Ssh connection by password by wan

iamguruman · November 18, 2019, 11:02pm

Hello

Im trying to cconect ssh from wan to openwrt

Traffic rule port 22 is accepted: https://prnt.sc/pys9f4
Password auth is switched on https://prnt.sc/pys9mh

Can I connect via ssh wan without key?..

p.s. debug ssh -vvv host:


MacBook-Air-Aleksej-2:~ UserUserUser$ ssh -vvv 192.168.0.57
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.0.57 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.0.57 [192.168.0.57] port 22.
debug1: Connection established.
debug1: identity file /Users/UserUserUser/.ssh/id_rsa type -1
debug1: identity file /Users/UserUserUser/.ssh/id_rsa-cert type -1
debug1: identity file /Users/UserUserUser/.ssh/id_dsa type -1
debug1: identity file /Users/UserUserUser/.ssh/id_dsa-cert type -1
debug1: identity file /Users/UserUserUser/.ssh/id_ecdsa type -1
debug1: identity file /Users/UserUserUser/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/UserUserUser/.ssh/id_ed25519 type -1
debug1: identity file /Users/UserUserUser/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/UserUserUser/.ssh/id_xmss type -1
debug1: identity file /Users/UserUserUser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: no match: dropbear
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.0.57:22 as 'UserUserUser'
debug3: hostkeys_foreach: reading file "/Users/UserUserUser/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/UserUserUser/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from 192.168.0.57
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:QG0tz5LMjjQmy6Xzgmi500bOEfvWg5F90Ju2TjXWUjw
debug3: hostkeys_foreach: reading file "/Users/UserUserUser/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/UserUserUser/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from 192.168.0.57
debug1: Host '192.168.0.57' is known and matches the RSA host key.
debug1: Found key in /Users/UserUserUser/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /Users/UserUserUser/.ssh/id_rsa (0x0)
debug2: key: /Users/UserUserUser/.ssh/id_dsa (0x0)
debug2: key: /Users/UserUserUser/.ssh/id_ecdsa (0x0)
debug2: key: /Users/UserUserUser/.ssh/id_ed25519 (0x0)
debug2: key: /Users/UserUserUser/.ssh/id_xmss (0x0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/UserUserUser/.ssh/id_rsa
debug3: no such identity: /Users/UserUserUser/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /Users/UserUserUser/.ssh/id_dsa
debug3: no such identity: /Users/UserUserUser/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/UserUserUser/.ssh/id_ecdsa
debug3: no such identity: /Users/UserUserUser/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/UserUserUser/.ssh/id_ed25519
debug3: no such identity: /Users/UserUserUser/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /Users/UserUserUser/.ssh/id_xmss
debug3: no such identity: /Users/UserUserUser/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
UserUserUser@192.168.0.57's password: 
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
UserUserUser@192.168.0.57's password:

trendy · November 19, 2019, 12:06am

better try this:
ssh root@192.168.0.57

orangepizza · November 19, 2019, 12:14am

192.168.0.57 is LAN address. where you try to access router from?

eduperez · November 19, 2019, 12:18am

Yes, exactly: you are trying to use your Mac's "UserUserUser" username on the router.

iamguruman · November 19, 2019, 1:25am

I generate ssh-key and connected well,
but i dont understand how to connect without key

jeff · November 19, 2019, 1:31am

Does the user exist?

Does the user have a valid password with a valid password-change date in /etc/shadow?
(Using the passwd command should have done this.)

trendy · November 19, 2019, 8:42am

From man ssh_config

 PreferredAuthentications

         Specifies the order in which the client should try authentication methods.  This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g.
         password).  The default is:

               gssapi-with-mic,hostbased,publickey,
               keyboard-interactive,password

h8red · November 19, 2019, 3:34pm

Is PasswordAuth in /etc/config/dropbear is on?

config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'off'
	option Port         '22'

mk24 · November 19, 2019, 3:49pm

By default, the only user defined in an OpenWrt system is root. You must tell the SSH client to log in to the remote system as user "root". This is done either with the root@host construct or the -l root option to the ssh client.

If you try to use a different user the password will always be wrong. For security, ssh does not tell the client that a user does not exist since that would allow a hacker to probe for extant user names.

trendy · November 19, 2019, 3:49pm

It is on for non-root, but if you have not configured other users there is only root available to connect, for whom it is not allowed.