docker-fail2ban
ssh-add does not work properly
Behaviour
Steps to reproduce this issue
- Have an actionstart contain ssh-add (to ban on the router)
- Have actionban contain ssh
- Permission denied due to: read_passphrase: can't open /dev/tty: No such device or address
Expected behaviour
The identity should be properly added, and ssh should read the passphrase.
Actual behaviour
ssh does not read the passphrase.
Configuration
- Docker version (type docker --version): Docker version 20.10.12, build e91ed57
- Docker compose version if applicable (type docker-compose --version): docker-compose version 1.29.2
- Platform (Debian 9, Ubuntu 18.04, ...): Debian 11
- System info (type uname -a): Linux <REDACTED> 5.10.0-10-arm64 #1 SMP Debian 5.10.84-1 (2021-12-08) aarch64 GNU/Linux
- Include all necessary configuration files: docker-compose.yml, .env, ...
Relevant docker-compose.yml
services:
  fail2ban:
    image: crazymax/fail2ban
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ${DOCKERCONFIG}/fail2ban/data:/data
      - ${DOCKERCONFIG}/fail2ban/extra/pfsense_rpi:/extra/pfsense_rpi
      - ${DOCKERCONFIG}/fail2ban/extra/known_hosts:/root/.ssh/known_hosts
      - /var/log/docker:/var/log/docker
    environment:
      TZ: ${TZ}
/data/action.d/pfsense
####### Run the ssh command once with /root/known_hosts empty, otherwise it fails!
[Definition]
actionstart = echo -e '#!/bin/sh\necho PASSPHRASE' > /tmp/echo_passphrase
              chmod 700 /tmp/echo_passphrase
              export SSH_ASKPASS_REQUIRE="force"
              export SSH_ASKPASS="/tmp/echo_passphrase"
              ssh-agent /bin/sh -c 'ssh-add /extra/pfsense_rpi'
              rm /tmp/echo_passphrase
actionstop = ssh-agent /bin/sh -c 'ssh-add -D'
actionban = ssh -v -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule block wan <ip>
actionunban = ssh -v -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule unblock wan <ip>
[Init]
protocol = tcp
actiontype =
I am trying to use ssh-add because deciphering the private key every time is pretty time-consuming.
Note that this action works and correctly bans <ip> on the PFSense router.
####### Run the ssh command once with /root/known_hosts empty, otherwise it fails!
[Definition]
actionban = echo -e '#!/bin/sh\necho PASSPHRASE' > /tmp/echo_passphrase
            chmod 700 /tmp/echo_passphrase
            export SSH_ASKPASS_REQUIRE="force"
            export SSH_ASKPASS="/tmp/echo_passphrase"
            ssh -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule block wan <ip>
            rm /tmp/echo_passphrase
actionunban = echo -e '#!/bin/sh\necho PASSPHRASE' > /tmp/echo_passphrase
              chmod 700 /tmp/echo_passphrase
              export SSH_ASKPASS_REQUIRE="force"
              export SSH_ASKPASS="/tmp/echo_passphrase"
              ssh -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule unblock wan <ip>
              rm /tmp/echo_passphrase
[Init]
protocol = tcp
actiontype =
but in my opinion it takes too long.
Docker info
Client:
Context: default
Debug Mode: false
Server:
Containers: 37
Running: 36
Paused: 0
Stopped: 1
Images: 34
Server Version: 20.10.12
Storage Driver: fuse-overlayfs
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc version: v1.0.2-0-g52b36a2d
init version: de40ad0
Security Options:
seccomp
Profile: default
rootless
cgroupns
Kernel Version: 5.10.0-10-arm64
Operating System: Debian GNU/Linux 11 (bullseye)
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 7.627GiB
Name: <REDACTED>
ID: JEXP:SIXA:6AG6:CMB3:C6XY:MCMO:YITL:WT7V:NYBP:3PIB:3LPR:IDF6
Docker Root Dir: /media/schklom/data-hdd/docker_data_root
Debug Mode: false
Username: schklom
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
Default Address Pools:
Base: 192.168.0.0/16, Size: 24
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Logs
$ docker exec fail2ban fail2ban-client set nextcloud banip 1.2.3.4
1
$ docker exec fail2ban fail2ban-client unban 1.2.3.4
1
$ docker logs fail2ban
<Truncated for readability>
Server ready
2022-01-14 21:50:42,572 fail2ban.actions [1]: NOTICE [nextcloud] Ban 1.2.3.4
2022-01-14 21:50:47,831 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- exec: ssh -v -p 10022 -i /extra/pfsense_rpi root@pfsense.home easyrule block wan 1.2.3.4
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021'
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Reading configuration data /etc/ssh/ssh_config'
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling'
2022-01-14 21:50:47,832 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Connecting to pfsense.home [172.16.10.20] port 51456.'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Connection established.'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: identity file /extra/pfsense_rpi type 3'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: identity file /extra/pfsense_rpi-cert type -1'
2022-01-14 21:50:47,833 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Local version string SSH-2.0-OpenSSH_8.8'
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9'
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: compat_banner: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000'
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: "debug1: Authenticating to pfsense.home:51456 as 'root'"
2022-01-14 21:50:47,834 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_KEXINIT sent'
2022-01-14 21:50:47,835 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_KEXINIT received'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: algorithm: [email protected]'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: host key algorithm: ssh-ed25519'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none'
2022-01-14 21:50:47,836 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: expecting SSH2_MSG_KEX_ECDH_REPLY'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_KEX_ECDH_REPLY received'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Server host key: ssh-ed25519 SHA256:3fVz8OIdJZd1n+h3iwIxIMs1hoGojihUNtITrAfJYCs'
2022-01-14 21:50:47,837 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory'
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory'
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory'
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: "debug1: Host '[pfsense.home]:51456' is known and matches the ED25519 host key."
2022-01-14 21:50:47,838 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Found key in /root/.ssh/known_hosts:1'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: rekey out after 134217728 blocks'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_NEWKEYS sent'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: expecting SSH2_MSG_NEWKEYS'
2022-01-14 21:50:47,839 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_NEWKEYS received'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: rekey in after 134217728 blocks'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Will attempt key: /extra/pfsense_rpi ED25519 SHA256:O4398B+EizS6QRks+qYCO56QIUjnUF+pVvOYevT1kjs explicit'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_EXT_INFO received'
2022-01-14 21:50:47,840 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>'
2022-01-14 21:50:47,841 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: SSH2_MSG_SERVICE_ACCEPT received'
2022-01-14 21:50:47,841 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Authentications that can continue: publickey'
2022-01-14 21:50:47,841 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Next authentication method: publickey'
2022-01-14 21:50:47,842 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Offering public key: /extra/pfsense_rpi ED25519 SHA256:O4398B+EizS6QRks+qYCO56QIUjnUF+pVvOYevT1kjs explicit'
2022-01-14 21:50:47,842 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: Server accepts key: /extra/pfsense_rpi ED25519 SHA256:O4398B+EizS6QRks+qYCO56QIUjnUF+pVvOYevT1kjs explicit'
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: "debug1: read_passphrase: can't open /dev/tty: No such device or address"
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'debug1: No more authentication methods to try.'
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'root@pfsense.home: Permission denied (publickey).'
2022-01-14 21:50:47,844 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- killed with signal 127 (return code: 255)
2022-01-14 21:50:47,845 fail2ban.actions [1]: ERROR Failed to execute ban jail 'nextcloud' action 'pfsense' info 'ActionInfo({'ip': '1.2.3.4', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0xffff9051b1f0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0xffff9051b8b0>})': Error banning 1.2.3.4
2022-01-14 21:51:08,795 fail2ban.actions [1]: NOTICE [nextcloud] Unban 1.2.3.4
Do you have an idea how to make ssh read the passphrase?
Thank you for making and maintaining this container, it is really well done 👍
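As an added example (not part of this issue or the docker-fail2ban project): the log above shows a Ban notice that the jail recorded while the pfsense action behind it failed, so the router never blocked anything. This small Python checker, run over constructed log lines of the same shape, correlates each Ban notice with the action output that follows it and reports the failed bans together with the ssh error behind them; the IP addresses and the ActionInfo text in the sample are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, abridged to the shape of the fail2ban log quoted in the issue.
SAMPLE_LOG = """\
2022-01-14 21:50:42,572 fail2ban.actions [1]: NOTICE [nextcloud] Ban 1.2.3.4
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: "debug1: read_passphrase: can't open /dev/tty: No such device or address"
2022-01-14 21:50:47,843 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- stderr: 'root@pfsense.home: Permission denied (publickey).'
2022-01-14 21:50:47,844 fail2ban.utils [1]: ERROR ffff8fcfcf60 -- killed with signal 127 (return code: 255)
2022-01-14 21:50:47,845 fail2ban.actions [1]: ERROR Failed to execute ban jail 'nextcloud' action 'pfsense' info 'ActionInfo({...})': Error banning 1.2.3.4
2022-01-14 21:51:08,795 fail2ban.actions [1]: NOTICE [nextcloud] Unban 1.2.3.4
2022-01-14 21:52:00,000 fail2ban.actions [1]: NOTICE [nextcloud] Ban 5.6.7.8
"""
BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
STDERR_RE = re.compile(r"fail2ban\.utils\s+\[\d+\]:\s+ERROR\s+\w+ -- stderr: [\"'](?P<msg>.*)[\"']$")
RC_RE = re.compile(r"-- killed with signal \d+ \(return code: (?P<rc>\d+)\)")  # \s+ above: fail2ban pads level names
FAIL_RE = re.compile(r"ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)' .*: Error banning (?P<ip>\S+)")

@dataclass
class FailedBan:
    jail: str
    action: str
    ip: str
    return_code: Optional[int]
    reason: str  # last non-debug stderr line the action produced before failing

def find_failed_bans(lines) -> List[FailedBan]:
    """Correlate each Ban notice with the action output after it; report bans fail2ban marked failed."""
    stderr_tail, last_rc, failed = [], None, []  # stderr lines and exit code seen since the last Ban notice
    for line in lines:
        if BAN_RE.search(line):
            stderr_tail, last_rc = [], None  # new ban: open a fresh window
        elif (m := STDERR_RE.search(line)):
            stderr_tail.append(m.group("msg"))
        elif (m := RC_RE.search(line)):
            last_rc = int(m.group("rc"))
        elif (m := FAIL_RE.search(line)):
            # ssh -v floods stderr with debug1 lines; prefer the last non-debug one as the reason.
            non_debug = [s for s in stderr_tail if not s.startswith("debug")]
            reason = (non_debug or stderr_tail or ["<no stderr captured>"])[-1]
            failed.append(FailedBan(m.group("jail"), m.group("action"), m.group("ip"), last_rc, reason))
            stderr_tail, last_rc = [], None
    return failed

def successful_bans(lines) -> List[str]:
    """IPs with a Ban notice and no failure report: what the jail actually enforced."""
    failed_ips = {f.ip for f in find_failed_bans(lines)}
    return [m.group("ip") for m in map(BAN_RE.search, lines) if m and m.group("ip") not in failed_ips]
```

Feeding `docker logs fail2ban` output into `find_failed_bans` gives a quick check that the jail is not silently failing open while the actionban command cannot authenticate.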