Can't revert back SSH configuration to login again (Too many authentication failures)

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.0.13
How are you able to access your server: Other(?)
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: No

Describe your issue

Hi
I’ve installed YunoHost like I did on other VPS servers. All went well and I was able to install and run an app in a Docker container with the Redirect app as a reverse proxy.
Since the beginning I was able to SSH from a VPS to the new one using password authentication. Then I wanted to SSH using only a pubkey. It was OK until something went wrong (of course I can’t find what I did to put me here) and now I’m stuck, ending with an error message:

...
debug1: Found key in /home/chris/.ssh/known_hosts:11
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/chris/.ssh/id_rsa RSA SHA256:###
debug1: Will attempt key: /home/chris/.ssh/id_ecdsa 
debug1: Will attempt key: /home/chris/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/chris/.ssh/id_ed25519 
debug1: Will attempt key: /home/chris/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/chris/.ssh/id_xmss 
debug1: Will attempt key: /home/chris/.ssh/id_dsa 
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/chris/.ssh/id_rsa RSA SHA256:###
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/chris/.ssh/id_ecdsa
debug1: Trying private key: /home/chris/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/chris/.ssh/id_ed25519
debug1: Trying private key: /home/chris/.ssh/id_ed25519_sk
debug1: Trying private key: /home/chris/.ssh/id_xmss
debug1: Trying private key: /home/chris/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
user@newvps's password: 
debug2: we sent a password packet, wait for reply
Received disconnect from ::1 port 22222:2: Too many authentication failures
Disconnected from ::1 port 22222

I have sent my id_rsa.pub to the new VPS, SSH compatibility is set to “intermediate”, and password authentication is set to yes.
I’ve tried to regenerate the SSH configuration from the command line, but no change.
I did not see any attribute in the LDAP that could explain why my user is blocked.
I’ve tried to revert to the old SSH configuration (the one from this morning) but still get the error.

Is my user locked?
Any tip or advice is welcome.

Share relevant logs or error messages

N/A


Drop all the keys in your agent and then just load the one you need to get into the server. You can add MaxAuthTries to e.g. /etc/ssh/sshd_config.d/maxtries_conf to set a higher value so that all the keys you usually load into your agent can be ignored as one login try before the correct key is used.

BTW: on some machines I have a /home/chris, too :wink:
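To see how many attempts the server will actually have counted in a transcript like the ones quoted in this thread, here is an added Python helper (not from the thread or from YunoHost). It assumes `ssh -vv` output: only lines saying "we sent a publickey/password packet" correspond to attempts the server sees, while "Trying private key" for a file that does not exist is skipped client-side and costs nothing.

```python
import re

# Constructed sample, modelled on the `ssh -vv` transcript quoted above
# (fingerprints and host already replaced with placeholders in the thread).
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/chris/.ssh/id_rsa RSA SHA256:###
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/chris/.ssh/id_ecdsa
debug1: Trying private key: /home/chris/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
Received disconnect from ::1 port 22222:2: Too many authentication failures
"""

OFFER_RE = re.compile(r"Offering public key: (\S+)")
SENT_RE = re.compile(r"we sent a (publickey|password) packet")
TOO_MANY_RE = re.compile(r"Too many authentication failures")


def summarize_auth_attempts(log: str) -> dict:
    """Return the keys actually offered, password tries, total attempts
    the server counted, and whether it hung up with 'Too many ...'."""
    offered, password_tries, too_many, pending_key = [], 0, False, None
    for line in log.splitlines():
        m = OFFER_RE.search(line)
        if m:                      # client announces a key; not yet sent
            pending_key = m.group(1)
            continue
        m = SENT_RE.search(line)
        if m:                      # this is what the server sees and counts
            if m.group(1) == "publickey" and pending_key:
                offered.append(pending_key)
                pending_key = None
            elif m.group(1) == "password":
                password_tries += 1
            continue
        if TOO_MANY_RE.search(line):
            too_many = True
    return {"offered_keys": offered, "password_tries": password_tries,
            "attempts": len(offered) + password_tries,
            "too_many_failures": too_many}


if __name__ == "__main__":
    print(summarize_auth_attempts(SAMPLE_LOG))
```

Every offered key the server rejects is one failure against MaxAuthTries, so with a full agent the limit can be reached before the right key is tried; on the client side, `IdentitiesOnly yes` together with `-i`/`IdentityFile` stops ssh from offering agent keys first.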

Thanks Chris :wink:
I’ve tried that with a value of 20 and I immediately fall back to an error message:

...
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/chris/.ssh/id_rsa RSA SHA256:###
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/chris/.ssh/id_ecdsa
debug1: Trying private key: /home/chris/.ssh/id_ecdsa_sk
debug1: Offering public key: /home/chris/.ssh/id_ed25519 ED25519 SHA256:###
debug2: we sent a publickey packet, wait for reply
Received disconnect from ::1 port 1234:2: Too many authentication failures
Disconnected from ::1 port 1234

Can it be possible that the user is “locked”? I can’t find any information on whether the PAM module can override some settings.
BTW I’ve stopped the fail2ban service, just in case, but I’m not sure if it unlocks locked users.

You changed that setting on your yunohost?

If you’re still able to log in on your YunoHost, look at /var/log/auth for more information, and if there’s no reason shown you could enable debugging for sshd (LogLevel, see man sshd_config).

Add your IP to your fail2ban:

[sshd]
....
ignoreip = 12.0.0.1 192.165.1.10/24

so you don’t have a problem.

To connect to your SSH:

ssh -i ~/.ssh/<key-private> <user>@<ip-server>

But you need to copy the .pub to your server, like this:

cat ~/.ssh/<public key>.pub | ssh utilisateur@ip_du_serveur "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
systemctl restart sshd

Yes, I did it on the remote server I want to connect to, in /etc/ssh/sshd_config.
I will continue to investigate …

Thank you. Fail2ban is currently stopped to avoid ban issues. So that sounds like it’s an sshd issue.
The key has been added to the user’s authorized_keys file.

The strange behavior is that if I specify the identity file with the -i option, I fall back to entering a password. If I don’t, then I end immediately with the “too many” message.

In /var/log/auth.log, nothing is displayed. I guess I have to raise the log level …

OK, got the reason. I have reinstalled the server, and fell back on the same issue when I use the domain but not the IP. My DNS record was not correct …
Again the problem was between the chair and the keyboard …


For the DNS, you need:

@ A domain.tld
@ AAAA domain.tld
* CNAME domain.tld
eg......