Ssh – Why can I ssh logon without key or password? How to stop this

Tags: security, ssh, ssh-keys, ubuntu-16.04

I have just discovered I can log into my server as long as I provide a missing file to the ssh client!

What can I check to find out why and what can I change to stop this from happening?

Logging in with missing file

$ ssh -i ~/.ssh/x user@server.com
Warning: Identity file /c/Users/G/.ssh/x not accessible: No such file or directory.
Last login: Wed Aug  9 20:20:49 2017 from 192.168.15.250
user@server:~$

Failing to log in with invalid cert

$ ssh -i ~/.ssh/invalid.pem user@server
Permission denied (publickey).

Successfully logging in

$ ssh -i ~/.ssh/valid.pem user@server
Last login: Wed Aug  9 20:21:07 2017 from 192.168.15.250
user@server:~$

These are the only non-commented lines in my /etc/ssh/sshd_config

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

Best Answer

In answer to "What can I check to find out why"

ssh -vv. The -vv parameter gives verbose debugging, showing what is happening between pressing return on the local client and seeing the prompt on the remote server.

In answer to "Why can I ssh logon without key or password?"

That wasn't what was happening. In this specific case, the appropriate key, valid.pem, was duplicated in the id_rsa file. The duplicate key was being used.


The following occurs on this client:

  1. Warning is shown that the specified key file is not accessible
  2. The client tries looking for any suitable key, as shown here:

debug2: key: /c/Users/G/.ssh/id_rsa (0x0)
debug2: key: /c/Users/G/.ssh/id_dsa (0x0)
debug2: key: /c/Users/G/.ssh/id_ecdsa (0x0)
debug2: key: /c/Users/G/.ssh/id_ed25519 (0x0)

  3. It then tries the id_rsa key, as shown here:

debug1: Trying private key: /c/Users/G/.ssh/id_rsa

  4. The server sees that this key is valid and allows logon to continue:

debug1: Authentication succeeded (publickey).
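
The check the answer performs by eye can be scripted. This is an added example, not part of the original answer: it reads captured `ssh -vv` output and reports which identity file actually authenticated and whether that was a fallback from a missing `-i` file. The function name and report fields are hypothetical, the sample log is constructed from the lines quoted on this page, and the "Offering ... public key" wording is an assumption about other OpenSSH output that this page does not show.

```python
import re

# Constructed sample: the warning and debug lines quoted on this page,
# in the order the answer describes them.
SAMPLE_LOG = """\
Warning: Identity file /c/Users/G/.ssh/x not accessible: No such file or directory.
debug2: key: /c/Users/G/.ssh/id_rsa (0x0)
debug2: key: /c/Users/G/.ssh/id_dsa (0x0)
debug2: key: /c/Users/G/.ssh/id_ecdsa (0x0)
debug2: key: /c/Users/G/.ssh/id_ed25519 (0x0)
debug1: Trying private key: /c/Users/G/.ssh/id_rsa
debug1: Authentication succeeded (publickey).
"""

PATTERNS = {
    "missing": re.compile(r"^Warning: Identity file (\S+) not accessible"),
    "candidates": re.compile(r"^debug2: key: (\S+)"),
    # "Trying private key" is the wording on this page; "Offering ... public key"
    # is assumed here for keys whose public half is already loaded.
    "attempted": re.compile(
        r"^debug1: (?:Trying private key|Offering (?:\w+ )?public key): (\S+)"),
}
SUCCESS = re.compile(r"^debug1: Authentication succeeded \(([^)]+)\)")


def analyse_ssh_debug(log):
    """Report which identity file authenticated, and whether it was a fallback."""
    report = {"missing": [], "candidates": [], "attempted": [],
              "accepted_key": None, "method": None, "fallback": False}
    for raw in log.splitlines():
        line = raw.strip()
        for field, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                report[field].append(match.group(1))
        done = SUCCESS.match(line)
        if done:
            report["method"] = done.group(1)
            # For publickey auth, the key that worked is the last one attempted.
            if report["method"] == "publickey" and report["attempted"]:
                report["accepted_key"] = report["attempted"][-1]
            break
    # Fallback: a requested -i file was missing, yet some other key was accepted.
    report["fallback"] = bool(report["missing"]) and report["accepted_key"] is not None
    return report


if __name__ == "__main__":
    for key, value in analyse_ssh_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The debug lines are written to stderr, so redirect stderr to a file when capturing `ssh -vv` output to feed to the function.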