RSA key problem with IdentityFile in .config/ssh/config

Post by jmarks »

Hello, All
I have an RSA key pair with a non-standard name: rsa_id_1 for my TS-659 to ssh into my TVS-672N.
When specified explicitly with -i in the ssh command, the key works

Code:

# ssh -i  ~/.ssh/id_rsa_1 admin@192.168.4.2
# 

The TS-659 successfully ssh's into the other QNAP without a password request.

Next, I made a config file in root's ~/.ssh directory, which should remove the need to include the non-standard key in the ssh command:

Code:

Host 192.168.4.2
	HostName 192.168.4.2
	IdentityFile /mnt/HDA_ROOT/.config/ssh/id_rsa_1

However,

Code:

ssh -vv admin@192.168.4.2

results in

Code:

 .
 .
 .
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:qy7KGHc1Zv353JW6SHKDaW6uWrtWI/x4doDHP9xsn8U /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive

which means this config file was either not seen, or the path to the key in the config file is incorrect.

The same thing happens if the path to the IdentityFile is

Code:

IdentityFile /root/.ssh/id_rsa_1

Have I specified the IdentityFile path incorrectly? Or is /mnt/HDA_ROOT/.config/ssh/config not being seen by the ssh command? If not, is it in the wrong location?

Any help would be very much appreciated.
Many thanks!
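
Added example, not part of the original posts: the two explanations raised above (config file not seen, or its key not used) can be told apart from the ssh -vv output itself, because the OpenSSH client logs each configuration file it reads and each Host block it applies. The sample log is constructed, and the path /root/.ssh/config, the function names and the verdict strings are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Capture the debug stream with:
#   ssh -vv admin@192.168.4.2 2>ssh-debug.log

# diagnose_ssh_log CONFIG_PATH KEY_PATH < log   -> prints one verdict:
#   config-not-read      ssh never logged reading CONFIG_PATH
#   no-host-block-match  file was read, but no Host/Match block in it applied
#   key-not-tried        a block applied, yet KEY_PATH was never offered/tried
#   key-tried            KEY_PATH was offered to the server or tried
diagnose_ssh_log() {
    awk -v cfg="$1" -v key="$2" '
        $1 != "debug1:" { next }
        # "debug1: Reading configuration data <path>"
        $2 == "Reading" && $3 == "configuration" && $NF == cfg { seen = 1 }
        # "debug1: <path> line N: Applying options for <pattern>"
        $2 == cfg && /Applying options for/ { applied = 1 }
        # "Offering public key: ..." / "Trying private key: ..."; the path
        # position differs between OpenSSH versions, so scan every field.
        $2 == "Offering" || $2 == "Trying" {
            for (i = 3; i <= NF; i++) if ($i == key) tried = 1
        }
        END {
            if (!seen)         print "config-not-read"
            else if (!applied) print "no-host-block-match"
            else if (!tried)   print "key-not-tried"
            else               print "key-tried"
        }'
}

# keys_attempted < log  -> one key path per line, in the order ssh used them
keys_attempted() {
    awk '$1 == "debug1:" && ($2 == "Offering" || $2 == "Trying") {
             for (i = 3; i <= NF; i++) if ($i ~ /^\//) print $i
         }'
}

# Constructed sample: same shape as the excerpt in the post, with the
# fingerprint replaced by a placeholder and a constructed system-config line.
sample_log() {
    cat <<'EOF'
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Offering public key: RSA SHA256:PLACEHOLDER /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
EOF
}

sample_log | diagnose_ssh_log /root/.ssh/config /root/.ssh/id_rsa_1
```

On clients whose ssh supports the -G option, ssh -G 192.168.4.2 prints the effective identityfile entries for that host without connecting.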

Post by Briain »

Hi

Here are a couple of thoughts from a complete amateur in this area. I don't know if anything below will fix the issue as I've not had time to try them, but hey, even if not, maybe one of them will help inspire further thoughts, eventually leading towards the 'proper' solution? :wink:

I'm no expert in this area and I've never used the IdentityFile to make an 'alias' key name work, but I was thinking about this last night (and planning to play with it over the weekend, if time permitted) and because I have 'played' with another aspect of keys in the past, it struck me that perhaps there were options commented out in the main config file, so I had a look at /etc/ssh/ssh_config but there were no IdentityFile lines mentioned in there (so likely not, I thought) then this morning, it occurred to me to look at my Debian laptop's own /etc/ssh/sshd_config file and I see that it does contain the below lines (though obviously, as you can see from the below they are commented out as you'd normally put changes into the per-user configuration file):

# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519

Odd that they're not also listed in the default Qnap file; I wonder why that's the case?

Anyhow, back to the user file in ~/.ssh/ and apologies if you've already tried this - and as I say, I'm a complete 'ham' in this area - but I note you mentioned that you'd made a [new?] config file in root's ~/.ssh directory, whereas I see that within my own Qnap's (a TS-453A) ~/.ssh/ directory, I already have a file called sshd_user_config residing in there (which I didn't 'knowingly' create; I guess it could have been 'system created' when I recently enabled a second SSH user via the GUI, or perhaps it is only for the user list and not the overall 'per-user configuration file' variations to the main /etc/ssh/sshd_conf file) but if that file didn't already exist on your own NAS, I wonder if you'd named your new file as 'sshd_user_config' or just 'sshd_config' (and if the latter - and that file doesn't already exist - maybe you could try renaming your new config file to 'sshd_user_config' and see if that works)? Again, apologies if these are all things that you've already tried (or if I am incorrect in assuming that sshd_user_config is for anything more than just containing the access control list; I've not yet had time to take a deeper dive into how this should all be done).

If none of the above tricks work, I wonder whether adding the IdentityFile line into the /etc/ssh/sshd_config file might work (though I've not checked whether changing that one will survive a reboot)? As I say, it's now something I do plan to play with in the future (just to enhance my own knowledge) but as I don't have any free time at the moment, I just thought I'd chuck a few wild ideas up here in case any of them worked (or if not, they might trigger other ideas that could be worth experimenting with)?

All the best,
Briain
TS-119, 1 X Seagate ~~ TS-219, 2 X Seagate (R1) ~~ TS-453A, 2 X 3 TB WD Red (R1) ~~ TS-659, 5 X 1 TB Hitachi Enterprise (R6)
APC Smart-UPS 750

Post by Briain »

PS I've not yet had time to create bespoke named keys and try entering the IdentityFile into ~/.ssh/sshd_user_config (to find out whether that's even the correct place, or whether that file is purely for containing the access control list) but I did try adding a commented out line to /etc/ssh/sshd_config and as I'd feared, the change did not survive a reboot.

I've been using ed25519 keys for a while and had always planned to tidy things up by removing the old RSA keys from the Qnap, so when time permits, I'll do that and then I'll try creating bespoke named RSA keys and seeing if I can get an IdentityFile entry to work for myself (sorry, but unfortunately I don't know when I'll be able to find time for such fun experimentation).

Bri

PS Just a quick thought; does anything else change when an entry is put into your [~/.ssh/ located] user specific config file (like changing the SSH port, or the likes) as if so, that would at least prove that the Qnap is 'referring' to that custom file (indicating that it's instead a problem with the IdentityFile aspect of things)? If I get some time later, I'll maybe try that on my one.

Post by Briain »

Perhaps some progress...

On that last comment (about making another change to your custom file) I just 'tackled it from the other direction' and wondering where the GUI related change would be recorded, I just changed the SSH port (to 11111) via the Qnap web interface. I then logged in (successfully) using 'ssh -p 11111 admin@coll' and after navigating to ~/.ssh, I see that doing so has resulted in the creation of a new file called sshd_config (I definitely didn't have that file in there before), the contents of which can be seen below:

[~/.ssh] # cat sshd_config
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
AllowTcpForwarding no
AllowUsers admin

Interesting that the Qnap created that new ~/.ssh/sshd_config file (so I was wrong about using sshd_user_config; that looks to be only used for an access control list) but curiously, the change from port 22 to port 11111 isn't appended to that new file, so maybe there's yet another 'bespoke' configuration file lurking somewhere else? That makes me wonder if another change is made (somewhere else) to facilitate pointing that newly created file, so I wonder if it's worth deleting your own ~/.ssh/sshd_config file, then changing the port via the GUI to thus force the Qnap into creating that new file, then adding your custom IdentityFile lines into that Qnap created file and giving it another try?

Time to make dinner and drink some beer, but I'll hopefully get back on the case tomorrow. ;-)

Bri

Post by jmarks »

Thanks so much for your interest and help.
I have looked through doc after doc and all say the same thing: ssh details contained within sshd_config are trumped by ~/.ssh/config which are trumped by ssh commands on the command line.
I created a file named config in the /.ssh folder of the admin's home directory <root>/root/.ssh (which links to /mnt/HDA_ROOT/.config/ssh/config) and entered only the host-specific details that are different from the default, with permissions set to 0700.

Code:

Host 192.168.4.2
     HostName 192.168.4.2
     IdentityFile rsa_id_1

Host *

Because the ssh log does not mention trying this key, I can only conclude that I have saved the file in the wrong location. Or something with the permissions or the file contents.

Not to worry. I have found an elegant workaround:
I am using this key pair for Borg backup, and there is an environment variable in Borg in which I can store the path to the correct rsa key in an ssh command with the -i switch.

So, problem worked around, but light has not been shed on how to fix the problem itself.
Good enough for me!
Perhaps some kind, long-suffering expert (like @schumaku (although he is MIA)) will take pity and explain.

Post by Briain »

Ha, ha; Kurt is now probably far too busy laughing his socks off at my 'hammish' attempts (hey, I'm an old radio hacker, not a NAS hacker) at figuring out what's going on and he's probably cringing at my definition of the word 'help', but when his chuckles have subsided, he might indeed respond (PS Hi Kurt; hope you're doing well). ;-) I'm still mighty curious to find out if changing the port (via the GUI) and thus auto-creating that sshd_config file, then populating that file with the custom bits might just work, so hopefully I'll soon obtain some time to experiment with all that stuff myself (it's now hyper-piqued my curiosity, so if I get anywhere at all vaguely interesting - or even if I don't - I'll update this thread).

All the best and have an absolutely great evening!
Briain

PS On the beer front, I instead elected to have a [very] large gin and tonic whilst making the dinner and I'm now rinsing all that down with a small(ish) glass of Rioja, so I'd probably better not be faffing about with SSH any more this evening (that said, I could always enable telnet to get myself out of the mess, but all such nefariousness is maybe best left until the morning pot of coffee has first been consumed). :-D