Discussion:
Can't get past authenticity of host popup with ssh
Ross Boylan
2015-02-27 19:20:02 UTC
I can ssh from machine A to B as user ross on both, using key-based
login. ssh-agent is running under KDE on A. A is Debian wheezy, B is
Debian squeeze.

However, when I do the following sequence on A:
    sux # change to root with X credentials
    ssh -i /home/ross/.ssh/id_rsa ***@B

A window pops up with the message "The authenticity of host 'xxx'
can't be established.
RSA key fingerprint is YYY.
Are you sure you want to continue connecting (yes/no)?"
The title is "OpenSSH Authentication Passphrase Request" and it has 2
buttons, "OK" and "Cancel".
When I click OK I get a message, in my original terminal,
Host key verification failed.

Clicking cancel doesn't change the result. Operating in a shell from
which I have unset DISPLAY and the SSH_AGENT variables doesn't change
the result (there's no popup, just an immediate verification failure).

I would be very grateful if anyone could explain what's going on and what
I can do to get past this. I have checked permissions of the relevant
files for ross and root on A, and they appear to be in order. On A,
root's .ssh/ has only a known_hosts file.

I have never encountered this popup before; I have only seen the "Are
you sure you want to continue connecting" in the same terminal from
which I ran ssh, and I can reply on the command line. I don't know
where the popup is coming from.

My speculation is that because of the popup all my responses are taken
as "No" for continuing connecting.

I have to run as root for sshuttle.

Thanks.
Ross Boylan
--
To UNSUBSCRIBE, email to debian-user-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Archive: https://lists.debian.org/CAK3NTRDGeWSP6+zyVnx8PzHon+ArM6GPJFw-1xX+***@mail.gmail.com
Ross Boylan
2015-02-27 19:40:02 UTC
By using su instead of sux I eliminated the popup and got past the
host verification. Now that root on A has B in the known_hosts file I
can connect from the sux session as well.

I still do not understand where the popup came from and why it didn't
work. Here's some more info on what ssh was doing during the failed
connection:

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 14:d2:cd:ea:d3:a0:82:5b:25:b8:8d:00:ad:c5:54:68
debug1: checking without port identifier
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: permanently_drop_suid: 0
Host key verification failed.

I think the popup happened after the last debug line above.
Ross

Bob Proulx
2015-02-28 23:40:01 UTC
Post by Ross Boylan
> I can ssh from machine A to B as user ross on both, using key-based
> login. ssh-agent is running under KDE on A. A is Debian wheezy, B is
> Debian squeeze.
> sux # change to root with X credentials
> A window pops up with the message "The authenticity of host 'xxx'
> can't be established.
> RSA key fingerprint is YYY.
> Are you sure you want to continue connecting (yes/no)?"
> The title is "OpenSSH Authentication Passphrase Request" and it has 2
> buttons, "OK" and "Cancel".
> When I click OK I get a message, in my original terminal,
> Host key verification failed.

I think there must be a problem/confusion in there surrounding the
$HOME at that time. I suggest double checking $HOME/.ssh/known_hosts
for every possible value of $HOME that you can postulate. Maybe that
will turn up something.

Post by Ross Boylan
> Clicking cancel doesn't change the result. Operating in a shell from
> which I have unset DISPLAY and the SSH_AGENT variables doesn't change
> the result (there's no popup, just an immediate verification failure).

Try it with the idea that $HOME isn't correctly as expected. Using
the command 'printenv HOME' can be useful because it avoids $HOME
being expanded by the shell and will expand the actual value of it at
that later time just like the real program.

Post by Ross Boylan
> I would be very grateful if anyone could explain what's going on and what
> I can do to get past this. I have checked permissions of the relevant
> files for ross and root on A, and they appear to be in order. On A,
> root's .ssh/ has only a known_hosts file.

You are using sux which I never use. I am unfamiliar with the details
and the details are what is needed to understand what is happening.

If you sux a terminal (xterm or other) instead of an ssh what do you
get for $HOME? In that terminal if you ssh to the remote host what do
you get? (Unset DISPLAY to avoid the dialog and force in terminal
errors if you get one.) I would also check and possibly unset
SSH_ASKPASS too.

I suspect that when you sux a terminal something will be different
from what you expect.

Post by Ross Boylan
> I have never encountered this popup before; I have only seen the "Are
> you sure you want to continue connecting" in the same terminal from
> which I ran ssh, and I can reply on the command line. I don't know
> where the popup is coming from.

It sounds to me like this popup is part of KDE. I have seen both KDE
and GNOME try to encapsulate ssh like this before.

Post by Ross Boylan
> My speculation is that because of the popup all my responses are taken
> as "No" for continuing connecting.
> I have to run as root for sshuttle.

If you sux a terminal then you will be root. Then use that shell to
understand what is happening.

Personally I would simply su or sudo in a regular terminal. I don't
see a need to use sux for this. But each to their own. However you
might try that in this case in order to probe the edges of the box.

    su - (or sudo -s, or sudo su -, or whatever)
    ssh ...

Post by Ross Boylan
> By using su instead of sux I eliminated the popup and got past the
> host verification. Now that root on A has B in the known_hosts file I
> can connect from the sux session as well.

Oh! I see you got past this but it took me so long to reply that I
decided to leave the above in my mail anyway.

Post by Ross Boylan
> I still do not understand where the popup came from and why it didn't
> work. Here's some more info on what ssh was doing during the failed
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Server host key: RSA 14:d2:cd:ea:d3:a0:82:5b:25:b8:8d:00:ad:c5:54:68
> debug1: checking without port identifier
> debug1: read_passphrase: can't open /dev/tty: No such device or address
> debug1: permanently_drop_suid: 0
> Host key verification failed.
> I think the popup happened after the last debug line above.

If the host key verification failed then it is because one of the
host key files /etc/ssh/ssh_known_hosts or $HOME/.ssh/known_hosts
doesn't contain the current key or doesn't match the current key. You
likely do not have /etc/ssh/ssh_known_hosts, therefore I suspect that
$HOME isn't what you think it is at that moment due to sux setting it
differently from what you expect.

Bob
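
The check suggested in the reply above (look in known_hosts under every plausible home directory), as an added example that is not code from the thread: it lists the system file plus the known_hosts under both $HOME and the passwd home of the effective uid, and looks up a host in each, including hashed `|1|salt|mac` entries. The function names, host names, keys and salt are constructed for illustration.

```python
import base64, hashlib, hmac, os, pathlib, pwd

def hashed_name(host, salt):
    """The |1|salt|mac form ssh writes when HashKnownHosts is enabled."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def entry_matches(field, host):
    """True if the first field of a known_hosts line names `host`."""
    parts = field.split("|")
    if field.startswith("|1|") and len(parts) == 4:
        return hmac.compare_digest(field, hashed_name(host, base64.b64decode(parts[2])))
    return host in field.split(",")  # plain names only; wildcard patterns are not expanded

def keys_for_host(text, host):
    """(keytype, key) pairs recorded for `host`; '#' comments and '@' marker lines are skipped."""
    rows = (line.split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows
            if len(f) >= 3 and f[0][0] not in "#@" and entry_matches(f[0], host)]

def candidate_files(env=os.environ):
    """The system file plus known_hosts under each home this process could be using."""
    homes = {env.get("HOME")}
    try:
        homes.add(pwd.getpwuid(os.geteuid()).pw_dir)  # home from the passwd database
    except KeyError:
        pass  # this uid has no passwd entry
    return ["/etc/ssh/ssh_known_hosts"] + sorted(
        os.path.join(h, ".ssh", "known_hosts") for h in homes if h)

def report(host, env=os.environ):
    rows = []
    for path in candidate_files(env):
        try:
            rows.append((path, keys_for_host(pathlib.Path(path).read_text(), host)))
        except OSError as exc:  # missing or unreadable file: report why
            rows.append((path, exc.strerror))
    return rows

# Constructed sample: one plain entry, one hashed entry, one @revoked marker line.
SAMPLE = "\n".join([
    "hosta.example,192.0.2.10 ssh-rsa AAAAB3ConstructedKeyA",
    hashed_name("hostb.example", b"constructed-salt-020") + " ssh-rsa AAAAB3ConstructedKeyB",
    "@revoked hostc.example ssh-rsa AAAAB3ConstructedKeyC",
])

if __name__ == "__main__":
    print(*report("hostb.example"), sep="\n")
```

Run it once from the ordinary root shell and once from the sux session; a different file list or a missing entry in one of them shows which known_hosts that session is actually reading.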
