danfruehauf / NetworkManager-ssh

SSH VPN integration for NetworkManager

Host key verification failed #108

Open bernharl opened 2 years ago

bernharl commented 2 years ago

Whenever I try establishing the VPN in my Gnome settings I get an error notification with "Connection failed Activation of network connection failed".

The output of sudo journalctl -u NetworkManager shows:

Dec 26 10:03:45 bernharl NetworkManager[1089]: <info>  [1640509425.3231] agent-manager: agent[e0bd843a91c6a260,:1.332/org.gnome.Shell.NetworkAgent/120]: agent registered
Dec 26 10:03:55 bernharl NetworkManager[1089]: <info>  [1640509435.6958] agent-manager: agent[e1c5087a67875115,:1.359/org.gnome.Shell.NetworkAgent/1000]: agent registered
Dec 26 10:04:43 bernharl NetworkManager[1089]: <info>  [1640509483.3841] audit: op="connection-activate" uuid="153efe70-c19e-4c33-9c87-ed6ae68c92c6" name="kuka-remote" pid=15792 uid=1000 result="success"
Dec 26 10:04:43 bernharl NetworkManager[1089]: <info>  [1640509483.3873] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: Started the VPN service, PID 17005
Dec 26 10:04:43 bernharl NetworkManager[1089]: <info>  [1640509483.3979] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: Saw the service appear; activating connection
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: Found ssh agent socket at: '/run/user/1000/keyring/ssh'
Dec 26 10:04:43 bernharl NetworkManager[1089]: <info>  [1640509483.4029] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: VPN connection: (ConnectInteractive) reply received
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: ssh started with pid 17013
Dec 26 10:04:43 bernharl NetworkManager[1089]: <info>  [1640509483.4108] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: VPN plugin: state changed: starting (3)
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: Reading configuration data /etc/ssh/ssh_config
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: Connecting to 127.0.0.1 [127.0.0.1] port 6556.
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: Connection established.
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_rsa type 0
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_rsa-cert type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_dsa type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_dsa-cert type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ecdsa type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ecdsa-cert type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ecdsa_sk type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ed25519 type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ed25519-cert type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ed25519_sk type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_xmss type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: identity file /root/.ssh/id_xmss-cert type -1
Dec 26 10:04:43 bernharl nm-ssh-service[17005]: debug1: Local version string SSH-2.0-OpenSSH_8.8
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: compat_banner: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: Authenticating to 127.0.0.1:6556 as 'root'
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: SSH2_MSG_KEXINIT sent
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: SSH2_MSG_KEXINIT received
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: kex: algorithm: curve25519-sha256
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: kex: host key algorithm: ssh-ed25519
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: SSH2_MSG_KEX_ECDH_REPLY received
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: Server host key: ssh-ed25519 SHA256:p2AKvq2SeIzf28KGVI4GGCOhLWRyhQkNqhONcNi/TY4
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: checking without port identifier
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /home/bernhard/.ssh/known_hosts:7
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /home/bernhard/.ssh/known_hosts:10
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /home/bernhard/.ssh/known_hosts:11
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /home/bernhard/.ssh/known_hosts:15
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /etc/ssh/ssh_known_hosts:1
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /etc/ssh/ssh_known_hosts:4
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /etc/ssh/ssh_known_hosts2:1
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: hostkeys_find_by_key_cb: found matching key in /etc/ssh/ssh_known_hosts2:4
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: read_passphrase: can't open /dev/tty: No such device or address
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: Host key verification failed.
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: ssh exited with error code 255
Dec 26 10:04:49 bernharl NetworkManager[1089]: <warn>  [1640509489.5501] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: VPN plugin: failed: connect-failed (1)
Dec 26 10:04:49 bernharl NetworkManager[1089]: <warn>  [1640509489.5502] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: VPN plugin: failed: connect-failed (1)
Dec 26 10:04:49 bernharl NetworkManager[1089]: <info>  [1640509489.5502] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: VPN plugin: state changed: stopping (5)
Dec 26 10:04:49 bernharl NetworkManager[1089]: <info>  [1640509489.5502] vpn-connection[0x55a6149cc510,153efe70-c19e-4c33-9c87-ed6ae68c92c6,"kuka-remote",0]: VPN plugin: state changed: stopped (6)

The lines

Dec 26 10:04:49 bernharl nm-ssh-service[17005]: debug1: read_passphrase: can't open /dev/tty: No such device or address
Dec 26 10:04:49 bernharl nm-ssh-service[17005]: Host key verification failed.

lead me to believe that the program expects me to be able to input the password of my ssh key, but is unable to do so as it is not connected to a terminal. I have tried setting up askpass, and my environment now looks like this:

~ ❯ env | grep SSH                                                                                              10s 10:05:03
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
SSH_ASKPASS_REQUIRE=prefer
SSH_ASKPASS=/usr/bin/qt4-ssh-askpass

where qt4-ssh-askpass is the graphical ssh askpass prompt provided by openssh-askpass.

The strange thing however is that I don't actually have password protection on my ssh key, so I don't understand why this should be relevant at all...

I'm running Arch Linux on a Thinkpad T15v, using the Gnome Wayland session. Installed using my own PKGBUILD (hosted at: https://aur.archlinux.org/packages/networkmanager-ssh/)

bernharl commented 2 years ago

I also confirmed now that it doesn't work under X11 either.

Could this be related to /usr/lib/NetworkManager/nm-ssh-service? Is this what is being used by this program to prompt for the password? If so, perhaps it crashes for some reason. Any way to get logs from it? Running it directly from terminal just yields Have to supply ID, name and service
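
In the log from the first comment, the `hostkeys_find_by_key_cb: found matching key in ...` lines list known_hosts entries that hold the same key under other names, and in OpenSSH `read_passphrase` is also the routine that asks the yes/no host key confirmation. As an added example (not part of the original thread or of NetworkManager-ssh), this Python sketch classifies a server key against known_hosts content for the `[host]:port` name ssh looks up, with the bare-host fallback the log calls "checking without port identifier". The sample entries, key blobs and salt are constructed; wildcard patterns and `@` markers are not handled.

```python
import base64, hashlib, hmac

def host_token(host, port=22):
    # ssh records non-default ports as "[host]:port"; port 22 uses the bare name.
    return host if port == 22 else f"[{host}]:{port}"

def fingerprint(key_b64):
    # Form ssh prints: "SHA256:" + unpadded base64 of SHA-256 over the key blob.
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_name(name, salt):
    # HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def name_matches(pattern, name):
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(pattern, hash_name(name, salt))
    return pattern == name  # wildcard and negated patterns are not handled

def classify(known_hosts, host, port, keytype, server_fp):
    """Return (status, line numbers) for one server key against known_hosts text."""
    token = host_token(host, port)
    hits = {"trusted": [], "changed": [], "known-by-other-name": []}
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # comments, @markers: skipped
            continue
        names = fields[0].split(",")
        named = any(name_matches(n, token) for n in names)
        bare = any(name_matches(n, host) for n in names)  # "checking without port identifier"
        same_key = fields[1] == keytype and fingerprint(fields[2]) == server_fp
        kind = ("trusted" if (named or bare) and same_key else
                "changed" if named and fields[1] == keytype else
                "known-by-other-name" if same_key else None)
        if kind:
            hits[kind].append(lineno)
    return next(((s, nums) for s, nums in hits.items() if nums), ("unknown", []))

# Constructed sample: placeholder key blobs, not real host keys.
KEY_A = base64.b64encode(b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"constructed-key-B").decode()
SAMPLE = "\n".join([
    f"gateway.example ssh-ed25519 {KEY_A}",
    f"{hash_name('192.0.2.10', b'constructed-salt')} ssh-ed25519 {KEY_A}",
    f"[127.0.0.1]:2222 ssh-ed25519 {KEY_B}",
])
```

A `known-by-other-name` result for `127.0.0.1` port `6556` corresponds to the situation in which ssh would ask for confirmation; `ssh-keygen -F '[127.0.0.1]:6556' -f <known_hosts file>` performs the same name lookup against a real file.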