I've done this setup in the past, but it was some time ago, so I don't remember the exact steps to get it working.
I thought the steps I've gone through were everything I needed to do.
Title: Re: SSH for User in admins group does not work
Post by: patient0 on April 07, 2025, 11:31:44 PM
That really should work, yes. I created a user, added it to the admin group and pasted the public key in the field.
In the end you got one line starting with 'ssh-ed25519' or 'ssh-rsa' in that field, yes?

What OPNsense version are you using?
Title: Re: SSH for User in admins group does not work
Post by: jke on April 07, 2025, 11:38:07 PM
Quote from: patient0 on April 07, 2025, 11:31:44 PM: In the end you got one line starting with 'ssh-ed25519' or 'ssh-rsa' in that field, yes?

What OPNsense version are you using?

Yes, I use ed25519 and the (single) line starts with ssh-ed25519.
I first thought the comment at the end of the line was the problem, but that is also not the case.
I removed it and it doesn't work, and the keys of the admin user do have comments and they work.

The OPNsense version is the latest (OPNsense 25.1.4_1-amd64).
Title: Re: SSH for User in admins group does not work
Post by: jke on April 07, 2025, 11:40:57 PM
I just tested it with a new user.
There it works. Do you know of any restrictions in naming users?
The user "test" works just fine with the same setup, but the original user "github-runner" does not work.
Title: Re: SSH for User in admins group does not work
Post by: patient0 on April 07, 2025, 11:42:03 PM
Quote from: jke on April 07, 2025, 11:38:07 PM:
Quote from: patient0 on April 07, 2025, 11:31:44 PM: In the end you got one line starting with 'ssh-ed25519' or 'ssh-rsa' in that field, yes?

What OPNsense version are you using?

Yes, I use ed25519 and the (single) line starts with ssh-ed25519.
I first thought the comment at the end of the line was the problem, but that is also not the case.
I removed it and it doesn't work, and the keys of the admin user do have comments and they work.

The OPNsense version is the latest (OPNsense 25.1.4_1-amd64).
Does the user on the client have multiple SSH keys, and it may use another one? You can run 'ssh -v <the user>@opnsense'. That will tell you all the keys it tries.
Title: Re: SSH for User in admins group does not work
Post by: patient0 on April 07, 2025, 11:44:31 PM
Quote from: jke on April 07, 2025, 11:40:57 PM: The user "test" works just fine with the same setup, but the original user "github-runner" does not work.
I created a user named github-runner and it works for me.
Title: Re: SSH for User in admins group does not work
Post by: jke on April 07, 2025, 11:50:22 PM
Okay, thank you very much for your help.
I guess I found the cause of the problem, but as of right now not a solution.
The system was a "plain" FreeBSD system before, where I had already created the user "github-runner".
There I ran the opnsense-bootstrap script, which I thought would clean up the system.
But I just found out the users do not seem to be cleaned up correctly.

There must be some sort of conflict when creating a user with the same name.

I will clean up every evidence of the "user artifacts" and try again.
Title: Re: SSH for User in admins group does not work
Post by: jke on April 08, 2025, 12:04:08 AM
Update: I can't find any more evidence of the user (deleted home directory/zfs dataset and the lines with reference in /etc/passwd, /etc/groups, /etc/master.passwd, /usr/local/etc/sudoers), but it still doesn't work.
I think I will set up a clean system again and use the backup of the currently existing appliance.

Or do you maybe have any other idea where anything else could be that interferes with the OPNsense setup?
find / -name and grep -r / -e had no more results (only log entries).
Title: Re: SSH for User in admins group does not work
Post by: Patrick M. Hausen on April 08, 2025, 12:08:09 AM
Did you use "vipw" or "pw" to remove the user from master.passwd and friends? Because there's a database generated from the plain text file in BSD. "vipw" takes care of rebuilding that.
Title: Re: SSH for User in admins group does not work
Post by: jke on April 08, 2025, 12:10:37 AM
Quote from: Patrick M. Hausen on April 08, 2025, 12:08:09 AM: Did you use "vipw" or "pw" to remove the user from master.passwd and friends? Because there's a database generated from the plain text file in BSD. "vipw" takes care of rebuilding that.

I just found out about this :)
And when I did, I tried it, but the problem sadly persists.
Title: Re: SSH for User in admins group does not work
Post by: patient0 on April 08, 2025, 12:11:56 AM
Quote from: jke on April 08, 2025, 12:10:37 AM: And when I did, I tried it, but the problem sadly persists.
Did you remove and recreate the user in OPNsense after you removed it from the system?
Title: Re: SSH for User in admins group does not work
Post by: Patrick M. Hausen on April 08, 2025, 12:12:48 AM
Try "id <user>" on OPNsense and "ssh -v ..." from the external system to get more debug info.
Title: Re: SSH for User in admins group does not work
Post by: jke on April 08, 2025, 12:13:41 AM
Quote from: patient0 on April 08, 2025, 12:11:56 AM:
Quote from: jke on April 08, 2025, 12:10:37 AM: And when I did, I tried it, but the problem sadly persists.
Did you remove and recreate the user in OPNsense after you removed it from the system?

Yes, a few times
Title: Re: SSH for User in admins group does not work
Post by: jke on April 08, 2025, 12:16:18 AM
Quote from: Patrick M. Hausen on April 08, 2025, 12:12:48 AM: Try "id <user>" on OPNsense and "ssh -v ..." from the external system to get more debug info.
root@OPNsense:~ # id github-runner
id: github-runner: no such user

github-runner@runner-1:~$ ssh -v 10.1.0.1 -p 2222
OpenSSH_9.6p1 Ubuntu-3ubuntu13.9, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /runner/.ssh/config
debug1: /runner/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 10.1.0.1 [10.1.0.1] port 2222.
debug1: Connection established.
debug1: identity file /runner/.ssh/id_ed25519 type 3
debug1: identity file /runner/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9 FreeBSD-openssh-portable-9.9.p2_1,1
debug1: compat_banner: match: OpenSSH_9.9 FreeBSD-openssh-portable-9.9.p2_1,1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.1.0.1:2222 as 'github-runner'
debug1: load_hostkeys: fopen /runner/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:ap8uNQSdCZ0vwEBaiulo6GXdDiqup6KOH9egGfi8y60
debug1: load_hostkeys: fopen /runner/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[10.1.0.1]:2222' is known and matches the ED25519 host key.
debug1: Found key in /runner/.ssh/known_hosts:4
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Will attempt key: /runner/.ssh/id_ed25519 ED25519 SHA256:7vQBdTAhIVJCRnHC2K3KNfUglYKfFQz0e1jE+5T5pZ8 explicit
debug1: Offering public key: /runner/.ssh/id_ed25519 ED25519 SHA256:7vQBdTAhIVJCRnHC2K3KNfUglYKfFQz0e1jE+5T5pZ8 explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
github-runner@10.1.0.1: Permission denied (publickey).
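The two checks suggested above (`id <user>` on the firewall, `ssh -v` from the client) answer different questions, and the transcript in this post is a textbook case: the client did offer exactly one key (the "Offering public key" line with the SHA256 fingerprint), the server answered with nothing but "Authentications that can continue: publickey", and `id` on the firewall reported no such user, so the client side is fine and the account on the target is what needs looking at. The following helper is an added example, not code from the thread or from OPNsense. It reads a saved `ssh -v` transcript, the captured `id` output and local copies of the account files, and prints which side to check next. The function names, the verdict labels and the sample files are assumptions made for this example; the sample transcript lines are trimmed from the post above and the master.passwd/group samples are constructed. The FreeBSD commands it mentions for a hand-deleted account (vipw(8), pw(8), `pwd_mkdb -p /etc/master.passwd`) are the standard tools for rebuilding /etc/pwd.db and /etc/spwd.db from the text file.

```shell
#!/bin/sh
# Added triage helper (not part of the thread or OPNsense): read an `ssh -v`
# transcript plus the `id <user>` output from the firewall and say which side
# to look at next. Function and label names are this example's own choices.

# classify_ssh_v FILE: what the client-side transcript proves.
#   auth-ok         server accepted a key and the session authenticated
#   key-accepted    server accepted a key but auth still did not complete
#   key-rejected    client offered a key, server did not accept it
#   no-key-offered  client never offered a key (identity/agent problem)
#   unknown         none of the markers present (rerun with -vvv)
classify_ssh_v() {
    if grep -q '^debug1: Authentication succeeded' "$1"; then echo auth-ok
    elif grep -q '^debug1: Server accepts key' "$1"; then echo key-accepted
    elif grep -q '^debug1: Offering public key' "$1"; then echo key-rejected
    elif grep -q 'Permission denied (publickey)' "$1"; then echo no-key-offered
    else echo unknown
    fi
}

# offered_keys FILE: SHA256 fingerprints the client actually offered, one per line.
offered_keys() {
    sed -n 's|^debug1: Offering public key: .* \(SHA256:[A-Za-z0-9+/=]*\).*|\1|p' "$1"
}

# target_of FILE: "user@host:port" the client tried to authenticate as.
target_of() {
    sed -n "s|^debug1: Authenticating to \(.*\) as '\(.*\)'.*|\2@\1|p" "$1"
}

# user_remnants USER FILE...: account files that still mention USER (whole word).
# On FreeBSD pass /etc/master.passwd /etc/passwd /etc/group /usr/local/etc/sudoers.
# A leftover entry must go through vipw(8) or pw(8), not a plain editor, so that
# /etc/pwd.db and /etc/spwd.db are rebuilt (pwd_mkdb -p /etc/master.passwd).
user_remnants() {
    u=$1; shift
    for f in "$@"; do
        [ -f "$f" ] && grep -q -w -- "$u" "$f" && echo "$f"
    done
    return 0
}

# next_step CLASS ID_OUTPUT: the server-side check implied by both results.
next_step() {
    case "$1:$2" in
        auth-ok:*)           echo "nothing to fix" ;;
        *:*"no such user"*)  echo "account missing on target: recreate it in the OPNsense GUI; if it was removed by hand, rebuild the password db with vipw or pwd_mkdb -p /etc/master.passwd" ;;
        key-rejected:*)      echo "account exists: compare the offered fingerprint with the user's Authorized Keys field and check the SSH login groups" ;;
        no-key-offered:*)    echo "client never offered a key: check IdentityFile / -i / ssh-agent on the client" ;;
        *)                   echo "inconclusive: rerun with ssh -vvv" ;;
    esac
}

# Constructed sample inputs: transcript lines trimmed from the post above, the
# `id` result from the same post, and a master.passwd left over from the old install.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/ssh-v.log" <<'EOF'
debug1: Connecting to 10.1.0.1 [10.1.0.1] port 2222.
debug1: Authenticating to 10.1.0.1:2222 as 'github-runner'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Will attempt key: /runner/.ssh/id_ed25519 ED25519 SHA256:7vQBdTAhIVJCRnHC2K3KNfUglYKfFQz0e1jE+5T5pZ8 explicit
debug1: Offering public key: /runner/.ssh/id_ed25519 ED25519 SHA256:7vQBdTAhIVJCRnHC2K3KNfUglYKfFQz0e1jE+5T5pZ8 explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
github-runner@10.1.0.1: Permission denied (publickey).
EOF
ID_OUTPUT='id: github-runner: no such user'   # in practice: $(ssh root@fw id github-runner 2>&1)
printf 'root:*:0:0::0:0:root:/root:/bin/sh\ngithub-runner:*:1001:1001::0:0::/home/github-runner:/bin/sh\n' >"$WORK/master.passwd"
printf 'wheel:*:0:root\nadmins:*:1999:\n' >"$WORK/group"

CLASS=$(classify_ssh_v "$WORK/ssh-v.log")
echo "target:   $(target_of "$WORK/ssh-v.log")"
echo "offered:  $(offered_keys "$WORK/ssh-v.log")"
echo "verdict:  $CLASS -> $(next_step "$CLASS" "$ID_OUTPUT")"
echo "remnants: $(user_remnants github-runner "$WORK/master.passwd" "$WORK/group" | tr '\n' ' ')"
```

Run it with a real transcript by saving `ssh -v -p 2222 github-runner@10.1.0.1 2>ssh-v.log` on the client and capturing `id github-runner` on the firewall; the remnants check is the scripted form of the grep through /etc/master.passwd, /etc/group and sudoers done in this thread, and a hit there after the GUI user was deleted is exactly the stale-entry situation vipw exists for.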
Title: Re: SSH for User in admins group does not work
Post by: jke on April 08, 2025, 12:19:54 AM
Oh no!
Forget my last replies.
I guess after removing the user with vipw, the OPNsense was clean.

But while testing I reused the command with ssh root@... and got more Permission denied errors.
Then, when posting the ssh -v output, the user wasn't recreated before the attempt.

I can now connect to the OPNsense. Thank you both very much for your help!