1

The issue: Even though I've set up AuthorizedKeysCommand and disabled password authentication, when I attempt to log in from my Mac I am still being asked to enter the password:

OS: Rocky Linux 9.2

OpenSSH version on the server: OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:g7nyjiJifRo58tqXivGLTyxst7KP207XMKj3mNS3z4z
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/user/.ssh/id_ecdsa
debug1: Trying private key: /Users/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/user/.ssh/id_ed25519
debug1: Trying private key: /Users/user/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/user/.ssh/id_xmss
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
(user@192.168.169.170) Password:

Here is the /etc/ssh/sshd_config:


# General SSH settings
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Specify the protocol versions
Protocol 2

# HostKeys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication settings

# Disable root login
PermitRootLogin no

# Use public key authentication
PubkeyAuthentication yes

# Local file to check for public keys (optional, as we use AuthorizedKeysCommand)
#AuthorizedKeysFile .ssh/authorized_keys

# Use the script to fetch keys from GitLab repo
AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh %u
AuthorizedKeysCommandUser root

# ignore existing authorized_keys files by default
AuthorizedKeysFile /dev/null

# Disable password authentication as requested
PasswordAuthentication no

# Other settings for best practices
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
TCPKeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 33

# Subsystem for SFTP
Subsystem sftp /usr/libexec/openssh/sftp-server

Here is the script that fetches the public key(s) from GitLab:

#!/bin/bash

# Check for required username argument
if [[ -z "$1" ]]; then
  >&2 echo "Username required."
  exit 1
fi

# Environment variables for configuration
TOKEN="GitLab-access-token"
PROJECT_ID="123"
GITLAB_BASE_URL="https://gitlab.mygitlab.tld/api/v4/projects"
USERNAME="$1"

# Complete URL to the user's public key file
USER_KEY_URL="${GITLAB_BASE_URL}/${PROJECT_ID}/repository/files/${USERNAME}%2Epub/raw?ref=main"

# Use curl with the token to fetch the public key from the URL
RESPONSE=$(curl --header "Private-Token: $TOKEN" --silent --fail --write-out "HTTPSTATUS:%{http_code}" "$USER_KEY_URL")

# The status code is appended to the body by --write-out; strip everything before it
HTTP_STATUS=$(echo "$RESPONSE" | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')

# Output only the SSH key to stdout
if [ "$HTTP_STATUS" == "200" ]; then
  echo "$RESPONSE" | sed -e 's/HTTPSTATUS:.*//g'
else
  >&2 echo "Failed to fetch keys with status code $HTTP_STATUS"
  exit 1
fi

This is what I see if I execute "journalctl -u sshd -n 50":

Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: main: sshd: ssh-rsa algorithm is disabled
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: User user authorized keys /dev/null is not a regular file
Aug 16 03:46:12 ssh-target-1-srv sshd[3840]: AuthorizedKeysCommand /usr/local/bin/fetch_gitlab_keys.sh user failed, status 1
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: Accepted keyboard-interactive/pam for user from 192.168.50.175 port 51277 ssh2
Aug 16 03:46:20 ssh-target-1-srv sshd[3840]: pam_unix(sshd:session): session opened for user user(uid=1001) by (uid=0)

I've tested the Bash script manually via cURL and it fetches the public key from the GitLab repository just fine, exactly as it should. I've also manually executed the Bash script and the output contained the public key of the user, exactly as it is on my Mac. To clarify, I am doing the tests from my Mac and authenticating with the Mac's public key.

I cannot disable PAM, because I see in the logs that it is not well supported on Rocky Linux. Any idea why this password prompt for the UNIX user still happens? Does PAM fall back to the password?

I've modified the Bash script to redirect errors in a file /tmp/fetch_gitlab_keys.log:

Wed Aug 16 03:46:12 AM EDT 2023 - Curl output: 000
Wed Aug 16 03:46:12 AM EDT 2023 - Failed to fetch keys with status code 000

The OS has SELinux, which I've disabled, and that makes zero difference.
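A status of 000 in the script's log is curl reporting that it never received an HTTP response at all (name resolution, proxy, TLS or network failure), not an error from GitLab, and sshd discards the command's stderr, so the journal only shows "failed, status 1". The script below is an added example, not the script from the question: the same GitLab raw-file endpoint and "<user>.pub on branch main" layout, but with a transport failure separated from an HTTP error by distinct exit codes (which sshd prints verbatim), with only bare public-key lines passed on to sshd so that a tampered repository file cannot smuggle in authorized_keys options such as command= or from=, and with the token read from a file instead of the script body. The token file path and the defaults for GITLAB_BASE_URL and PROJECT_ID are placeholders, not values from the question.

```shell
#!/usr/bin/env bash
# Hardened AuthorizedKeysCommand fetcher for keys kept in a GitLab repository.
# Added example, not the script from the question. Placeholders (assumed):
# TOKEN_FILE, and the defaults of GITLAB_BASE_URL and PROJECT_ID.

GITLAB_BASE_URL="${GITLAB_BASE_URL:-https://gitlab.mygitlab.tld/api/v4/projects}"
PROJECT_ID="${PROJECT_ID:-123}"
TOKEN_FILE="${TOKEN_FILE:-/etc/ssh/gitlab_keys.token}"   # assumed path; create it root-only, mode 0600

# status_of / body_of split curl output as fetch_raw formats it:
# the body, then one final line "HTTPSTATUS:<code>".
status_of() { printf '%s\n' "$1" | sed -n '$s/^HTTPSTATUS://p'; }
body_of()   { printf '%s\n' "$1" | sed '$d'; }

# Keep only lines of the form "<keytype> <base64> [comment]". Blank lines,
# comments, option-prefixed lines and DSA keys are dropped on purpose.
filter_keys() {
    grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,3}( [^[:cntrl:]]*)?$'
}

# Turn a raw curl result into what sshd reads on stdin. Each failure has its
# own non-zero return, which the journal shows as "... failed, status N".
keys_from_response() {
    local raw="$1" status body keys
    status=$(status_of "$raw")
    case "$status" in
        200) ;;
        000|'')
            echo "no HTTP response from GitLab (http_code 000): DNS, proxy, TLS or network problem in the environment sshd runs this script in" >&2
            return 2 ;;
        *)
            echo "GitLab returned HTTP $status (no key file for this user, or bad token)" >&2
            return 3 ;;
    esac
    body=$(body_of "$raw")
    keys=$(printf '%s\n' "$body" | filter_keys) || true
    if [ -z "$keys" ]; then
        echo "key file fetched but it contains no well-formed public key line" >&2
        return 4
    fi
    printf '%s\n' "$keys"
}

fetch_raw() {
    local user="$1" token="$2"
    # No --fail: we want the real status code, and a 4xx body is not a key anyway.
    # The leading "\n" in --write-out puts the status on a line of its own.
    curl --silent --max-time 10 \
         --header "Private-Token: ${token}" \
         --write-out '\nHTTPSTATUS:%{http_code}' \
         "${GITLAB_BASE_URL}/${PROJECT_ID}/repository/files/${user}%2Epub/raw?ref=main"
}

main() {
    local user="${1:-}" token raw
    [ -n "$user" ] || { echo "usage: $0 <username>" >&2; return 1; }
    # %u is a real account name by the time sshd calls us, but it also becomes
    # part of a URL path, so refuse anything that could alter that path.
    case "$user" in
        .*|*[!A-Za-z0-9._-]*) echo "refusing username '$user'" >&2; return 1 ;;
    esac
    token=$(cat "$TOKEN_FILE" 2>/dev/null) && [ -n "$token" ] \
        || { echo "cannot read token from $TOKEN_FILE" >&2; return 1; }
    raw=$(fetch_raw "$user" "$token")   # curl's own exit code is ignored; the status line decides
    keys_from_response "$raw"
}

# sshd invokes the script with %u as its argument; with no arguments (e.g. when
# sourced for testing) nothing runs.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Install it with the same AuthorizedKeysCommand line as in the question, then run it by hand as the AuthorizedKeysCommandUser and compare the exit code with the "status N" sshd logs: 2 means curl could not reach GitLab from sshd's environment, 3 an HTTP error, 4 a file with nothing that looks like a key.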

1 Answer

2

You may have missed AuthenticationMethods in /etc/ssh/sshd_config, which (as a rule) has a default value of "any", meaning that the next auth method is offered until one succeeds.

Try specifying: AuthenticationMethods publickey to enable only this preferred method.

You can see the default state of the sshd daemon's auth* parameters with the following command:

$ sudo sshd -T | grep auth