Cannot SSH to server

My YunoHost server

Hardware: VPS bought online
YunoHost version: 4.0.8.2 (stable).
I have access to my server : Through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance? : no

Description of my issue

Cannot SSH into my server. This is the third time I’m installing Yunohost so that I can SSH into my server. I explicitly told the installer to not mess with the SSH configuration, added three different keys to ssh/authorized_keys but none of them work. I disabled fail2ban and tried every combination of username & password I can think of but I still cannot login to my server. I can only SSH with the username I create from the webadmin but the connection immediately closes.

I understand this is a security feature but I want to login to my server and configure its security myself. Is there a way to install Yunohost without messing the current SSH configuration?

Server accepts my key but still asks for a password and then denies access with it.

debug1: Offering public key: /home/niko/.ssh/id_rsa RSA SHA256:eq1axxxxxxxxxxxxxxxxx
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/niko/.ssh/id_rsa RSA SHA256:eq1axxxxxxxxxxxxxxxxx
debug1: Authentications that can continue: publickey,password

debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.

  • Are you sure the issue is that “Yunohost messed with the SSH configuration” (e.g. have you really confirmed that /etc/ssh/sshd_config was edited by Yunohost)?
  • What about regular login using the root and/or admin users?
  • Are you sure that you created the .ssh (with a dot!) folder and authorized_key file with the appropriate permissions?
  • Yes, the connection immediately closes when connecting with your regular yunohost user, because you must explicitly allow it to connect to ssh, cf. yunohost user ssh --help
  • What kind of security tweaks are so important such that you absolutely don’t want Yunohost to touch the SSH configuration?
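The permission check asked about in the reply above, as an added example that is not part of the thread or of YunoHost: with OpenSSH's default `StrictModes yes`, sshd ignores `authorized_keys` when the home directory, `.ssh`, or the file itself is group/world-writable or owned by someone other than the account or root. The function names are hypothetical, and GNU `stat` (as shipped with Debian) is assumed.

```shell
#!/bin/sh
# Added example: audit the paths sshd's StrictModes check walks for one account.
# Assumes GNU stat (-c). Function names are made up for this illustration.

# check_path PATH UID: report why sshd would distrust PATH; return 1 if it would.
check_path() {
    path=$1; want_uid=$2; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    mode=$(stat -c '%a' "$path")     # octal permissions, e.g. 700
    owner=$(stat -c '%u' "$path")    # numeric owner uid
    # Owner must be the account itself or root.
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER    $path is owned by uid $owner, expected $want_uid or 0"
        rc=1
    fi
    # Group and other write bits (mask 022) must both be clear.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "MODE     $path is $mode (group/world-writable)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $path ($mode, uid $owner)"
    return "$rc"
}

# audit_authorized_keys HOME UID: check home, .ssh and authorized_keys in turn.
audit_authorized_keys() {
    home=$1; uid=$2; failed=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || failed=1
    done
    return "$failed"
}

# Stand-alone use: sh audit.sh /root root
if [ "$#" -eq 2 ]; then
    audit_authorized_keys "$1" "$(id -u "$2")"
fi
```

Any `MISSING`, `OWNER` or `MODE` line means sshd will skip the key file for that account and fall back to the remaining authentication methods.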

Well, I’m not sure whether it was Yunohost who edited the SSH config or not because I have not been able to log into the server yet. Root or admin login was not successful, due to a permission denied error and I have tried all the passwords I ever created. I use a password manager so I’m sure I entered them correctly.

My usual mode of operation is as follows, and I have been doing this successfully for a very long time on several different servers: I do a clean install of Debian, update it, copy my SSH keys (one for WSL, one for Putty and one for redundancy), check that the keys work, install Wireguard, then Yunohost, and go from there. There are no other steps involved until that point to make sure Yunohost setup doesn’t break any functionality (not that I know it will break things but because I’m not such a big Linux expert to be sure). This used to work flawlessly when I used to do it before with Debian 9. I have tried this 3 times now with Debian 10 and everything goes according to plan and everything works as intended, until I setup Yunohost.

Actually I don’t do much security tweaking apart from disabling password logins and setting up a watchdog to make sure I’m notified about logins and break-in attempts. I just want to be able to login to my server to install more software which seems impossible right now.

Hmokay but how did you install your server initially then?

It’s kinda complicated to help you right now because considering you just disabled the Yunohost’s handling of the sshd conf, I have no idea what it looks like and the very point of this option is to say “very well, you can handle the SSH conf yourself but then you’re on your own in terms of support”

The only thing I did to the SSH configuration was to copy 2 keys using ssh-copy-id in WSL and Putty, and add one more line of pubkey to /root/.ssh/authorized_keys manually. All keys were proved to be working. Then I told the Yunohost installer to leave my SSH configuration alone but it obviously did not listen to me, otherwise why would I be unable to login?

Could this be related to WSL2? I used to do things with Putty before, but since the advent of WSL and Putty, I switched to Debian in Windows 10 to manage my server.

I think I will try to install it one more time. This time I’ll skip the Wireguard setup and use a vanilla Debian 10.

EDIT: I have managed to login using the admin account. This is weird because I had tried it several times with several software to no avail. This time it magically worked.

Thanks for all the assistance!
