SSH access with keys but not with password #32

Open
rica01 opened this issue Sep 21, 2016 · 1 comment


rica01 commented Sep 21, 2016

Hello.

I am trying to set up a cluster configuration using pen in order to bypass a server and log users in directly on the servers beyond it:


                    +-----login-0
                    |
surtr------meta-----+
                    |
                    +-----login-1

Surtr is my firewall. Meta is the one I want to bypass, and login-x are the ones where the users should land.

Pen is installed on meta and works, but only if I use my ssh-rsa keys from the client computer from which I want to connect.

This, although secure, does not work for us, since we need to be sure our users can log in from any computer, not just the ones with their keys.

What can I do? Any help would be welcomed!

Thanks everyone.

-Ricardo
CNCA
[email protected]

Owner

UlricE commented Sep 27, 2016

SSH through Pen with password authentication certainly works; it has been used that way for many years in several places that I am aware of without a problem. If you use the -v option to ssh, it should tell you why it fails.

One snag that may catch you is that if the backend servers have different host keys, ssh will complain. Example:

```
    .---------.
    | debtest |
    `---------´
         |.1
------------------- 192.168.1.0/24
         |.2
     .-------.
     | test1 |
     `-------´
         |.1
------------------- 192.168.2.0/24
    |.2       |.3
.-------. .-------.
| test3 | | test4 |
`-------´ `-------´
```

On test1:

```
pen -rdf 2222 192.168.2.2:22 192.168.2.3:22
```

On debtest:

```
ulric@debtest:~/Git/pen$ ssh -p 2222 test1
ulric@test1's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Thu Sep 22 14:50:53 2016 from 192.168.2.1
ulric@test4:~$ logout
Connection to test1 closed.
ulric@debtest:~/Git/pen$ ssh -p 2222 test1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
ac:80:f9:35:7b:28:7a:73:12:48:6c:f7:b4:be:89:79.
Please contact your system administrator.
Add correct host key in /home/ulric/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/ulric/.ssh/known_hosts:51
  remove with: ssh-keygen -f "/home/ulric/.ssh/known_hosts" -R [test1]:2222
ECDSA host key for [test1]:2222 has changed and you have requested strict checking.
Host key verification failed.
```

So that doesn't work, because the hosts have different host keys.
Make sure the host keys are identical, then restart the ssh service on test3 and test4.

```
ulric@debtest:~/Git/pen$ ssh -p 2222 test1
Warning: Permanently added the ECDSA host key for IP address '[192.168.1.2]:2222' to the list of known hosts.
ulric@test1's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Thu Sep 22 14:59:22 2016 from 192.168.2.1
ulric@test4:~$ logout
Connection to test1 closed.
ulric@debtest:~/Git/pen$ ssh -p 2222 test1
ulric@test1's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Thu Sep 22 14:55:47 2016 from 192.168.2.1
ulric@test3:~$
```

Success.
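
The condition described in the comment above (every backend behind one pen listener must present the same host key) can be checked before users hit the warning. This is an added example, not part of the original thread or the pen project; the function name `host_keys_consistent` and the sample key strings are constructed, and the input is assumed to be `ssh-keyscan`-style lines.

```shell
#!/bin/sh
# Added example (not from the pen project): verify that all backends behind one
# pen listener present identical SSH host keys. Input on stdin is ssh-keyscan
# style output: "<host> <keytype> <base64-key>".
# On a live network (assumption): ssh-keyscan 192.168.2.2 192.168.2.3 | host_keys_consistent

host_keys_consistent() {
    awk '
        /^#/ || NF < 3 { next }              # skip banner comments and short lines
        {
            host = $1; type = $2; key = $3
            if (!(host in hosts)) { hosts[host] = 1; nhosts++ }
            if (!((type, host) in offered)) { offered[type, host] = 1; noffer[type]++ }
            if (!((type, key) in seen)) { seen[type, key] = 1; nkeys[type]++ }
        }
        END {
            bad = 0
            for (t in nkeys) {
                if (nkeys[t] > 1) {          # same key type, different key material
                    printf "MISMATCH %s: %d distinct keys\n", t, nkeys[t]; bad = 1
                }
                if (noffer[t] < nhosts) {    # key type present on only some backends
                    printf "MISSING %s: offered by %d of %d hosts\n", t, noffer[t], nhosts; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: test3 and test4 share the ECDSA key but differ on ed25519.
if host_keys_consistent <<'EOF'
192.168.2.2 ecdsa-sha2-nistp256 AAAAE2VjZHNhCONSTRUCTEDKEYSHARED=
192.168.2.3 ecdsa-sha2-nistp256 AAAAE2VjZHNhCONSTRUCTEDKEYSHARED=
192.168.2.2 ssh-ed25519 AAAAC3NzaCONSTRUCTEDKEYTEST3
192.168.2.3 ssh-ed25519 AAAAC3NzaCONSTRUCTEDKEYTEST4
EOF
then
    echo "host keys consistent across backends"
else
    echo "fix host keys before load-balancing SSH through pen"
fi
```

A non-zero return means at least one key type would trigger the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning for clients that land on a different backend.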
