
`kr add -s <server>` fails on macOS

Open RyanBreaker opened this issue 6 years ago • 2 comments

I've tested this with a fresh kr installation on macOS 10.13 against fresh installations of CentOS 7, Fedora, Debian, and Ubuntu, all with the same results. No teams are configured; this is only running Core as a single user.

Per the pasted log below, `kr add -s <server>` fails with the error `bash: sshd: command not found`, but `ssh-copy-id -f <server>` works.

```
#( 06/09/18@12:34PM )( breaker@Ryans-MacBook-Air ):~
   kr -v
kr version 2.4.8
#( 06/09/18@12:34PM )( breaker@Ryans-MacBook-Air ):~
   kr add -s 172.16.0.205
The authenticity of host '172.16.0.205 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:Jh1mBmixtPd6g9nBVyR3rwZEU5DiqODHc9SbYe0rEE0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.205' (ECDSA) to the list of known hosts.
[email protected]'s password:
bash: sshd: command not found
Server does not use .ssh/authorized_keys for access control.
Error adding keys: Server incompatible with `kr` access control
#( 06/09/18@12:35PM )( breaker@Ryans-MacBook-Air ):~
   ssh-copy-id -f 172.16.0.205
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/breaker/.ssh/id_krypton.pub"
[email protected]'s password:

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh '172.16.0.205'"
and check to make sure that only the key(s) you wanted were added.

#( 06/09/18@12:36PM )( breaker@Ryans-MacBook-Air ):~
   ssh 172.16.0.205
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Success. Request Allowed ✔
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jun  9 12:35:39 2018
breaker@debian:~$
```

My `~/.ssh/config`:

```
# Added by Krypton
Host *
	PKCS11Provider /usr/local/lib/kr-pkcs11.so
	ProxyCommand /usr/local/bin/krssh %h %p
	IdentityFile ~/.ssh/id_krypton
	IdentityFile ~/.ssh/id_rsa
```

Please let me know about anything else I can supply to help debug this.

RyanBreaker, Jun 09 '18 17:06

Thank you for reporting this -- we do extra checks to make sure the server actually uses ~/.ssh for authorized keys, but it looks like this is a false negative. The checks work by running sshd as the current user to check the server's config.

Where is sshd located on the server, and is there a specific reason it isn't on the path of the user logging in?

kcking, Jun 13 '18 15:06

Interestingly, for all of these servers `sshd` is indeed on the PATH for the user I'm logging into. On CentOS 7 for example, it's at `/usr/sbin/sshd` which is in PATH by default for a fresh install and is runnable by the user on login:

```
[breaker@<server> ~]$ sshd --foo
unknown option -- -
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]
```

RyanBreaker, Jun 14 '18 18:06
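
One way to write the check kcking describes (running `sshd` as the logged-in user to read the server's config), as an added example that is not kr's code. The function names, the `SSHD_DIRS` fallback list and the exit-code convention are assumptions; it uses the `-T` flag listed in the usage text above and reports "could not determine" separately from "does not use `.ssh/authorized_keys`", so a missing `sshd` is not read as an incompatible server.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not kr's implementation.
# check_server exit codes: 0 = AuthorizedKeysFile includes .ssh/authorized_keys,
# 1 = it does not, 2 = could not determine (sshd missing or `sshd -T` failed).

# Assumed fallback directories, searched only when sshd is not on PATH.
SSHD_DIRS="${SSHD_DIRS:-/usr/sbin /usr/local/sbin /sbin}"

# Print the path of sshd, trying PATH first and then the fallback directories.
find_sshd() {
    if command -v sshd >/dev/null 2>&1; then
        command -v sshd
        return 0
    fi
    for dir in $SSHD_DIRS; do
        if [ -x "$dir/sshd" ]; then
            printf '%s\n' "$dir/sshd"
            return 0
        fi
    done
    return 1
}

# Read `sshd -T` style output (one "keyword value..." pair per line) on stdin.
uses_dot_ssh_authorized_keys() {
    awk '
        tolower($1) == "authorizedkeysfile" {
            for (i = 2; i <= NF; i++)
                if ($i == ".ssh/authorized_keys" || $i == "%h/.ssh/authorized_keys")
                    found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Run the whole check, keeping "unknown" (2) distinct from "no" (1).
check_server() {
    sshd_bin=$(find_sshd) || return 2
    config=$("$sshd_bin" -T 2>/dev/null) || return 2
    printf '%s\n' "$config" | uses_dot_ssh_authorized_keys
}

# Constructed sample of `sshd -T` output, not captured from a real server.
sample='port 22
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
passwordauthentication yes'
printf '%s\n' "$sample" | uses_dot_ssh_authorized_keys && echo "uses .ssh/authorized_keys"
```
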