Configure SSH in OVM image

Installation Issues
1

Hi,
I try to connect using ssh to my passbolt-pro-server, but I always get permission denied.
I checked the sshd_config file but I can’t find an error.
Any ideas what could be wrong except the sshd confg?
Thanks Chris

2

Hi @Chris :wave: and welcome to passbolt community forum :handshake:

As explained in our help page, default credentials are:

username: passbolt
password: admin

Are you sure you are trying to connect to the good machine ? Did you connect with IP or domain name ?

Can you put the full output of you ssh connection attempt with the -v parameter ? Here is mine:

$ ssh passbolt@127.1 -p22222 -v
OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/jc/.ssh/config
debug1: Reading configuration data /Users/jc/.ssh/config.d/vagrant.conf
debug1: /Users/jc/.ssh/config line 142: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/jc/.ssh/sockets/passbolt@127.1:22222" does not exist
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22222.
debug1: Connection established.
debug1: identity file /Users/jc/.ssh/id_rsa type -1
debug1: identity file /Users/jc/.ssh/id_rsa-cert type -1
debug1: identity file /Users/jc/.ssh/id_dsa type -1
debug1: identity file /Users/jc/.ssh/id_dsa-cert type -1
debug1: identity file /Users/jc/.ssh/id_ecdsa type -1
debug1: identity file /Users/jc/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/jc/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/jc/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/jc/.ssh/id_ed25519 type 3
debug1: identity file /Users/jc/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/jc/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/jc/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/jc/.ssh/id_xmss type -1
debug1: identity file /Users/jc/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
debug1: compat_banner: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 127.0.0.1:22222 as 'passbolt'
debug1: load_hostkeys: fopen /Users/jc/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:6YIM43XAlxVDVgTjGTdwGC8ORbVYwHk5vt7wrkUBj9k
debug1: load_hostkeys: fopen /Users/jc/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[127.0.0.1]:22222' is known and matches the ED25519 host key.
debug1: Found key in /Users/jc/.ssh/known_hosts:18
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/jc/.ssh/id_rsa
debug1: Will attempt key: /Users/jc/.ssh/id_dsa
debug1: Will attempt key: /Users/jc/.ssh/id_ecdsa
debug1: Will attempt key: /Users/jc/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/jc/.ssh/id_ed25519 ED25519 SHA256:PQJ/KwxdvzE0CEj8Ht79y5WkNFrOsVr79OqHy7Y925E
debug1: Will attempt key: /Users/jc/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/jc/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/jc/.ssh/id_rsa
debug1: Trying private key: /Users/jc/.ssh/id_dsa
debug1: Trying private key: /Users/jc/.ssh/id_ecdsa
debug1: Trying private key: /Users/jc/.ssh/id_ecdsa_sk
debug1: Offering public key: /Users/jc/.ssh/id_ed25519 ED25519 SHA256:PQJ/KwxdvzE0CEj8Ht79y5WkNFrOsVr79OqHy7Y925E
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/jc/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/jc/.ssh/id_xmss
debug1: Next authentication method: password
passbolt@127.0.0.1's password:
debug1: Authentication succeeded (password).
Authenticated to 127.0.0.1 ([127.0.0.1]:22222).
debug1: setting up multiplex master socket
debug1: channel 0: new [/Users/jc/.ssh/sockets/passbolt@127.1:22222]
debug1: control_persist_detach: backgrounding master process
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: id
debug1: multiplexing control connection
debug1: channel 1: new [mux-control]
debug1: channel 2: new [client-session]
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /Users/jc/.ssh/known_hosts for [127.0.0.1]:22222 / (none)
debug1: client_input_hostkeys: searching /Users/jc/.ssh/known_hosts2 for [127.0.0.1]:22222 / (none)
debug1: client_input_hostkeys: hostkeys file /Users/jc/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Sending environment.
debug1: channel 2: setting env LC_CTYPE = "UTF-8"
debug1: channel 2: setting env LC_TERMINAL = "iTerm2"
debug1: channel 2: setting env LC_TERMINAL_VERSION = "3.4.15"
debug1: mux_client_request_session: master session id: 2
Linux passbolt-pro 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
********************************************************************************

SSL
===
Welcome to your passbolt installation.
SSL setup is encouraged to make the webinstaller process secure as there is
sensitive information exchanged.

