danfruehauf / NetworkManager-ssh

SSH VPN integration for NetworkManager

Client tries to load SSH key from root instead of current account #78

Open bserem opened 5 years ago

bserem commented 5 years ago

I am logged in to my Debian system as my personal user, configured a VPN in NetworkManager over the GUI and tried to connect.

I can see in the log that it tries to load a keyfile from root and not from my user:

Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: Connecting to server.example.ch [185.142.212.217] port 22.#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: Connection established.#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_rsa type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_rsa-cert type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_dsa type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_dsa-cert type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_ecdsa type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_ecdsa-cert type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_ed25519 type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_ed25519-cert type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_xmss type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_xmss-cert type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: Local version string SSH-2.0-OpenSSH_7.8p1 Debian-1#015

Shouldn't it be loading my user's keys?

danfruehauf commented 5 years ago

Hi @bserem, thanks for the inquiry.

So it is doing what is expected. NM and the lot run in a root context, so it is a bit difficult to find out which user is actually triggering the connection. You can specify a full path to an SSH key, but then you can't have a passphrase on it, as it will not prompt you for it.

If you choose ssh-agent auth, what happens is that the authentication dialog (which you won't see) passes SSH_AUTH_SOCK to the ssh process that initiates the VPN. This causes ssh to authenticate using the ssh-agent socket of your own user, despite running as root.

I hope that clarifies the process. And in general I recommend running it with the ssh-agent option.

kurtabersold commented 5 years ago

It would be nice if adding -o UserKnownHostsFile /home/user/.ssh/known_hosts to SSH Advanced Options worked. It does seem to work when not using key-based authentication.


Oct 06 16:02:47 myhost nm-ssh-service[21339]: Using root's .ssh/known_hosts
Oct 06 16:02:47 myhost nm-ssh-service[21339]: -o
Oct 06 16:02:47 myhost nm-ssh-service[21339]: ServerAliveInterval=10
Oct 06 16:02:47 myhost nm-ssh-service[21339]: -o
Oct 06 16:02:47 myhost nm-ssh-service[21339]: TCPKeepAlive=yes
Oct 06 16:02:47 myhost nm-ssh-service[21339]: -o
Oct 06 16:02:47 myhost nm-ssh-service[21339]: UserKnownHostsFile
Oct 06 16:02:47 myhost nm-ssh-service[21339]: /home/user/.ssh/known_hosts
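The two journal excerpts quoted in this thread (the `identity file` lines in the opening report and the option dump in kurtabersold's comment) can be checked mechanically. The script below is an added example, not code from NetworkManager-ssh; it parses nm-ssh-service journal lines, lists which identity files the root-context ssh tried and which of them lie outside the invoking user's home, notes the "Using root's .ssh/known_hosts" message, and reassembles the `-o` options, flagging a key whose value arrived as a separate argument. The sample log is constructed from the lines quoted above; the expected home directory (`/home/user`) and the assumption that nm-ssh-service logs one ssh argument per line are assumptions made for the example.

```python
import re

# Constructed sample, modelled on the journal lines quoted in this issue.
SAMPLE_LOG = """\
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_rsa type -1#015
Sep 17 17:04:37 dwarf nm-ssh-service[5161]: debug1: identity file /root/.ssh/id_ed25519 type -1#015
Oct 06 16:02:47 myhost nm-ssh-service[21339]: Using root's .ssh/known_hosts
Oct 06 16:02:47 myhost nm-ssh-service[21339]: -o
Oct 06 16:02:47 myhost nm-ssh-service[21339]: ServerAliveInterval=10
Oct 06 16:02:47 myhost nm-ssh-service[21339]: -o
Oct 06 16:02:47 myhost nm-ssh-service[21339]: UserKnownHostsFile
Oct 06 16:02:47 myhost nm-ssh-service[21339]: /home/user/.ssh/known_hosts
"""

# syslog-style prefix; "#015" is journald's rendering of a trailing carriage return
MSG_RE = re.compile(
    r"^\S+ \d+ \d\d:\d\d:\d\d \S+ nm-ssh-service\[\d+\]: (?P<msg>.*?)(?:#015)?$"
)
IDENTITY_RE = re.compile(r"^debug1: identity file (?P<path>\S+) type (?P<type>-?\d+)$")


def messages(log):
    """Return the message part of every nm-ssh-service line, prefix and #015 stripped."""
    out = []
    for line in log.splitlines():
        m = MSG_RE.match(line)
        if m:
            out.append(m.group("msg"))
    return out


def identity_files(msgs):
    """(path, type) for each identity file ssh reported trying; type -1 means not found."""
    found = []
    for msg in msgs:
        m = IDENTITY_RE.match(msg)
        if m:
            found.append((m.group("path"), int(m.group("type"))))
    return found


def foreign_identities(msgs, expected_home):
    """Identity paths that are not under the invoking user's home directory."""
    prefix = expected_home.rstrip("/") + "/"
    return [path for path, _ in identity_files(msgs) if not path.startswith(prefix)]


def uses_root_known_hosts(msgs):
    """True if the service announced it is using root's known_hosts file."""
    return any(msg.startswith("Using root's .ssh/known_hosts") for msg in msgs)


def ssh_options(msgs):
    """Reassemble -o options from a one-argument-per-line dump (assumed layout).

    Returns (key, value, split) tuples; split is True when the value was a
    separate argument rather than part of the option token, so ssh would
    have received key and value as two argv entries.
    """
    opts = []
    i = 0
    while i < len(msgs):
        if msgs[i] != "-o" or i + 1 >= len(msgs):
            i += 1
            continue
        opt = msgs[i + 1]
        if "=" in opt:                      # -o Key=value
            key, value = opt.split("=", 1)
            opts.append((key, value, False))
            i += 2
        elif " " in opt:                    # -o "Key value" as one argument
            key, value = opt.split(" ", 1)
            opts.append((key, value, False))
            i += 2
        elif i + 2 < len(msgs) and msgs[i + 2] != "-o":
            opts.append((opt, msgs[i + 2], True))   # value arrived separately
            i += 3
        else:
            opts.append((opt, "", True))            # key with no value at all
            i += 2
    return opts


if __name__ == "__main__":
    msgs = messages(SAMPLE_LOG)
    print("identity files tried:", identity_files(msgs))
    print("outside /home/user:", foreign_identities(msgs, "/home/user"))
    print("root known_hosts in use:", uses_root_known_hosts(msgs))
    for key, value, split in ssh_options(msgs):
        print(f"-o {key}={value!r}" + ("  <- value was a separate argument" if split else ""))
```

Running it against the constructed sample reports both identity files as living under /root rather than the user's home, confirms the root known_hosts message, and marks UserKnownHostsFile as the one option whose value reached ssh as a separate argument; ssh accepts `-o Key=value` as a single argument, so a key and value on separate lines is worth a second look when an advanced option appears to be ignored.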