SSH - Connection reset

My YunoHost server

Hardware: Raspberry Pi 4 8GB at home
YunoHost version: 4.1.7.1
I have access to my server : direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hello,

I’ve just set up two new YNH instances on two Raspberry Pi 4 boards with two different domain names:

  • on the first, let’s say pro-domain.tld, I’ve installed GitLab and Nextcloud,
  • on the second, let’s say perso-domain.tld, I’ve installed DokuWiki and Seafile.

I’m experiencing connection reset errors when trying to connect via ssh to admin@pro-domain.tld but not when trying to connect to admin@perso-domain.tld.

Here is the extract of /var/log/auth.log on pro-domain.tld:

Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Permissions 0440 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: It is required that your private key files are NOT accessible by others.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: This private key will be ignored.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Error loading host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Permissions 0440 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: It is required that your private key files are NOT accessible by others.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: This private key will be ignored.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Error loading host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Permissions 0440 for '/etc/ssh/ssh_host_rsa_key' are too open.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: It is required that your private key files are NOT accessible by others.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: This private key will be ignored.
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Error loading host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Feb 24 17:01:20 pro-domain.tld sshd[765]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Feb 24 17:01:20 pro-domain.tld sshd[765]: Connection from 192.168.xxx.xx port 53668 on 192.168.yyy.yy port 22
Feb 24 17:01:20 pro-domain.tld sshd[765]: fatal: No supported key exchange algorithms [preauth]

When I change the permissions by chmod to 400 (with keyboard and screen connected) I can connect through ssh.
After a while (10 to 15 minutes max), the permissions are set back to 440 and I’m unable to connect.

I’ve never experienced that on the perso-domain.tld server nor on the previous YNH instances I ran.

I wonder if this is related to GitLab because it’s the first and only time I installed it on one of my YNH instances.
Is it in any way related to [SSH] Lockout depuis l’installation de Gitlab ?
Any hints on what’s going on and how to solve it ?

Many thanks in advance.
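What the log above shows is sshd refusing all three host keys because their mode has the group-read bit set, then aborting the key exchange because no host key is left to offer; the client only sees the connection being reset. The following is an added example, not code from the thread or from YunoHost: a small shell audit that applies the same test sshd applies (any group or other bit set on the private key and it is ignored) and repairs the files. It assumes Linux with GNU coreutils (`stat -c`, and `ls` marking files that carry an ACL with a `+`); `setfacl` is optional and only used by the repair step. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the permission test that
# sshd applies to its host keys and audit/repair a key directory with it.
# Assumptions: Linux with GNU coreutils (stat -c, ls marking ACLs with '+');
# setfacl is optional and only used by the repair step.

# Octal permission bits of a file ("400", "440", "600", ...).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when the file carries a POSIX ACL: GNU ls prints '+' right after the
# ten mode characters. With an ACL present, the group triad shown by ls is
# the ACL mask, which setfacl raises to cover any entry it adds; that is
# how a user:turnserver:r-- entry turns a 0400 key into a displayed 0440.
has_acl() {
    case "$(ls -ld "$1")" in
        ??????????+*) return 0 ;;
    esac
    return 1
}

# The same rule sshd uses before loading a private key: if any group or
# other bit is set ((st_mode & 077) != 0) the key is ignored with
# "Permissions ... are too open". Owner bits play no part in this test.
host_key_perm_ok() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report every ssh_host_*_key under DIR (default /etc/ssh); return 1 if
# sshd would refuse at least one of them.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        acl=no
        has_acl "$key" && acl=yes
        if host_key_perm_ok "$key"; then
            printf 'OK      %s mode=%s acl=%s\n' "$key" "$(file_mode "$key")" "$acl"
        else
            printf 'IGNORED %s mode=%s acl=%s (sshd: permissions too open)\n' \
                "$key" "$(file_mode "$key")" "$acl"
            rc=1
        fi
    done
    return $rc
}

# Repair: drop every ACL entry (which also removes the mask) and set 0600.
# A plain chmod 400 only holds until whatever re-applies the ACL runs again,
# so the job doing that still has to be found and fixed.
fix_host_keys() {
    dir=${1:-/etc/ssh}
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        if command -v setfacl >/dev/null 2>&1; then
            setfacl -b "$key"
        fi
        chmod 600 "$key"
    done
}

# Run as a script: ./audit.sh /etc/ssh
if [ -n "${1:-}" ]; then
    audit_host_keys "$1"
fi
```

Running `audit_host_keys` on the affected box would print an IGNORED line with `acl=yes` for each key; the `acl` column is the hint that a plain `chmod` is not the whole story, because an ACL mask, not the classic group bits, is what `ls -l` is displaying.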



Wokay … then let’s look at ls -l /etc/ssh/ssh_host_rsa_key

Hi @Aleks,
Now it’s:
-r--r-----+ 1 root root 1823 Feb 19 08:04 /etc/ssh/ssh_host_rsa_key
although I did a chmod 400 ssh_host_* maybe half an hour ago.

Wokay well that’s weird … there’s also this “+” sign which means there are some ACL (extended permissions) on this …

Sounds like a cron job doing some stuff … Have you been doing things in particular like mounting nextcloud stuff on a hard drive or something … Any tweaking of cron job-related stuff ?

The system boots from a USB hard drive (I’m not using any SD card), so no need (yet) to mount a volume for the nextcloud data.
The cron jobs I added are:
00 03 * * TUE,THU,SAT yunohost backup create
00 04 * * 0 find /home/yunohost.backup/archives/* -mtime +60 -exec rm {} \;

Hmokay, let’s naively try this :

grep -nr acl /etc/cron*

And maybe also ls -l /etc/cron.d

total 16
-rw-r--r--+ 1 root root  69 Feb 16 18:08 coturn_config_rotate
-rw-r--r--+ 1 root root  74 Feb 18 15:49 nextcloud
-rw-r--r--+ 1 root root 712 Dec 17  2018 php
-rw-r--r--+ 1 root root 205 Feb 16 14:07 yunohost-diagnosis

Nothing for grep -nr acl /etc/cron*

Wokay, let’s try this :

getfacl /etc/ssh/ssh_host_rsa_key

(in fact it looks like maybe every file in /etc has some acl set for some reason …)

getfacl: Removing leading '/' from absolute path names
# file: etc/ssh/ssh_host_rsa_key
# owner: root
# group: root
user::r--
user:turnserver:r-- #effective:---
group::---
mask::---
other::---

Oops…
I forgot to mention that I’ve also installed Galene to give it a try.

Well there it is : galene_ynh/Coturn_config_rotate.sh at testing · YunoHost-Apps/galene_ynh · GitHub

$app is not defined, so it evaluates to empty string and therefore applies the acl to the entirety of /etc/ … Not sure why that puts the permissions to 440 instead of 400 though, but probably related …
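The linked script is not reproduced here. What follows is an added example, not galene_ynh's own code, of the pattern the reply describes: a recursive `setfacl` whose target path is built from a variable that is never set, next to a guarded version that cannot widen to the parent directory. It assumes the rotate job grants the `turnserver` user read access below `/etc/<app>`; `ETC_ROOT`, `DRY_RUN`, `run`, `acl_target_unguarded`, `acl_target_guarded` and `apply_turnserver_acl` are names invented for the example, and `ETC_ROOT` exists only so it can be exercised against a scratch directory instead of the real `/etc`.

```shell
#!/bin/sh
# Added example, not galene_ynh's own script: the failure pattern named in
# the reply above (a path built from an unset $app) next to a guarded
# version. Assumptions: the rotate script grants the 'turnserver' user read
# access under /etc/<app> with setfacl; ETC_ROOT exists only so the example
# can be exercised against a scratch directory; DRY_RUN=1 (the default)
# prints the setfacl command instead of running it.

ETC_ROOT=${ETC_ROOT:-/etc}

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Buggy shape: nothing checks that $app is set. With it empty the target
# is "/etc/", and a recursive setfacl then touches every file under /etc,
# the sshd host keys included. (With `set -u` at the top of the script the
# expansion of an unset $app would abort it instead of silently widening.)
acl_target_unguarded() {
    printf '%s/%s\n' "$ETC_ROOT" "$app"
}

# Guarded shape: the name is an explicit argument, must be non-empty and
# made only of the characters an app id can contain, so it can neither
# vanish nor climb out of ETC_ROOT with "../".
acl_target_guarded() {
    name=$1
    case "$name" in
        "")             echo "refusing: app name is empty" >&2; return 1 ;;
        *[!a-z0-9_-]*)  echo "refusing: app name '$name' has unexpected characters" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "$ETC_ROOT" "$name"
}

# Apply the ACL only to an existing app directory, never to ETC_ROOT itself.
apply_turnserver_acl() {
    target=$(acl_target_guarded "$1") || return 1
    if [ ! -d "$target" ]; then
        echo "refusing: $target is not a directory" >&2
        return 1
    fi
    run setfacl -R -m user:turnserver:r-- "$target"
}

# Example run (dry run by default): apply_turnserver_acl galene
```

The guarded version also explains the "440 instead of 400" observation: `setfacl -m` recalculates the ACL mask so that the new `user:turnserver:r--` entry is effective, and with an ACL present it is that mask that `ls -l` shows in the group position. Restricting the target to one app directory keeps that mask change away from `/etc/ssh`.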

OK, I’ve uninstalled Galene.
So far no permission change in /etc/ssh, I’ll wait until tomorrow and post a reply either way.
Many thanks.

No connection reset issue anymore.
Uninstalling Galene has solved the problem.
Thanks again.
