After upgrading linux9, I have been using mac’s terminal to log in, these are no problem, when I log in using software such as xshell, the session will end immediately. I am using the key file login method and the following is the log when restarting
.
Jul 25 22:15:48 localhost systemd[1]: Stopping OpenSSH server daemon...
Jul 25 22:15:48 localhost systemd[1]: sshd.service: Deactivated successfully.
Jul 25 22:15:48 localhost systemd[1]: Stopped OpenSSH server daemon.
Jul 25 22:15:48 localhost systemd[1]: Stopped target sshd-keygen.target.
Jul 25 22:15:48 localhost systemd[1]: Stopping sshd-keygen.target...
Jul 25 22:15:48 localhost systemd[1]: OpenSSH ecdsa Server Key Generation was skipped because all trigger condition checks failed.
Jul 25 22:15:48 localhost systemd[1]: OpenSSH ed25519 Server Key Generation was skipped because all trigger condition checks failed.
Jul 25 22:15:48 localhost systemd[1]: OpenSSH rsa Server Key Generation was skipped because all trigger condition checks failed.
Jul 25 22:15:48 localhost systemd[1]: Reached target sshd-keygen.target.
Jul 25 22:15:48 localhost systemd[1]: Starting OpenSSH server daemon...
Jul 25 22:15:48 localhost systemd[1]: Started OpenSSH server daemon.
Reading the error log for some reason when the server daemon tries to figure out what kind of key it is suppose to be using it fails all the checks so it can’t use a key to login. the config you are using I assume prohibits logging in using any other method so it doesn’t check so the program just reaches an end state and stops.
Need to figure out why the program is failing those checks, is there a further log based specifically on the keygen service? Or perhaps looking at the sshd-keygen.target file it is mentioning may lead to something worthwhile.
After pure installation of rockylinux9, I put the public key in .ssh/authorized_keys, log in and select the key to log in, and the prompt message is “The selected key is not registered in the remote host”
though this is only to make sure that the service restarts on boot.
sudo systemctl enable sshd-keygen@.service
the above command will at least solve that much of the problem
This is what I get in the log file. I’m no longer able to connect to server via ssh. It is configured to use key.
Dec 1 20:19:13 server systemd[1]: OpenSSH ecdsa Server Key Generation was skipped because all trigger condition checks failed.
Dec 1 20:19:13 server systemd[1]: OpenSSH ed25519 Server Key Generation was skipped because all trigger condition checks failed.
Dec 1 20:19:13 server systemd[1]: OpenSSH rsa Server Key Generation was skipped because all trigger condition checks failed.
Dec 1 20:19:13 server systemd[1]: Reached target sshd-keygen.target.
Dec 1 20:19:13 server systemd[1]: Starting OpenSSH server daemon…
Dec 1 20:19:13 server systemd[1]: Started OpenSSH server daemon.
Do you think these explain the inablility to log in?
systemd[1]: OpenSSH ecdsa Server Key Generation was skipped because all trigger condition checks failed.
systemd[1]: OpenSSH ed25519 Server Key Generation was skipped because all trigger condition checks failed.
systemd[1]: OpenSSH rsa Server Key Generation was skipped because all trigger condition checks failed.
systemd[1]: Reached target sshd-keygen.target.
No, they don’t. I get that same output from my machine and it is what I expect to get. That just tells that the machine does already have sshd host keys.
What you want to know is why communication between sshd and ssh client does fail.
Give option -v to ssh client. You should get much more verbose view on how the client experiences the connection attempt.
On the server, do look at the messages that sshd did log during the attempt. Probably the latest:
journalctl -xeu sshd
In case errors are not logged by sshd.service, look at:
journalctl -e
# or
less /var/log/secure
less /var/log/messages
I’m very grateful that you pointed out my mistake while trying to solve the problem. I was really thinking that the error message I mentioned above was the reason that I wasn’t being able to connect to server via ssh. Looking to the log files I couldn’t identify any other error message regarding sshd.
At last I took a look at the firewall and became aware that the ssh service port was changed back to the default 22 after the update. I wasn’t expecting that. After I change it back to my custom port the connection was established as before.
Thank you very much for your valuable help.
What means did you use to make sure that your port is not changed back to the default on the next update? If you just set the port under the “Run Time” status and don’t save it to “Permanent” then the settings won’t persist after a reboot.
Indeed. Change of stored firewall config by package update sounds outright scary. Such “feature change” would surely break many setups and should therefore be prominently documented in release notes. (Not that I had looked at them carefully.)
This is a feature of the Firewald GUI that is present in most graphical installs [Mate | Gnome] for RH since RH7. If you edit your firewall connections via the CLI then I think it avoids the confusing overhead of the GUI.
The firewalldpackage has its default config in /usr/lib/firewalld.
If one does use GUI applets or CLI tool (firewall-cmd), they both add customizations into /etc/firewalld. Content in /etc/firewalld overrides content in /usr/lib/firewalld.
If one manually adds config, one should put it into /etc/firewalld, where firewalld, GUI applets, and CLI tool should see the additions.
Package update can and does replace content in /usr/lib/firewalld. The expectation is that package update will not erase/modify content in /etc/firewalld and that syntax will not change. Hence, the customization of sshd-port should have remained unchanged and in effect.
Should the package update have modified /etc/firewalld, then all systems with custom firewall would have been affected by the update. The other option is that the customization was not properly made, and possibly still isn’t. Hence, future updates can break it again.
I changed the port number in the file ssh.xml which resides in the directory /usr/lib/firewalld/services/
after the change I reboot the system a couple of times to see if it persists. So far the change remains stable. My knowledge in these matters is very limited, I will pay attention next time and report if I see changes during updates.