Is it possible to implement reverse proxy SSH in Caddy(ngrok/Kadeessh)

Thank you for your reply. In principle, adding the content of id_rsa.pub to .ssh/authorized_keys and logging in successfully through port 22 indicates that the configuration information is set correctly.

For the convenience of testing, this caddy server opened ports 22 and 8433 (caddy’s external port, it will go to http-6433 and ssh-2022).

After testing, it is possible to log in directly through port 22, but not through 8433.

This shows that kadeessh does not use the .ssh/authorized_keys configuration, so what does it read? Is there any way to debug and know the complete process?

It definitely reads it. Kadeessh looks up the user’s $HOME, looks for .ssh/authorized_keys file in it, loads it, and compares the keys.

Are you sure the user caddyssh exists with that name?
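The lookup described above (read the OS user's $HOME/.ssh/authorized_keys, parse it, compare each entry with the key the client presented) as an added Python example. This is not Kadeessh's code and not sshd's; it reimplements the file format rules (comment lines, an optional leading options field that may contain quoted spaces, a base64 blob whose embedded key type must agree with the declared type) and the two permission checks that most often make a server "not read" the file: a group- or world-writable file is refused, as sshd's StrictModes does, and a file the server process cannot read raises an error instead of silently failing authentication. The key material is constructed filler in valid wire format, not real keys.

```python
import base64
import hmac
import os
import stat
import struct
import tempfile
from dataclasses import dataclass

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


@dataclass
class AuthorizedKey:
    options: str
    key_type: str
    blob: bytes      # decoded public key in SSH wire format
    comment: str


def split_options(line: str):
    """Split off a leading options field. sshd ends it at the first unquoted
    whitespace, so an option such as command="..." may contain spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes:
            i += 2          # skip the escaped character
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            break
        i += 1
    return line[:i], line[i:].strip()


def parse_authorized_keys(text: str):
    """Return the valid entries, skipping blank lines, comments, unknown key
    types, and entries whose declared type differs from the type embedded in
    the blob (sshd rejects those as well)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue
        key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
        try:
            blob = base64.b64decode(parts[1], validate=True)
            (length,) = struct.unpack_from(">I", blob, 0)
            embedded = blob[4:4 + length].decode("ascii", "replace")
        except (ValueError, struct.error):
            continue
        if embedded != key_type:
            continue
        entries.append(AuthorizedKey(options, key_type, blob, comment))
    return entries


def key_matches(entry: AuthorizedKey, key_type: str, blob: bytes) -> bool:
    """Constant-time comparison of the presented key with one entry."""
    return entry.key_type == key_type and hmac.compare_digest(entry.blob, blob)


def find_authorized_key(path: str, key_type: str, blob: bytes):
    """Return the matching entry or None. Refuse a group/world-writable file
    (sshd's StrictModes rule) and fail loudly when this process cannot read
    the file, e.g. a 0600 file owned by a different user than the server."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is group/world writable")
    if not os.access(path, os.R_OK):
        raise PermissionError(f"{path} is not readable by this process")
    with open(path, encoding="utf-8") as fh:
        entries = parse_authorized_keys(fh.read())
    return next((e for e in entries if key_matches(e, key_type, blob)), None)


# Constructed sample keys: filler bytes in valid wire format, not real keys.
LAPTOP_KEY = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
OTHER_KEY = ssh_string(b"ssh-ed25519") + ssh_string(b"\x02" * 32)


def demo():
    """Write a constructed authorized_keys file with mode 0600 and query it."""
    def b64(key):
        return base64.b64encode(key).decode()
    text = "\n".join([
        "# keys for the caddyssh account (constructed example)",
        f'command="echo hi",no-pty ssh-ed25519 {b64(LAPTOP_KEY)} laptop',
        f"ssh-rsa {b64(OTHER_KEY)} mismatched-type",   # rejected: blob says ed25519
    ])
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "authorized_keys")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, 0o600)
        return {
            "entries": len(parse_authorized_keys(text)),
            "laptop": find_authorized_key(path, "ssh-ed25519", LAPTOP_KEY),
            "other": find_authorized_key(path, "ssh-ed25519", OTHER_KEY),
            "wrong_type": find_authorized_key(path, "ssh-rsa", LAPTOP_KEY),
        }
```

The permission checks are the part worth copying when debugging a "key is in the file but the server rejects it" report: a 0600 file is correct for sshd, which reads it as root or as the target user, but any daemon running under a different account will get EACCES on it, and a quiet "no match" is easy to confuse with a parsing problem.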

But this is difficult to explain. Users using caddyssh can log in through the ordinary ssh port, but cannot pass Kadeessh. In other words, kadeessh and sshd both log in as “caddyssh” and use /home/caddyssh/.ssh/authorized_keys. Is there any debugging method to find out whether it has read this file?

I’ve just pushed a branch with extra logging for the authentication parsing and key-matching. You can use that branch --with github.com/kadeessh/kadeessh@extra-logging.

As I’m sifting through the code, I realized there might be an access issue preventing Kadeessh from accessing the authorized_keys file. What’s the file mode? Can you run ls -al /home/caddyssh/.ssh/authorized_keys?

P.S.: I truly appreciate your patience and am happy to receive feedback on struggles with Kadeessh :slight_smile: It’ll help me understand users’ struggles.

caddyssh@iZbp1fs:~/.config/caddy$ ls -al /home/caddyssh/.ssh/authorized_keys
-rw------- 1 caddyssh caddyssh 1184 Nov 29 09:44 /home/caddyssh/.ssh/authorized_keys

I tried adding +r to authorized_keys:

caddyssh@iZbp1fs:~/.config/caddy$ chmod +r /home/caddyssh/.ssh/authorized_keys
caddyssh@iZbp1fs:~/.config/caddy$ ls -al /home/caddyssh/.ssh/authorized_keys
-rw-r--r-- 1 caddyssh caddyssh 1184 Nov 29 09:44 /home/caddyssh/.ssh/authorized_keys

I used the extra-logging branch; the log looks like this:

2023/12/02 02:33:13.347 INFO    ssh.authentication.flows.public_key     authentication start    {"providers_count": 1, "remote_address": "127.0.0.1:32836", "username": "caddyssh", "key_type": "ssh-rsa"}
2023/12/02 02:33:13.348 INFO    ssh.authentication.flows.public_key     authentication successful       {"provider": "os", "user_id": "1001", "username": "caddyssh", "key_type": "ssh-rsa"}
2023/12/02 02:33:13.423 INFO    ssh.ask.pty.allow        asking for permission   {"session_id": "9a06004b9f4c16c192955b5ed3c15931206ece2d66fefba49f60d0b3fa1d5264", "local_address": "127.0.0.1:2020", "client_version": "SSH-2.0-JSCH", "user": "caddyssh", "terminal": "xterm"}
2023/12/02 02:33:13.423 INFO    ssh.tunnel_server       session ended   {"user": "caddyssh", "remote_ip": "127.0.0.1:32836", "session_id": "9a06004b9f4c16c192955b5ed3c15931206ece2d66fefba49f60d0b3fa1d5264"}

It looks like the authentication is OK, but the permission is not OK.

This is my config:

.....
    },
    "ssh": {
      "grace_period": "2s",
      "servers": {
        "tunnel_server": {
          "address": "tcp/127.0.0.1:2020",
          "pty": {
            "pty": "allow"
          },
          "configs": [
            {
              "config": {
                "loader": "provided",
                "signer": {
                  "module": "fallback"
                },
                "authentication": {
                  "public_key": {
                    "providers": {
                      "os": {}
                    }
                  }
                }
              }
            }
          ],
          "localforward": {
            "forward": "allow"
          }
        }
      }
    }
  }

Is it possible to record the contents of the key sent by the client, so we can learn more? I found that using ssh -J with the -i parameter to log in did not pass authentication, but using the ssh client could pass authentication (though it was still unable to log in).

This is my ssh command’s log:

INFO    ssh.authentication.flows.public_key     authentication start    {"providers_count": 1, "remote_address": "127.0.0.1:52782", "username": "caddyssh", "key_type": "ssh-rsa"}
2023/12/02 02:58:34.325 INFO    ssh.authentication.flows.public_key     authentication failed   {"provider": "os", "username": "caddyssh", "key_type": "ssh-rsa"}
2023/12/02 02:58:34.325 WARN    ssh.authentication.flows.public_key     invalid credentials     {"username": "caddyssh", "key_type": "ssh-rsa"}

And this is the ssh client’s log:

2023/12/02 03:03:00.098 INFO    ssh.authentication.flows.public_key     authentication start    {"providers_count": 1, "remote_address": "127.0.0.1:58266", "username": "caddyssh", "key_type": "ssh-rsa"}
2023/12/02 03:03:00.098 INFO    ssh.authentication.flows.public_key     authentication successful       {"provider": "os", "user_id": "1001", "username": "caddyssh", "key_type": "ssh-rsa"}
2023/12/02 03:03:00.177 INFO    ssh.ask.pty.allow       asking for permission   {"session_id": "8c1ae701ea15ff59d0634538cc5cf33e077e1fd9b277a78aa531ed108768702e", "local_address": "127.0.0.1:2020", "client_version": "SSH-2.0-JSCH_FinalShell_257", "user": "caddyssh", "terminal": "xterm"}
2023/12/02 03:03:00.177 INFO    ssh.tunnel_server       session ended   {"user": "caddyssh", "remote_ip": "127.0.0.1:58266", "session_id": "8c1ae701ea15ff59d0634538cc5cf33e077e1fd9b277a78aa531ed108768702e"}

So I want to know what key file content I use for caddy.

You can add -vvv to your ssh command.

That said, are both servers/users (caddyssh on jumpsrv01 and richardson on destsrv01) using the same ssh key?

Using -vvv, I can see it uses another key file.

The key to the problem is how to log in correctly after successful authentication. If I just don’t use the jump method, it can log in correctly, with the complete process.

This is the root of your problem. Why is your SSH client using another key? Either the ssh client you’re using is misbehaving or there’s a misconfiguration. I’m not familiar with Jsch, so I’m not sure what could have gone wrong.

In fact, I no longer use the ssh client during the test, but only the ssh command on the Mac, and the problem is still the same. It is strange that the -J parameter is no longer expected. The current demand is simply to achieve this effect, and also to access port 8433, which can be used for ssh login or http access.

What do you mean? If you’re establishing a jump connection, it’s always expected. If we have the full information in this thread, then this command should work correctly:

ssh -i (client's id_rsa) -J caddyssh@jumpsrv01:8443 richardson@destsrv01:22

If you’re using a different key for the jumpsrv01 server than for the destsrv01 server, then you will have to customize your ~/.ssh/config on your client machine; see the answer here:
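The ~/.ssh/config customization this reply points at, as an added Python example that is neither OpenSSH's code nor anything from this thread. It embeds a constructed client config (host aliases, the port and the key paths are illustrative) that gives the Kadeessh jump host one key and the destination another, and reimplements the two ssh_config resolution rules that decide which key each hop offers: for scalar options such as User, Port and ProxyJump the first matching Host block wins, so specific blocks must precede `Host *`, while IdentityFile is cumulative across every matching block. `hop_chain` then follows ProxyJump the way `ssh -J` does, resolving each hop under its own alias, which is where a wrong key for the jump hop shows up.

```python
import fnmatch
import re

# Constructed client config (aliases, port and key paths are illustrative):
# one key for the Kadeessh jump host, a different one for the box behind it.
SAMPLE_SSH_CONFIG = """
Host jumpsrv01
    Port 8443
    User caddyssh
    IdentityFile ~/.ssh/id_jump
    IdentitiesOnly yes

Host destsrv01
    User richardson
    ProxyJump jumpsrv01
    IdentityFile ~/.ssh/id_dest
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/id_rsa
"""

# IdentityFile accumulates across matching blocks; every other option keeps
# the first value obtained, which is why specific Host blocks go first.
CUMULATIVE = {"identityfile"}


def host_matches(patterns, host: str) -> bool:
    """Host takes space-separated globs; a '!' pattern that matches excludes
    the block even when another pattern in the same list matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(config_text: str, host: str) -> dict:
    """Options ssh would apply to `host` (keys lower-cased). Lines before the
    first Host block apply to every host; Match blocks are not modelled."""
    result, active = {}, True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False
        elif active and key in CUMULATIVE:
            result.setdefault(key, []).append(value)
        elif active:
            result.setdefault(key, value)        # first obtained value wins
    return result


def hop_chain(config_text: str, target: str):
    """Follow ProxyJump the way ssh -J does: each hop is a separate ssh
    connection resolved against the config under its own alias. Returns
    (alias, user, identity files) per hop, jump host first."""
    chain, seen = [], set()
    while target and target not in seen:      # `seen` guards against loops
        seen.add(target)
        opts = resolve(config_text, target)
        chain.append((target, opts.get("user"), opts.get("identityfile", [])))
        spec = opts.get("proxyjump")
        # ProxyJump may read user@host:port; only the host part selects a block
        target = spec.rsplit("@", 1)[-1].split(":", 1)[0] if spec else None
    chain.reverse()
    return chain
```

Two points the resolved chain makes visible: `Host *` adds ~/.ssh/id_rsa to both hops' identity lists, so the jump hop tries id_jump and then id_rsa in that order, and without `IdentitiesOnly yes` ssh would additionally offer whatever keys an agent holds, which is one way a client ends up presenting a key the server has never seen. When no IdentityFile is configured at all, ssh falls back to its default ~/.ssh/id_* files.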
