Error: User modify failed. Cannot modify user on this node: Authentication by SSH key failed!

How to solve the error that occurred while modifying an Ezeelogin gateway user?


Synopsis: Provides step-by-step instructions to troubleshoot and resolve the error encountered while modifying an Ezeelogin gateway user.


Step 1: The error 'User modify failed Cannot modify user on this node: Authentication by ssh key failed' occurs when the public key of the node where Ezeelogin is installed is missing from /root/.ssh/authorized_keys. To add the key, execute the following command:

[root@gateway ~]# cat /usr/local/etc/ezlogin/id_clkey.pub >> /root/.ssh/authorized_keys

Step 1.a: Run the command below to check that the key is back in the file.

[root@gateway ~]# cat /root/.ssh/authorized_keys

Run the following command to check whether the recommended sshd settings are enabled in /etc/ssh/sshd_config:

root@ez:/home# sshd -T | grep -i 'AllowTcpForwarding\|PermitRootLogin\|PubkeyAuthentication\|PasswordAuthentication\|pubkeyacceptedalgorithms\|Port'

port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
gatewayports no
allowtcpforwarding yes
pubkeyacceptedalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa

Step 2: Ensure that the port on which sshd is listening on the Ezeelogin gateway server is specified as the gateway port in the Ezeelogin GUI under Settings -> General -> Miscellaneous -> Gateway SSH Port.

Step 3: Make sure PubkeyAuthentication is set to 'yes' in your sshd_config (sshd configuration) file. In CentOS/RHEL/Fedora/Ubuntu it would be:

[root@gateway ~]# vi /etc/ssh/sshd_config

# Set PubkeyAuthentication to yes

PubkeyAuthentication yes

[root@gateway ~]# service sshd restart

Step 4: Ensure that root login is permitted on the gateway server. You can check this by running the command:

ssh root@localhost

Step 4.a: If it does not log you in, edit /etc/ssh/sshd_config and set PermitRootLogin to yes.

[root@gateway ~]# vi /etc/ssh/sshd_config

# Add the following lines to the end of /etc/ssh/sshd_config to allow root login from localhost only

Match Address 127.0.0.1
    PermitRootLogin yes

[root@gateway ~]# service sshd restart

Step 4.b: After making the changes, ensure that you can log in as root by using the following command and entering the password:

ssh root@localhost

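Step 5: Ensure that the user the web server (Apache/Nginx) runs as (such as apache, nobody, etc.) has read access to the keys in the directory /usr/local/etc/ezlogin.

Grant the read privileges with one of the commands below. Note that o+r makes the private key id_clkey readable by every local account on the gateway; the group-based option does not change the file mode.

chmod o+r /usr/local/etc/ezlogin/id_clkey
chmod o+r /usr/local/etc/ezlogin/id_clkey.pub
or
# -a appends the group instead of replacing the user's existing supplementary groups
usermod -a -G <current_groupname_of_id_clkey_files> <webserver_user>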

Step 6: Find out which key type is used by the server by running the command below.

[root@gateway ~]# ssh-keygen -l -f /usr/local/etc/ezlogin/id_key.pub

4096 SHA256:n4lmX53/gwkKB4+nSQ30hZXxXK+DRG1LPc7N1KN/1Ag ezlogin (RSA)

Step 6.a: Open the /etc/ssh/sshd_config file and append the line below to enable the RSA key type.

[root@gateway ~]# vim /etc/ssh/sshd_config

PubkeyAcceptedKeyTypes +ssh-rsa

[root@gateway ~]# systemctl restart sshd

Step 7: Check the log file /var/log/secure.

[root@gateway ~]# tail -f /var/log/secure

Refer to the article below if you get "userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms"
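
An idempotent form of the Step 1 append, plus an exact-match reader for the `sshd -T` output shown above, as an added example that is not Ezeelogin's own tooling. The helper names are hypothetical; the paths in the usage comment are the ones this article uses.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Usage on the gateway (article's paths):
#   ensure_key /usr/local/etc/ezlogin/id_clkey.pub /root/.ssh/authorized_keys
#   sshd -T | sshd_setting pubkeyauthentication

# key_blob FILE: print "keytype base64" per key line, ignoring options and comments.
key_blob() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-.*@openssh\.com)$/) {
                 print $i, $(i + 1); next } }' "$1"
}

# key_present PUBFILE AUTHFILE: 0 if authorized, 1 if missing, 2 if PUBFILE holds no key.
key_present() {
    want=$(key_blob "$1" 2>/dev/null | head -n 1)
    [ -n "$want" ] || return 2
    [ -r "$2" ] || return 1
    key_blob "$2" | grep -qxF -- "$want"
}

# ensure_key PUBFILE AUTHFILE: append the key only when it is not already listed.
ensure_key() {
    rc=0
    key_present "$1" "$2" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    (
        umask 077                          # a newly created file is owner-only
        mkdir -p "$(dirname "$2")" || exit 1
        # If the last line lacks a newline, add one so the new key is not glued to it.
        if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then echo >> "$2"; fi
        cat "$1" >> "$2"
    )
}

# sshd_setting NAME: read `sshd -T` output on stdin and print NAME's effective value.
# Exact keyword match, so "port" does not also return "gatewayports".
sshd_setting() {
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }'
}
```

Re-running `ensure_key` leaves authorized_keys unchanged once the key is listed, whereas repeating the plain `cat >>` from Step 1 adds a duplicate line each time.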

Related Articles

Error: User modify failed. Cannot modify user on other node: Authentication by SSH key failed!

Error: User modify failed Cannot modify user on this node: OS=FreeBSD: Command not found. OS: Undefined

Reset Ezeelogin keys used for privilege escalation