
Error: User modify failed. Cannot modify user on this node: Authentication by SSH key failed!


1. The error 'User modify failed. Cannot modify user on this node: Authentication by SSH key failed!' occurs when the public key of the Ezeelogin installed node is missing from /root/.ssh/authorized_keys. To add the key, execute the following command:

[email protected] ~]# cat /usr/local/etc/ezlogin/id_clkey.pub >> /root/.ssh/authorized_keys

Check if the key is back in the file.

[email protected] ~]# cat /root/.ssh/authorized_keys

Run the following command to check if you have enabled the recommended sshd settings in /etc/ssh/sshd_config

[email protected]:/home# sshd -T | grep -i 'AllowTcpForwarding\|PermitRootLogin\|PubkeyAuthentication\|PasswordAuthentication\|pubkeyacceptedalgorithms\|Port'

port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
gatewayports no
allowtcpforwarding yes
pubkeyacceptedalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa

 

2. Also, make sure that the port sshd is listening on on the server is set as the gateway port in Settings->General->Miscellaneous->Gateway SSH port.

3. Also, make sure PubkeyAuthentication is set to 'yes' in your sshd_config (sshd configuration) file. In CentOS/RHEL/Fedora it would be:

[email protected] ~]# vi /etc/ssh/sshd_config

#set PubkeyAuthentication to yes

PubkeyAuthentication yes

[email protected] ~]# service sshd restart

4. Also, make sure root login is permitted on the gateway server.

You can check this by doing

and it should log you in; otherwise edit /etc/ssh/sshd_config and set PermitRootLogin yes.

[email protected] ~]# vi /etc/ssh/sshd_config

# Add the following lines to the end of /etc/ssh/sshd_config to allow root login from localhost only

Match Address 127.0.0.1
    PermitRootLogin yes

[email protected] ~]# service sshd restart

and make sure you are able to authenticate with the command

Make sure you are able to log in after entering the password.

5. Also, make sure that the web user (apache, nobody, etc.) that the web server (apache/nginx) runs as is able to read the keys in the directory /usr/local/etc/ezlogin. Grant the read privileges with:

chmod o+r /usr/local/etc/ezlogin/id_clkey
chmod o+r /usr/local/etc/ezlogin/id_clkey.pub
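or
usermod -aG <current_groupname_of_id_clkey_files> <webserver_user>

The group option is the narrower of the two: chmod o+r makes the private key id_clkey readable by every local user on the gateway.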

6. Find out which key type is used by the server by running the below command.

[email protected] ~]# ssh-keygen -l -f /usr/local/etc/ezlogin/id_key.pub

4096 SHA256:n4lmX53/gwkKB4+nSQ30hZXxXK+DRG1LPc7N1KN/1Ag ezlogin (RSA)

Open the /etc/ssh/sshd_config file and append the line below to enable the RSA key type.

[email protected] ~]# vim /etc/ssh/sshd_config

PubkeyAcceptedKeyTypes +ssh-rsa

[email protected] ~]# systemctl restart sshd

7. Check the log file /var/log/secure

[email protected] ~]# tail -f /var/log/secure

Refer to the article below if you get "userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms"

8. Reset Ezeelogin keys used for privilege escalation
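
The checks from steps 1, 3, 4 and 6 can be scripted. The following is an added example, not part of Ezeelogin or the original article; the function names key_is_authorized and sshd_problems are hypothetical and all sample keys and sshd output in it are constructed.

```shell
#!/usr/bin/env bash
# Added example. All sample data below is constructed, not taken from a real host.

# Succeed if the key in $1 (type + base64 blob) has an entry in the
# authorized_keys file $2. Comment lines are skipped; option prefixes are allowed.
key_is_authorized() {
    local ktype blob
    read -r ktype blob _ < "$1" || true      # tolerate a missing final newline
    [ -n "$blob" ] || return 2               # not a public key file
    awk -v t="$ktype" -v b="$blob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
        END { exit !found }' "$2"
}

# Read `sshd -T` output on stdin and print every setting that would block
# key-based root login with signature algorithm $1 (e.g. ssh-rsa).
# Exit status is 0 when nothing is wrong, 1 otherwise.
sshd_problems() {
    awk -v alg="$1" '
        $1 == "pubkeyauthentication" && $2 != "yes" { print "pubkeyauthentication " $2; bad++ }
        $1 == "permitrootlogin" && $2 == "no"       { print "permitrootlogin no"; bad++ }
        $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" {
            ok = 0; n = split($2, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == alg) ok = 1
            if (!ok) { print alg " missing from " $1; bad++ }
        }
        END { exit (bad > 0) }'
}

# Constructed demo: a gateway key absent from authorized_keys, and an sshd
# that no longer accepts ssh-rsa signatures.
demo_dir=$(mktemp -d)
echo "ssh-rsa AAAAB3ConstructedGatewayKey ezlogin" > "$demo_dir/id_clkey.pub"
echo "ssh-ed25519 AAAAC3ConstructedOtherKey admin" > "$demo_dir/authorized_keys"
sample_sshd_t='port 22
permitrootlogin yes
pubkeyauthentication yes
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

key_is_authorized "$demo_dir/id_clkey.pub" "$demo_dir/authorized_keys" \
    || echo "gateway key not in authorized_keys"
printf '%s\n' "$sample_sshd_t" | sshd_problems ssh-rsa || true
rm -rf "$demo_dir"
```

On a gateway, the same functions take the real inputs: key_is_authorized /usr/local/etc/ezlogin/id_clkey.pub /root/.ssh/authorized_keys, and sshd -T | sshd_problems ssh-rsa.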

 
