[GTALUG] Network issues with github

Alex Beamish talexb at gmail.com
Sun Nov 29 22:59:25 EST 2020


On Sat, Nov 28, 2020 at 11:19 PM Giles Orr via talk <talk at gtalug.org> wrote:

> Hi Alex.
>
> On Sat, 28 Nov 2020 at 16:50, Alex Beamish via talk <talk at gtalug.org>
> wrote:
> >
> > Hi All,
> >
> > This is probably a blindingly obvious question, but I'm a little
> > stumped. I've done a little work for a local business, setting up a Linux
> > server (Ubuntu), developing some code and pushing it to github. It's all
> > worked wonderfully until a few weeks ago, when he had someone in to do
> > something to the network. Since then, Things Are Broken in ways that I
> > don't understand.
> >
> > When I try to do anything with github, I see the response
> >
> >   Received disconnect from 140.82.113.3 port 22:2: Connection blocked because server only allows public key authentication. Please contact your network administrator.
> >
> > Because I was worried I'd borked my account, this afternoon I tried
> > again, creating a brand-new account and ssh-ing in .. and still got the
> > same result.
> >
> > My github account works fine from my own machine, and also from my web
> > provider (pair.com), so I'm guessing there's something going on within my
> > client's network. Suggestions gratefully received.
>
> I apologize if this is something you've already looked at, but the #1
> Google hit for "Connection blocked because server only allows public
> key authentication" does look relevant:
>
>
> https://superuser.com/questions/1466177/connection-blocked-because-server-only-allows-public-key-authentication-putty-f


Giles, Hugh,

Thank you both for your responses. I am beginning to suspect that there is
some network thing that's breaking ssh.

From my own machine, the result of ssh -vT git@github.com looks like this:
it works fine.

OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/tab/.ssh/config
debug1: /home/tab/.ssh/config line 22: Applying options for *
debug1: /home/tab/.ssh/config line 338: Applying options for *
debug1: /home/tab/.ssh/config line 339: Deprecated option "useroaming"
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf
matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to github.com [140.82.113.3] port 22.
debug1: Connection established.
debug1: identity file /home/tab/.ssh/id_rsa type -1
debug1: identity file /home/tab/.ssh/id_rsa-cert type -1
debug1: identity file /home/tab/.ssh/id_dsa type -1
debug1: identity file /home/tab/.ssh/id_dsa-cert type -1
debug1: identity file /home/tab/.ssh/id_ecdsa type -1
debug1: identity file /home/tab/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tab/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/tab/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/tab/.ssh/id_ed25519 type -1
debug1: identity file /home/tab/.ssh/id_ed25519-cert type -1
debug1: identity file /home/tab/.ssh/id_ed25519_sk type -1
debug1: identity file /home/tab/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/tab/.ssh/id_xmss type -1
debug1: identity file /home/tab/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version babeld-b85a2946
debug1: no match: babeld-b85a2946
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa
SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/tab/.ssh/known_hosts:3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/tab/.ssh/music2012 RSA
SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent
debug1: Will attempt key: /home/tab/.ssh/id_rsa
debug1: Will attempt key: /home/tab/.ssh/id_dsa
debug1: Will attempt key: /home/tab/.ssh/id_ecdsa
debug1: Will attempt key: /home/tab/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/tab/.ssh/id_ed25519
debug1: Will attempt key: /home/tab/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/tab/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tab/.ssh/music2012 RSA
SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent
debug1: Server accepts key: /home/tab/.ssh/music2012 RSA
SHA256:JzHBQSQHReaDXiXIEO4W3QtW/cqqoab6xuWt2V4eP30 agent
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([140.82.113.3]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = en_CA.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi talexb! You've successfully authenticated, but GitHub does not provide
shell access.
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2856, received 2468 bytes, in 0.1 seconds
Bytes per second: sent 26439.1, received 22847.2
debug1: Exit status 1

I have 'ForwardAgent yes' in my ~/.ssh/config, so when I ssh to my client's
machine, my authentication comes with me. But on that machine, the response
to the same test is now different than it was three weeks ago:

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/web/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [140.82.112.4] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/web/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version babeld-b85a2946
debug1: no match: babeld-b85a2946
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa
SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for github.com has changed,
and the key for the corresponding IP address 140.82.112.4
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA.
Please contact your system administrator.
Add correct host key in /home/web/.ssh/known_hosts to get rid of this
message.
Offending RSA key in /home/web/.ssh/known_hosts:10
  remove with:
  ssh-keygen -f "/home/web/.ssh/known_hosts" -R "github.com"
RSA host key for github.com has changed and you have requested strict
checking.
Host key verification failed.

To make sure that my account wasn't broken in some other way, this weekend
I created another brand new account on my client's machine and tried the
same test command -- I got the same result.

I also tried ssh'ing to my web provider (pair.com) and then tried the same
test command -- and got pretty much the same good response I got from my
local machine. This tells me that my keys and my github account are working
fine -- it's just something on my client's network that is interfering with
the traffic.

Because I know enough about ssh to get my job done, but not a lot more, I
wanted to confirm I wasn't missing something really obvious, some config
file switch that needed changing. Again, thank you all for your patience
with me on this.

Cheers,

Alex

-- 
Alex Beamish

Software Developer / https://ca.linkedin.com/in/alex-beamish-5111ba3
Speaker Wrangler / Toronto Perlmongers / http://to.pm.org/
Chair, Sponsorship Committee, TPF / https://www.perlfoundation.org/
Baritone, Operations Manager / Toronto Northern Lights, 2013 Champions /
www.northernlightschorus.com
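
Added example (not part of the original message): the two sessions above differ at the "Server host key" line, so the check below pulls that fingerprint out of ssh -v output and compares it to a pinned value. The function names are hypothetical, and the pin is the fingerprint from the working session quoted above; replace it with the one the service currently publishes, obtained over a trusted path.

```shell
#!/bin/sh
# Added example: compare the host key fingerprint seen in `ssh -v` output
# against a pinned value. Function names are hypothetical.

# Assumption: fingerprint copied from the working session in the message.
PINNED='SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8'

# Print the fingerprint from the "Server host key:" debug line on stdin.
# Handles the normal one-line form and the mail-wrapped two-line form.
offered_fingerprint() {
    awk '
        want && /^SHA256:/ { print $1; exit }
        { want = 0 }
        /debug1: Server host key:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SHA256:/) { print $i; exit }
            want = 1    # fingerprint may be on the next line
        }
    '
}

# Usage: ssh -vT git@github.com 2>&1 | check_host_key "$PINNED"
# Returns 0 on match, 1 on mismatch, 2 if no host key line was seen.
check_host_key() {
    offered=$(offered_fingerprint)
    if [ -z "$offered" ]; then
        echo "no 'Server host key' line found" >&2
        return 2
    fi
    if [ "$offered" = "$1" ]; then
        echo "match: $offered"
        return 0
    fi
    echo "MISMATCH: offered $offered, pinned $1" >&2
    return 1
}

# Demo on the host key line from the failing session quoted in the message.
check_host_key "$PINNED" <<'EOF' || true
debug1: Server host key: ssh-rsa SHA256:CJ1i1swJd0SjXdfpoh7CCQrmOp04K4zor8rYP1NlegA
EOF
```

A mismatch from one network and a match from another, for the same hostname, points at the path rather than at the account or keys; leave the known_hosts entry in place until the difference is explained.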