Error while adding tunnel - ssh unable to authenticate

I have an AWS EC2 instance with Ubuntu running the server. I have attempted to add a tunnel on a local Ubuntu and Windows client, resulting in the same error.

tunnelThing

2022/08/16 05:48:03 SyncTunnels
2022/08/16 05:48:03 New tunnel nothing.z0m0s.com
2022/08/16 05:48:03 BoreTunnel nothing.z0m0s.com
2022/08/16 05:48:08 BoreTunnel error:  Failed to dial: %!(EXTRA *errors.errorString=ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain)

This is the server output when trying to connect to the tunnel.

2022/08/17 03:55:10 dial tcp 127.0.0.1:40315: connect: connection refused

I tried downgrading from OpenSSH 8.9 to 8.4 as someone in a post suggested this worked, but still get the same error.

I tried connecting manually with the tunnel private key using this command:

ssh -v -i id_rsa -R 127.0.0.1:40315:127.0.0.1:3000 ubuntu@nothing.z0m0s.com

output:

debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
debug1: Authentication succeeded (publickey).
Authenticated to nothing.z0m0s.com ([3.91.155.121]:22).
debug1: Remote connections from 127.0.0.1:40315 forwarded to local address 127.0.0.1:3000
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: ENABLE_VIRTUAL_TERMINAL_INPUT is supported. Reading the VTSequence from console
debug1: ENABLE_VIRTUAL_TERMINAL_PROCESSING is supported. Console supports the ansi parsing
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:2: key options: agent-forwarding command permitopen permitlisten port-forwarding pty user-rc x11-forwarding
debug1: remote forward success for: listen 127.0.0.1:40315, connect 127.0.0.1:3000
debug1: All remote forwarding requests processed
This key permits tunnels only
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to nothing.z0m0s.com closed.
Transferred: sent 2216, received 2788 bytes, in 0.5 seconds
Bytes per second: sent 4166.5, received 5241.9
debug1: Exit status 0

I don’t know if this is the output I am looking for cause I am a bit clueless on all this, but it looks good to me.

Any ideas?

Hey,

I am facing a similar issue with Ubuntu 22.04. The results from the auth.log helped me identify the issue.

I was not so happy with the problem since BoringProxy does not support SHA2.

no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]

The other log to watch for is:

Aug 17 18:08:40 boringproxy-server sshd[1895]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Aug 17 18:08:40 boringproxy-server sshd[1895]: Connection closed by authenticating user root 10.0.0.1 port 51418 [preauth]

I got it to work by updating my sshd_config on the boringproxy server with the following:

PermitRootLogin yes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
HostKeyAlgorithms=ssh-rsa,ssh-rsa-cert-v01@openssh.com
PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com

I hope they update the ssh soon. There is a PR already awaiting merging.

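An added example, not part of the original posts or of boringproxy's code: a shell function that reads auth.log lines and reports, for each of the two failures quoted above, which sshd_config directive governs it and what the client asked for. The function names, the output format and the last sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: map sshd pre-auth negotiation failures in auth.log to the
# sshd_config directive that governs each one. Reads log lines on stdin.

classify_sshd_failures() {
  awk '
    # No shared key exchange method; sshd logs what the client offered.
    /no matching key exchange method found/ {
      offer = $0
      sub(/.*Their offer: /, "", offer)
      sub(/ \[preauth\].*$/, "", offer)
      n = split(offer, m, ",")
      sha1_only = "yes"
      for (i = 1; i <= n; i++) if (m[i] !~ /-sha1$/) sha1_only = "no"
      out = "KexAlgorithms sha1_only=" sha1_only " offer=" offer
      if (!seen[out]++) print out   # report each distinct finding once
    }
    # Client signed with a public key algorithm the server does not accept.
    /userauth_pubkey: key type .* not in PubkeyAcceptedAlgorithms/ {
      alg = $0
      sub(/.*userauth_pubkey: key type /, "", alg)
      sub(/ not in PubkeyAcceptedAlgorithms.*$/, "", alg)
      out = "PubkeyAcceptedAlgorithms rejected=" alg
      if (!seen[out]++) print out
    }
  '
}

# Sample input: the log lines quoted in the post, plus one constructed
# unrelated line (the last one) that must be ignored.
sample_log() {
  cat <<'EOF'
no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
Aug 17 18:08:40 boringproxy-server sshd[1895]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Aug 17 18:08:40 boringproxy-server sshd[1895]: Connection closed by authenticating user root 10.0.0.1 port 51418 [preauth]
Aug 17 18:09:02 boringproxy-server sshd[1901]: Connection closed by 10.0.0.1 port 51420 [preauth]
EOF
}

sample_log | classify_sshd_failures
```

On the server, `classify_sshd_failures < /var/log/auth.log` shows which of the directives in the posted config a given client actually triggers, so only those need relaxing.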

It worked. Thank you!


Just wanted to chime in that I’m hoping to get that PR merged soon. Been a busy summer but I should have more time for boringproxy coming up.
