Open skyblaster opened 3 months ago
Can you send the verbose output of the ssh connection? Please try using ssh -vvv when connecting.
Thanks for the hint!
I see that OpenSSH is attempting to use my private keys first and of course fails.
If I add -o PubkeyAuthentication=no to the command, then the issue goes away.
❯ ssh admin@localhost -p 5555 -o PubkeyAuthentication=no
ssh_debug.txt
Hi, I am unable to find why the default MaxAuthTries is 3. The changes made to the SSH config are related to this HLD: https://github.com/ycoheNvidia/SONiC/blob/ea7eccf80137d945b1fd2d2980bf693526a22246/doc/ssh_config/ssh_config.md
Please take a look to see how to configure SSH server using the sonic management interface and up the number of MaxAuthTries.
@ycoheNvidia Can you explain why the default was changed from 6 to 3?
@skyblaster, I noticed in your ssh_debug.txt log that you have up to 9 keys SSH will attempt before attempting public key authentication, so I am curious why the default (6) still works for you.
@amazor I don't know why it was changed; the code does not force default values. We based the HLD default values on default openssl values.
I do not see any SSH_SERVER table in config_db by default, so no settings should be updated through the flow created by @ycoheNvidia. Instead, I see it was updated through this PR directly in the build_debian.sh script: https://github.com/sonic-net/sonic-buildimage/pull/17798
These settings were changed "according to Sonic OS review result", as seen in the PR.
Whether or not these configuration changes are "correct" is subjective, but I do believe these settings should be updated using the existing SSH_SERVER policy table in config_db rather than hardcoding them when building debians.
@ycoheNvidia Do you agree? Should I make a PR that updates the config_db.json file to include these "hardened" default values, and removes the hardcoded values from the build_debian.sh script?
Hi @abdosi, What are your thoughts on the changes mentioned above?
Using the instructions at https://sonic.software/ to launch the sonic-vs image in QEMU, SSH fails to connect to master and 202405 builds with the following error:
Comparing the relevant parts of /etc/ssh/sshd_config, it appears that MaxAuthTries is set to too low a value. If I increase this to 6 (the commented value), or remove the line completely, then it is possible to make a connection.
202311 builds:
Master and 202405 builds:
I suspect this is a result of the bump from Debian 11 to 12. It's possible that https://github.com/sonic-net/sonic-host-services/pull/99 contains a fix, but I haven't tested the patches to confirm.
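As an added example (not code from this issue, from SONiC, or from the linked PRs), the following POSIX shell helper shows the interaction the thread is about: it reads the effective MaxAuthTries from an sshd_config excerpt (first uncommented keyword wins, default 6 when absent), counts the identities a client will offer from an ssh -vvv excerpt, and reports whether the password prompt can still be reached, on the assumption that OpenSSH counts every rejected public key as one failed attempt. The sshd_config text, the debug lines and the placeholder fingerprints are constructed for the example; the client-side workaround it prints is the one used earlier in the thread (-o PubkeyAuthentication=no) alongside the narrower IdentitiesOnly=yes form.

```shell
#!/bin/sh
# Added example, not code from the issue or from SONiC.

# Constructed sshd_config excerpt modelled on the thread: the shipped default
# is commented out and a lower value is set below it.
SAMPLE_SSHD_CONFIG='# Authentication:
PermitRootLogin no
#MaxAuthTries 6
MaxAuthTries 3
PasswordAuthentication yes'

# Constructed ssh -vvv excerpt: four identities loaded, server disconnects
# before the password prompt. Fingerprints are placeholders.
SAMPLE_SSH_DEBUG='debug1: Will attempt key: /home/user/.ssh/id_rsa RSA SHA256:PLACEHOLDER1 explicit
debug1: Will attempt key: /home/user/.ssh/id_ecdsa ECDSA SHA256:PLACEHOLDER2 explicit
debug1: Will attempt key: /home/user/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER3 explicit
debug1: Will attempt key: /home/user/.ssh/work_key ED25519 SHA256:PLACEHOLDER4 agent
debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:PLACEHOLDER1 explicit
Received disconnect from 127.0.0.1 port 5555:2: Too many authentication failures'

# effective_max_auth_tries CONFIG_TEXT
# sshd applies the first uncommented MaxAuthTries line and defaults to 6 when
# the keyword is absent; a commented "#MaxAuthTries 6" line is ignored.
effective_max_auth_tries() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "maxauthtries" { print $2; found = 1; exit }
        END { if (!found) print 6 }'
}

# count_offered_keys DEBUG_TEXT
# Each "Will attempt key:" line is an identity the client will try; each one
# the server rejects is counted as a failed attempt against MaxAuthTries.
count_offered_keys() {
    printf '%s\n' "$1" | grep -c 'Will attempt key:' || true
}

# password_reachable KEYS LIMIT
# Returns 0 when the password method can still run after all KEYS public keys
# are rejected, i.e. the failure counter stays strictly below LIMIT.
password_reachable() {
    [ "$1" -lt "$2" ]
}

# diagnose CONFIG_TEXT DEBUG_TEXT
# Prints a one-line verdict; returns 0 when the login can succeed, 1 otherwise.
diagnose() {
    limit=$(effective_max_auth_tries "$1")
    keys=$(count_offered_keys "$2")
    if password_reachable "$keys" "$limit"; then
        echo "ok: $keys keys offered, MaxAuthTries $limit, password prompt reachable"
        return 0
    fi
    echo "fail: $keys keys offered but MaxAuthTries is $limit; sshd disconnects first"
    echo "client workaround: ssh -o PubkeyAuthentication=no ... or ssh -o IdentitiesOnly=yes -i <key> ..."
    return 1
}

# Demonstration run on the constructed sample; a "fail" verdict is expected.
diagnose "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SSH_DEBUG" || true
```

Run it against a real host by substituting the output of `ssh -vvv` and the server's sshd_config; a "fail" verdict means raising MaxAuthTries on the server or limiting the identities the client offers, which is the trade-off the thread discusses.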