<div dir="ltr"><div dir="ltr">On Sat, Nov 28, 2020 at 11:19 PM Giles Orr via talk <<a href="mailto:talk@gtalug.org">talk@gtalug.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Alex.<br>
<br>
On Sat, 28 Nov 2020 at 16:50, Alex Beamish via talk <<a href="mailto:talk@gtalug.org" target="_blank">talk@gtalug.org</a>> wrote:<br>
><br>
> Hi All,<br>
><br>
> This is probably a blindingly obvious question, but I'm a little stumped. I've done a little work for local business, setting up a Linux server (Ubuntu), developing some code and pushing it to github. It's all worked wonderfully until a few weeks ago, when he had someone in to do something to the network. Since then, Things Are Broken in ways that I don't understand.<br>
><br>
> When I try to do anything with github, I see the response<br>
><br>
> Received disconnect from 140.82.113.3 port 22:2: Connection blocked because server only allows public key authentication. Please contact your network administrator.<br>
><br>
> Because I was worried I'd borked my account, this afternoon I tried again, creating a brand-new account and ssh-ing in .. and still got the same result.<br>
><br>
> My github account works fine from my own machine, and also from my web provider (<a href="http://pair.com" rel="noreferrer" target="_blank">pair.com</a>), so I'm guessing there's something going on within my client's network. Suggestions gratefully received.<br>
<br>
I apologize if this is something you've already looked at, but the #1<br>
Google hit for "Connection blocked because server only allows public<br>
key authentication" does look relevant:<br>
<br>
<a href="https://superuser.com/questions/1466177/connection-blocked-because-server-only-allows-public-key-authentication-putty-f" rel="noreferrer" target="_blank">https://superuser.com/questions/1466177/connection-blocked-because-server-only-allows-public-key-authentication-putty-f</a></blockquote><div><br></div><div>Giles, Hugh,</div><div><br></div><div>Thank you both for your responses. I am beginning to suspect that there is some network thing that's breaking ssh.</div><div><br></div><div>From my own machine, the result of ssh -vT <a href="mailto:git@github.com">git@github.com</a> looks like this: it works fine.</div><div><br></div><div>OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020<br>debug1: Reading configuration data /home/tab/.ssh/config<br>debug1: /home/tab/.ssh/config line 22: Applying options for *<br>debug1: /home/tab/.ssh/config line 338: Applying options for *<br>debug1: /home/tab/.ssh/config line 339: Deprecated option "useroaming"<br>debug1: Reading configuration data /etc/ssh/ssh_config<br>debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files<br>debug1: /etc/ssh/ssh_config line 21: Applying options for *<br>debug1: Connecting to <a href="http://github.com">github.com</a> [140.82.113.3] port 22.<br>debug1: Connection established.<br>debug1: identity file /home/tab/.ssh/id_rsa type -1<br>debug1: identity file /home/tab/.ssh/id_rsa-cert type -1<br>debug1: identity file /home/tab/.ssh/id_dsa type -1<br>debug1: identity file /home/tab/.ssh/id_dsa-cert type -1<br>debug1: identity file /home/tab/.ssh/id_ecdsa type -1<br>debug1: identity file /home/tab/.ssh/id_ecdsa-cert type -1<br>debug1: identity file /home/tab/.ssh/id_ecdsa_sk type -1<br>debug1: identity file /home/tab/.ssh/id_ecdsa_sk-cert type -1<br>debug1: identity file /home/tab/.ssh/id_ed25519 type -1<br>debug1: identity file /home/tab/.ssh/id_ed25519-cert type -1<br>debug1: identity file /home/tab/.ssh/id_ed25519_sk type -1<br>debug1: identity file /home/tab/.ssh/id_ed25519_sk-cert type -1<br>debug1: identity file /home/tab/.ssh/id_xmss type -1<br>debug1: identity file /home/tab/.ssh/id_xmss-cert type -1<br>debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1<br>debug1: Remote protocol version 2.0, remote software version babeld-b85a2946<br>debug1: no match: babeld-b85a2946<br>debug1: Authenticating to <a href="http://github.com:22">github.com:22</a> as 'git'<br>debug1: SSH2_MSG_KEXINIT sent<br>debug1: SSH2_MSG_KEXINIT received<br>debug1: kex: algorithm: curve25519-sha256<br>debug1: kex: host key algorithm: rsa-sha2-512<br>debug1: kex: server->client cipher: <a href="mailto:chacha20-poly1305@openssh.com">chacha20-poly1305@openssh.com</a> MAC: <implicit> compression: none<br>debug1: kex: client->server cipher: <a href="mailto:chacha20-poly1305@openssh.com">chacha20-poly1305@openssh.com</a> MAC: <implicit> compression: none<br>debug1: expecting SSH2_MSG_KEX_ECDH_REPLY<br>debug1: Server host key: ssh-rsa SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8<br>debug1: Host '<a href="http://github.com">github.com</a>' is known and matches the RSA host key.