To start the SSL setup process you can type:

dpkg-reconfigure passbolt-pro-server

Select NO to mysql configuration
Select YES to nginx configuration

Database
=========
This instance has created on boot mariadb random credentials for:

- root user
- passbolt user with access to passbolt database

You can access the above credentials on the file:

- /root/.mysql_credentials

Change them if required.

********************************************************************************
To delete this message of the day: rm -rf /etc/update-motd.d/99-passbolt
Last login: Mon Apr 25 14:52:01 2022 from 10.0.2.2
passbolt@passbolt-pro:~$

Best,

3

Hi JC. Heres my debug output.

chrisl@MacBook-Pro ~ % ssh passbolt@xxx.xxx.xxx.228 -v
OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to xxx.xxx.xxx.228 [xxx.xxx.xxx.228] port 22.
debug1: Connection established.
debug1: identity file /Users/chrisl/.ssh/id_rsa type 0
debug1: identity file /Users/chrisl/.ssh/id_rsa-cert type -1
debug1: identity file /Users/chrisl/.ssh/id_dsa type -1
debug1: identity file /Users/chrisl/.ssh/id_dsa-cert type -1
debug1: identity file /Users/chrisl/.ssh/id_ecdsa type -1
debug1: identity file /Users/chrisl/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/chrisl/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/chrisl/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/chrisl/.ssh/id_ed25519 type 3
debug1: identity file /Users/chrisl/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/chrisl/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/chrisl/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/chrisl/.ssh/id_xmss type -1
debug1: identity file /Users/chrisl/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: compat_banner: match: OpenSSH_7.2 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to xxx.xxx.xxx.228:22 as 'passbolt'
debug1: load_hostkeys: fopen /Users/chrisl/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:AwRR4xjeqtocgPlGld6SBmTXjcJosIubjg8r3XihUN0
debug1: load_hostkeys: fopen /Users/chrisl/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xxx.xxx.xxx.228' is known and matches the ED25519 host key.
debug1: Found key in /Users/chrisl/.ssh/known_hosts:6
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /Users/chrisl/.ssh/id_rsa RSA SHA256:9q/jHQFHcesnxMkcUW5WpUYn6ud7E886cUaoR0tkqG0
debug1: Will attempt key: /Users/chrisl/.ssh/id_dsa 
debug1: Will attempt key: /Users/chrisl/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/chrisl/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/chrisl/.ssh/id_ed25519 ED25519 SHA256:3+IppErUWYW654MwYvWAGZlAZYcKyLmiQjfp6CUCGvo
debug1: Will attempt key: /Users/chrisl/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/chrisl/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/chrisl/.ssh/id_rsa RSA SHA256:9q/jHQFHcesnxMkcUW5WpUYn6ud7E886cUaoR0tkqG0
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Trying private key: /Users/chrisl/.ssh/id_dsa
debug1: Trying private key: /Users/chrisl/.ssh/id_ecdsa
debug1: Trying private key: /Users/chrisl/.ssh/id_ecdsa_sk
debug1: Offering public key: /Users/chrisl/.ssh/id_ed25519 ED25519 SHA256:3+IppErUWYW654MwYvWAGZlAZYcKyLmiQjfp6CUCGvo
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Trying private key: /Users/chrisl/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/chrisl/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: password
passbolt@xxx.xxx.xxx.228's password: 
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
Permission denied, please try again.
passbolt@xxx.xxx.xxx.228's password: 
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
Permission denied, please try again.
passbolt@xxx.xxx.xxx.228's password: 
Received disconnect from xxx.xxx.xxx.228 port 22:2: Too many authentication failures
Disconnected from xxx.xxx.xxx.228 port 22

I used the creds from the help page. :slight_smile:
Thanks Chris.

4

Is it a new passbolt server created with our latest image, or an old OVA image where credentials might have been changed ?

Our OVA uses Debian as base system. Latest OVA uses Debian 11 with openssh 8.4 as you can see in my debugging output:

In yours, the remote ssh version is 7.2, who is not provided in Debian since a while.
Debian 9 is using SSH 7.4 and Debian 10 SSH 7.9.

So I guess you are not trying to connect to the correct server.

Best,

5

Very strange. It’s the newest OVA.
Do you know if I can check if this is the key on the server:

debug1: Server host key: ssh-ed25519 SHA256:AwRR4xjeqtocgPlGld6SBmTXjcJosIubjg8r3XihUN0

Thanks Chris

6

My fault - I am using this image on a hyper-v server and the vm was connected to the wrong network. It works now. Thanks for pointing me to the solutions :slight_smile:

7

Cool, thank you for the feedback :+1: