Hi,
I have the following situation:
PC1 running Leap 15.0 (LEAP)
PC2 running Tumbleweed (TW)
Both systems are on the same LAN, no firewall is blocking SSH connections.
SSH connection in both directions (LEAP->TW and LEAP->TW) has worked fine for years. On 3.Dec I updated TW as usual. Since then I had not tried connecting to it.
Yesterday I noticed that connection LEAP->TW is still possible but authentication fails. No config files were modified on any of the systems, hardware is the same too. LEAP can still connect to other systems (LAN and WAN) via SSH without problem. TW can connect to LEAP too.
On LEAP I see:
~]: ssh -p CUSTOMPORT TW -l root -v
OpenSSH_7.6p1, OpenSSL 1.1.0i-fips 14 Aug 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to TW ███.███.███.███] port CUSTOMPORT.
debug1: Connection established.
debug1: identity file /home/████/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/████/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/████/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/████/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/████/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/████/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/████/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/████/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to TW:CUSTOMPORT as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:████
debug1: Host '[TW]:CUSTOMPORT' is known and matches the ECDSA host key.
debug1: Found key in /home/████/.ssh/known_hosts:9
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:████ /home/████/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/████/.ssh/id_dsa
debug1: Trying private key: /home/████/.ssh/id_ecdsa
debug1: Trying private key: /home/████/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
root@TW: Permission denied (publickey,keyboard-interactive).
On TW I see journalctl messages like these:
Dec 20 11:53:53 TW sshd[1906]: pam_unix(sshd:auth): authentication failure: logname= uid=0 euid=0 tty=ssh ruser= rhost=███.███.███.███ user=root
Dec 20 11:53:55 TW sshd[1904]: error: PAM: Authentication failure for root from ███.███.███.███
The config is:
# grep -vE "^ #]" /etc/ssh/sshd_config
Port CUSTOMPORT
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
What I tried so far (and it didn’t help):
-
Checking my password 100 times (it is correct)
-
Deleting the line in ~/.ssh/known_hosts on LEAP for the TW host. The line was recreated fine on next login attempt but authentication still fails
-
Updating again the TW host
-
Setting PasswordAuthentication to yes/no on TW
Any idea what is going on and how to fix it?