<br>debug1: Found key in /home/tab/.ssh/known_hosts:3<br>debug1: rekey out after 134217728 blocks<br>debug1: SSH2_MSG_NEWKEYS sent<br>debug1: expecting SSH2_MSG_NEWKEYS<br>debug1: SSH2_MSG_NEWKEYS received<br>debug1: rekey in after 134217728 blocks<br>debug1: Will attempt key: /home/tab/.ssh/music2012 RSA SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent<br>debug1: Will attempt key: /home/tab/.ssh/id_rsa <br>debug1: Will attempt key: /home/tab/.ssh/id_dsa <br>debug1: Will attempt key: /home/tab/.ssh/id_ecdsa <br>debug1: Will attempt key: /home/tab/.ssh/id_ecdsa_sk <br>debug1: Will attempt key: /home/tab/.ssh/id_ed25519 <br>debug1: Will attempt key: /home/tab/.ssh/id_ed25519_sk <br>debug1: Will attempt key: /home/tab/.ssh/id_xmss <br>debug1: SSH2_MSG_EXT_INFO received<br>debug1: kex_input_ext_info: server-sig-algs=<<a href="mailto:ssh-ed25519-cert-v01@openssh.com">ssh-ed25519-cert-v01@openssh.com</a>,<a href="mailto:ecdsa-sha2-nistp521-cert-v01@openssh.com">ecdsa-sha2-nistp521-cert-v01@openssh.com</a>,<a href="mailto:ecdsa-sha2-nistp384-cert-v01@openssh.com">ecdsa-sha2-nistp384-cert-v01@openssh.com</a>,<a href="mailto:ecdsa-sha2-nistp256-cert-v01@openssh.com">ecdsa-sha2-nistp256-cert-v01@openssh.com</a>,<a href="mailto:rsa-sha2-512-cert-v01@openssh.com">rsa-sha2-512-cert-v01@openssh.com</a>,<a href="mailto:rsa-sha2-256-cert-v01@openssh.com">rsa-sha2-256-cert-v01@openssh.com</a>,<a href="mailto:ssh-rsa-cert-v01@openssh.com">ssh-rsa-cert-v01@openssh.com</a>,<a href="mailto:ssh-dss-cert-v01@openssh.com">ssh-dss-cert-v01@openssh.com</a>,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss><br>debug1: SSH2_MSG_SERVICE_ACCEPT received<br>debug1: Authentications that can continue: publickey<br>debug1: Next authentication method: publickey<br>debug1: Offering public key: /home/tab/.ssh/music2012 RSA SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent<br>debug1: Server accepts key: /home/tab/.ssh/music2012 RSA SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent<br></div><div>debug1: Authentication succeeded (publickey).<br>Authenticated to <a href="http://github.com">github.com</a> ([140.82.113.3]:22).<br>debug1: channel 0: new [client-session]<br>debug1: Entering interactive session.<br>debug1: pledge: network<br>debug1: Requesting authentication agent forwarding.<br>debug1: Sending environment.<br>debug1: Sending env LANG = en_CA.UTF-8<br>debug1: client_input_channel_req: channel 0 rtype exit-status reply 0<br>Hi talexb! You've successfully authenticated, but GitHub does not provide shell access.<br>debug1: channel 0: free: client-session, nchannels 1<br>Transferred: sent 2856, received 2468 bytes, in 0.1 seconds<br>Bytes per second: sent 26439.1, received 22847.2<br>debug1: Exit status 1<br></div><div><br></div><div>I have 'ForwardAgent yes' in my ~/.ssh/config, so when I ssh to my client's machine, my authentication comes with me. But on that machine, the response to the same test is now different than it was three weeks ago:</div><div><br></div><div>OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017<br>debug1: Reading configuration data /home/web/.ssh/config<br>debug1: Reading configuration data /etc/ssh/ssh_config<br>debug1: /etc/ssh/ssh_config line 19: Applying options for *<br>debug1: Connecting to <a href="http://github.com">github.com</a> [140.82.112.4] port 22.<br>debug1: Connection established.