Error: User modify failed. Cannot modify user on this node: Authentication by SSH key failed!
1. The error 'User modify failed. Cannot modify user on this node: Authentication by SSH key failed!' occurs when the public key of the Ezeelogin node is missing from /root/.ssh/authorized_keys on the gateway. Append it again with the following command (run it once; each run adds another copy of the line):
[root@gateway ~]# cat /usr/local/etc/ezlogin/id_clkey.pub >> /root/.ssh/authorized_keys
Check that the key is back in the file:
[root@gateway ~]# cat /root/.ssh/authorized_keys
Run the following command to check whether the recommended sshd settings are in effect. sshd -T prints the configuration sshd actually uses, with defaults and Include files resolved, which is more reliable than reading /etc/ssh/sshd_config by eye. On OpenSSH releases before 8.5 the last keyword is named pubkeyacceptedkeytypes instead of pubkeyacceptedalgorithms.
root@ez:/home# sshd -T | grep -i 'AllowTcpForwarding\|PermitRootLogin\|PubkeyAuthentication\|PasswordAuthentication\|pubkeyacceptedalgorithms\|Port'
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
gatewayports no
allowtcpforwarding yes
pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
2. Make sure that the port sshd listens on (the "port" line in the output above) is the one entered as the gateway port under Settings->General->Miscellaneous->Gateway SSH port.
3. Make sure PubkeyAuthentication is set to yes in /etc/ssh/sshd_config. On CentOS/RHEL/Fedora:
[root@gateway ~]# vi /etc/ssh/sshd_config
#set PubkeyAuthentication to yes
PubkeyAuthentication yes
[root@gateway ~]# service sshd restart
4. Make sure root login over SSH is permitted on the gateway server, at least from localhost, because Ezeelogin connects to the node as root with the key from step 1.
You can check this with
ssh root@localhost
If it does not log you in, edit /etc/ssh/sshd_config. Rather than setting PermitRootLogin yes globally, add a Match block so that root login is allowed from the loopback address only. A Match block applies until the next Match keyword, so it has to go at the end of the file:
[root@gateway ~]# vi /etc/ssh/sshd_config
#Add the following lines to the end of /etc/ssh/sshd_config to allow root login from localhost only
Match Address 127.0.0.1
    PermitRootLogin yes
[root@gateway ~]# service sshd restart
Because Ezeelogin authenticates with a key, PermitRootLogin prohibit-password (without-password on older OpenSSH) is enough inside the Match block and keeps root password logins disabled. If localhost resolves to ::1 on the gateway, use Match Address 127.0.0.1,::1. You can confirm which value sshd applies to such a connection, since plain sshd -T shows only the global value, with
sshd -T -C user=root,addr=127.0.0.1,host=localhost | grep -i permitrootlogin
Then make sure you are able to authenticate with
ssh root@localhost
With PermitRootLogin yes you should be logged in after entering the root password; with prohibit-password, test with the node key instead: ssh -i /usr/local/etc/ezlogin/id_clkey root@localhost
5. Make sure that the user the web server (apache/nginx) runs as (apache, nobody, www-data, etc.) is able to read the keys in /usr/local/etc/ezlogin. Prefer giving that user group access to the files:
usermod -aG <current_groupname_of_id_clkey_files> <webserver_user>
The -a is required: usermod -G without it replaces the user's existing supplementary groups. Restart the web server afterwards so the new group membership takes effect. Only if that is not possible, make the files world-readable:
chmod o+r /usr/local/etc/ezlogin/id_clkey
chmod o+r /usr/local/etc/ezlogin/id_clkey.pub
Keep in mind that id_clkey is the private key that logs in as root on this node; once it is world-readable, every local account on the gateway can read it, so treat this as a last resort. Verify the result as the web user (it usually has a nologin shell, hence -s):
su -s /bin/sh -c 'test -r /usr/local/etc/ezlogin/id_clkey && echo readable' <webserver_user>
6. Find out which key type the Ezeelogin key uses by running the command below.
[root@gateway ~]# ssh-keygen -l -f /usr/local/etc/ezlogin/id_key.pub
4096 SHA256:n4lmX53/gwkKB4+nSQ30hZXxXK+DRG1LPc7N1KN/1Ag ezlogin (RSA)
If it is an RSA key, note that OpenSSH 8.8 and later no longer accept the ssh-rsa (SHA-1) signature algorithm by default, so ssh-rsa must appear in the pubkeyacceptedalgorithms line of the sshd -T output above. Open /etc/ssh/sshd_config and append the line below to re-enable it. PubkeyAcceptedKeyTypes is the pre-8.5 name of the option and is still accepted as an alias for PubkeyAcceptedAlgorithms.
[root@gateway ~]# vim /etc/ssh/sshd_config
PubkeyAcceptedKeyTypes +ssh-rsa
[root@gateway ~]# systemctl restart sshd
7. Check the sshd log while you retry the operation. On CentOS/RHEL/Fedora it is /var/log/secure; on Debian/Ubuntu use /var/log/auth.log or journalctl -fu ssh.
[root@gateway ~]# tail -f /var/log/secure
Refer to the article below if you see "userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms".
8. Reset Ezeelogin keys used for privilege escalation
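The checks from steps 1 to 6 gathered into one pre-flight script, as an added example that is not part of this article or of Ezeelogin itself. Every check takes its inputs as arguments, so it can be pointed at the real files (the article's /usr/local/etc/ezlogin/id_clkey.pub and /root/.ssh/authorized_keys, plus a saved sshd -T dump) or at the constructed samples created at the bottom of the script. The key blobs and the sshd output in those samples are made up for the demonstration; they are not real keys or a real server's configuration.

```shell
#!/bin/sh
# Added pre-flight script for the checks in this article (not Ezeelogin code).
# File paths are the ones the article uses; all sample data is constructed.

# Step 1: is the node's public key present in authorized_keys?
# Compares key type and base64 blob only, so a different trailing comment
# (e.g. "ezlogin" vs "root@gateway") does not produce a false "missing".
key_in_authorized_keys() {
    pub="$1"; auth="$2"
    blob=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub" 2>/dev/null)
    [ -n "$blob" ] || return 1
    awk 'NF >= 2 { print $1 " " $2 }' "$auth" 2>/dev/null | grep -Fxq -- "$blob"
}

# Key type from the first field of a .pub file; same answer as
# `ssh-keygen -l -f` without needing the binary on the box running this.
key_type() {
    case "$(awk '{ print $1; exit }' "$1" 2>/dev/null)" in
        ssh-rsa)      echo RSA ;;
        ssh-ed25519)  echo ED25519 ;;
        ecdsa-sha2-*) echo ECDSA ;;
        *)            echo UNKNOWN ;;
    esac
}

# One effective value out of an `sshd -T` dump (keywords are lower-case there).
sshd_val() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Steps 2, 3, 4 and 6: validate the effective sshd configuration.
# Prints one FAIL line per problem and returns non-zero if there was any.
check_sshd_dump() {
    dump="$1"; gateway_port="$2"; ktype="$3"; rc=0
    [ "$(sshd_val "$dump" port)" = "$gateway_port" ] ||
        { echo "FAIL: sshd port $(sshd_val "$dump" port) differs from gateway port $gateway_port"; rc=1; }
    [ "$(sshd_val "$dump" pubkeyauthentication)" = yes ] ||
        { echo "FAIL: pubkeyauthentication is not yes"; rc=1; }
    case "$(sshd_val "$dump" permitrootlogin)" in
        yes|prohibit-password|without-password) ;;   # root key login possible
        *) echo "FAIL: permitrootlogin blocks key login as root"; rc=1 ;;
    esac
    # OpenSSH 8.8 dropped the ssh-rsa signature algorithm from the default
    # list; an RSA node key needs it back (the step 6 fix, step 7 log line).
    if [ "$ktype" = RSA ]; then
        algs=$(sshd_val "$dump" pubkeyacceptedalgorithms)
        [ -n "$algs" ] || algs=$(sshd_val "$dump" pubkeyacceptedkeytypes)   # pre-8.5 keyword
        echo "$algs" | tr ',' '\n' | grep -qx ssh-rsa ||
            { echo "FAIL: ssh-rsa missing from pubkeyacceptedalgorithms"; rc=1; }
    fi
    return $rc
}

# Constructed samples: a node key that IS in authorized_keys (under another
# comment) and two sshd -T dumps, one misconfigured and one fixed.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SAMPLE_PUB="$WORK/id_clkey.pub"; SAMPLE_AUTH="$WORK/authorized_keys"
SAMPLE_DUMP_BAD="$WORK/sshd_T_bad"; SAMPLE_DUMP_GOOD="$WORK/sshd_T_good"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnotARealKeyBlob ezlogin" > "$SAMPLE_PUB"
printf '%s\n' "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlsoNotRealBlob admin@laptop" \
              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnotARealKeyBlob root@gateway" > "$SAMPLE_AUTH"
printf '%s\n' "port 2222" "permitrootlogin no" "pubkeyauthentication yes" \
              "pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256" > "$SAMPLE_DUMP_BAD"
printf '%s\n' "port 22" "permitrootlogin prohibit-password" "pubkeyauthentication yes" \
              "pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa" > "$SAMPLE_DUMP_GOOD"

# Run the checks against the samples (swap in the real paths on the gateway).
if key_in_authorized_keys "$SAMPLE_PUB" "$SAMPLE_AUTH"; then
    echo "OK: node key present in authorized_keys"
else
    echo "FAIL: node key missing, run step 1"
fi
KTYPE=$(key_type "$SAMPLE_PUB")
echo "node key type: $KTYPE"
echo "--- misconfigured dump ---"
if check_sshd_dump "$SAMPLE_DUMP_BAD" 22 "$KTYPE"; then echo "OK"; fi
echo "--- fixed dump ---"
if check_sshd_dump "$SAMPLE_DUMP_GOOD" 22 "$KTYPE"; then echo "OK: sshd settings fine"; fi
```

On the gateway, capture the configuration sshd applies to a root connection from loopback with sshd -T -C user=root,addr=127.0.0.1,host=localhost > /tmp/sshd_T.txt (plain sshd -T would miss a Match Address block) and run check_sshd_dump /tmp/sshd_T.txt 22 "$(key_type /usr/local/etc/ezlogin/id_clkey.pub)", replacing 22 with the Gateway SSH port from step 2. The ssh-rsa check only applies to RSA keys; an ed25519 node key is not affected by the OpenSSH 8.8 change.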