No SSH access from external net with putty


#1

I can access SSH with my internet box IP 78.XXXX by using PuTTY when I am at home. So port 22 redirection is OK.

But I can’t access it from an outdoor network. I can access the console and type my login: OSMC
but after that I get this message:

[No supported authentication methods available (server sent public key), keyboard interractive].

Any ideas to solve this problem ?


#2

This seems to be a public key authentication issue.
I bet you will have to use the public key for external access.


#3

Where and how this public key should be configured ?


#4

The OSMC device user (osmc) needs to have the public key from the device you want to connect from added to the ~/.ssh/authorized_keys file.


#5

The user is osmc, not kodi.


#6

Thx. Updated my post :wink:


#7

If I understood correctly, I have to generate a public key on my computer with puttygen, and copy this key to my Raspberry in the .ssh/authorized_keys file.
Can you confirm?


#8

If you are trying to login to the pi, I think you have to generate it there, then copy to the client machine.


#9

He wants to go into his OSMC installation from the outside. So his way is correct.

@Patoche: Yep, that’s right: Just make sure the ownership and mode of the authorized_keys file and the .ssh directory are set correctly, or sshd will ignore these:

osmc@vero4k2:~$ ls -las .ssh
total 12
4 drwx------  2 osmc osmc 4096 Sep 18 09:51 .
4 drwxr-xr-x 10 osmc osmc 4096 Sep 21 17:11 ..
4 -rw-------  1 osmc osmc  397 Sep 18 09:51 authorized_keys

#10

Fine Guys,

I will test in a few days when I am at home.


#11

Thanks, I’ve learned something today too!


#12

BTW - just a thought.
That error message can also show up when ciphers are outdated or incompatible (no matching cipher suite for both sides).
As OSMC is top of the art version/software, using an older PuTTY version could cause that type of error message.
If you download PuTTY again, make sure to download it from the maker's site (no proxy downloaders!).


#13

Tested with last putty version 0.7. Same behavior.


#14

Did you copy the public key onto the OSMC device?
And - are you sure the SSH port is forwarded correctly to the OSMC device? Eventually you are trying to connect to the SSH port, and it goes to the router instead of the OSMC device.
In case your router has NAT enabled, you need to configure a DMZ exception to forward port 22 to your OSMC device. Also, in that case I would install fail2ban to blacklist the password probing attempts.


#15

Just to be clear here, have you amended the SSH daemon’s config file /etc/ssh/sshd_config on OSMC?

If you have, could you show us a copy: paste-log /etc/ssh/sshd_config


#19

See some logs below:

osmc@osmc:~$ ls -las .ssh
total 8
4 drwxr-xr-x 2 root root 4096 Aug 30 2016 .
4 drwxr-xr-x 18 osmc osmc 4096 Oct 29 2017 ..
0 -rw-r--r-- 1 root root 0 Aug 30 2016 authorized_keys
0 -rw-r--r-- 1 root root 0 Aug 30 2016 authorized_keys2
osmc@osmc:~$


sudo nano /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2


osmc@osmc:~$ paste-log /etc/ssh/sshd_config
https://paste.osmc.tv/oragehaveb


#20

I can see that you have modified /etc/sshd_config. Could you explain what you are trying to do, since it’s not clear.


#21

That is wrong.
Issue a:

~# sudo chmod 700 ~osmc/.ssh
~# sudo chmod 600 ~osmc/.ssh/*
~# sudo chown osmc.osmc ~osmc/.ssh -R

The first line makes the .ssh directory of osmc unreadable for any other user.
Line 2 makes all files inside the .ssh directory unreadable for any other user.
Line 3 changes ownership of the entire .ssh directory and files inside to the osmc user.

Then, and only then, will the ssh-daemon take these files into account.
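
The ownership and mode checks discussed in posts #9 and #21, as an added example that is not part of the original thread: a shell audit that applies the test OpenSSH's StrictModes uses (owner is the account or root, no write bit for group or others) to the home directory, .ssh and authorized_keys, and also flags an empty authorized_keys like the zero-byte file in the listing above. It assumes GNU stat, as on Debian-based OSMC; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as on Debian-based OSMC.

# check_path PATH UID: apply sshd's StrictModes test to one path.
check_path() {
    p=$1; uid=$2; rc=0
    [ -e "$p" ] || { echo "MISSING   $p"; return 1; }
    set -- $(stat -c '%u %a' "$p")    # owner uid, octal mode
    owner=$1; mode=$2
    # The owner must be the account itself or root.
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER     $p is owned by uid $owner"; rc=1
    fi
    # Neither group nor others may have write permission (mode & 022 == 0).
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE  $p has mode $mode"; rc=1
    fi
    return $rc
}

# audit_ssh HOME_DIR UID: return 0 only if key login has a chance to work.
audit_ssh() {
    home=$1; uid=$2; bad=0
    keys=$home/.ssh/authorized_keys
    for p in "$home" "$home/.ssh" "$keys"; do
        check_path "$p" "$uid" || bad=1
    done
    # A file that passes the checks but holds no key still offers nothing.
    if [ -f "$keys" ] && [ ! -s "$keys" ]; then
        echo "EMPTY     $keys contains no keys"; bad=1
    fi
    return $bad
}

# Example call: sh audit.sh /home/osmc "$(id -u osmc)"
if [ $# -eq 2 ]; then audit_ssh "$1" "$2"; fi
```

Each reported line names the path and the failed check; no output and exit status 0 mean the three paths pass and at least one key is present.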


#22

sshd_config -> You have removed (commented) too many things here.
sshd will fall back to defaults.
The wrong ownership/mode of the authorized key directory and files will have invalidated whatever you do with the sshd configuration file anyway.

Here is the file from my vero4k2 that you can copy (note, the link will become invalid in 3 days counting from now): https://stargate.solsys.org/short.php?i=ec453fd8
Note - the weak encryption algorithms you could remove, but make sure you can reach your device first using strong encryption.


#23

I have never modified sshd_config, so I don’t know why my files are like this.