<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_rsa type -1<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_rsa-cert type -1<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_dsa type -1<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_dsa-cert type -1<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_ecdsa type -1<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_ecdsa-cert type -1<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_ed25519 type -1<br>debug1: key_load_public: No such file or directory<br>debug1: identity file /home/web/.ssh/id_ed25519-cert type -1<br>debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3<br>debug1: Remote protocol version 2.0, remote software version babeld-b85a2946<br>debug1: no match: babeld-b85a2946<br>debug1: Authenticating to <a href="http://github.com:22">github.com:22</a> as 'git'<br>debug1: SSH2_MSG_KEXINIT sent<br>debug1: SSH2_MSG_KEXINIT received<br>debug1: kex: algorithm: curve25519-sha256<br>debug1: kex: host key algorithm: rsa-sha2-512<br>debug1: kex: server->client cipher: <a href="mailto:chacha20-poly1305@openssh.com">chacha20-poly1305@openssh.com</a> MAC: <implicit> compression: none<br>debug1: kex: client->server cipher: <a href="mailto:chacha20-poly1305@openssh.com">chacha20-poly1305@openssh.com</a> MAC: <implicit> compression: none<br>debug1: expecting SSH2_MSG_KEX_ECDH_REPLY<br>debug1: Server host key: ssh-rsa SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>The RSA host key for <a href="http://github.com">github.com</a> has changed,<br>and the key for the corresponding IP address 140.82.112.4<br>is unknown. This could either mean that<br>DNS SPOOFING is happening or the IP address for the host<br>and its host key have changed at the same time.<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @<br>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br>IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!<br>Someone could be eavesdropping on you right now (man-in-the-middle attack)!<br>It is also possible that a host key has just been changed.<br>The fingerprint for the RSA key sent by the remote host is<br>SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA.<br>Please contact your system administrator.<br>Add correct host key in /home/web/.ssh/known_hosts to get rid of this message.<br>Offending RSA key in /home/web/.ssh/known_hosts:10<br> remove with:<br> ssh-keygen -f "/home/web/.ssh/known_hosts" -R "<a href="http://github.com">github.com</a>"<br>RSA host key for <a href="http://github.com">github.com</a> has changed and you have requested strict checking.<br>Host key verification failed.<br></div><div><br></div><div>To make sure that my account wasn't broken in some other way, this weekend I created another brand new account on my client's machine and tried the same test command -- I got the same result.</div><div><br></div><div>I also tried ssh'ing to my web provider (<a href="http://pair.com">pair.com</a>) and then tried the same test command -- and got pretty much the same good response I got from my local machine. This tells me that my keys and my github account are working fine -- it's just something on my client's network that is interfering with the traffic.</div><div><br></div><div>Because I know enough about ssh to get my job done, but not a lot more, I wanted to confirm I wasn't missing something really obvious, some config file switch that needed changing. Again, thank you all for your patience with me on this.</div><div><br></div><div>Cheers,</div><div><br></div><div>Alex</div><div><br></div></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><font size="2">Alex Beamish</font></div><div dir="ltr"><font size="2"><br></font></div><div dir="ltr"><font size="2">Software Developer / <span style="background-color:rgb(246,246,246);color:rgb(51,51,51);font-family:helvetica,freesans,"liberation sans",helmet,arial,sans-serif"><a href="https://ca.linkedin.com/in/alex-beamish-5111ba3" target="_blank">https://ca.linkedin.com/in/alex-beamish-5111ba3</a></span><br></font></div><div><font size="2">Speaker Wrangler / Toronto Perlmongers / <a href="http://to.pm.org/" target="_blank">http://to.pm.org/</a></font></div><div>Chair, Sponsorship Committee, TPF / <a href="https://www.perlfoundation.org/" target="_blank">https://www.perlfoundation.org/</a></div><div dir="ltr"><font size="2">Baritone, Operations Manager / Toronto Northern Lights, 2013 Champions / <a href="http://www.northernlightschorus.com" target="_blank">www.northernlightschorus.com</a></font></div><div><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div>