[ZBX-17301] Zabbix ssh.run authentication method issue Created: 2020 Feb 11  Updated: 2020 Jun 12  Resolved: 2020 Jun 12

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Proxy (P), Server (S)
Affects Version/s: 4.4.5
Fix Version/s: None

Type: Problem report Priority: Trivial
Reporter: Scott Nursten Assignee: Edgar Akhmetshin
Resolution: Incomplete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

CentOS Linux release 7.7.1908 (Core)
zabbix_proxy (Zabbix) 4.4.5
libssh2-1.8.0-3.el7.x86_64


Issue Links:
Sub-task
part of ZBX-17417 ssh.run with Server/Proxy linked to l... Closed

 Description   

Steps to reproduce:

  1. Enable password authentication on ssh server
  2. 17708:20200211:161135.672 ssh_run() supported authentication methods:'publickey,password'
  3. ssh_run() works fine
  4. Disable password auth on ssh server (pubkey only)
  5. 17118:20200211:154935.628 ssh_run() supported authentication methods:'publickey'
     17118:20200211:154935.631 End of ssh_run():NOTSUPPORTED
     17118:20200211:154935.631 Item [www1.stride.ws:ssh.run[apache procs]] error: Public key authentication failed: Invalid signature for supplied public key, or bad username/public key combination

Result:
Can't log in with pubkey when ONLY pubkey allowed (auth_pw & 4)

Can log in with pubkey when pubkey & password allowed (auth_pw & 1) - even though no password set and using pubkey auth

Expected:
Can log in with pubkey when ONLY pubkey allowed (auth_pw & 4)

Can log in with pubkey when pubkey & password allowed (auth_pw & 1) - even though no password set and using pubkey auth



 Comments   
Comment by Edgar Akhmetshin [ 2020 Feb 12 ]

Hello Scott,

To use key-based authentication for SSH items, changes to the Server/Proxy configuration are required.
You need to set the SSHKeyLocation= option with the correct full path to a folder where the public and private keys will be located, for example:

SSHKeyLocation=/home/zabbix/.ssh

Regards,
Edgar

Comment by Scott Nursten [ 2020 Feb 13 ]

That had been done. Like I said, the key-based authentication works but ONLY when I enable password logins on the ssh server. If I disable the ability to use passwords, Zabbix can no longer log in - even though it's using keys and I never enter a password. The problem is clearly here:

https://github.com/zabbix/zabbix/blob/master/src/zabbix_server/poller/checks_ssh.c

If you look at lines 122 -> 228, you will see that there is a clear flaw in the logic ... if password is available as an authentication method it does the following to connect:

libssh2_userauth_password(session, item->username, item->password)

If you have the keys etc. configured correctly (with no passphrase set and no password set) it connects fine.

If, on the server, password is not available as an auth method, then it uses

libssh2_userauth_publickey_fromfile (line 208).

When it uses this method, even though everything works fine on the command line or when password is enabled as an auth method, you get the following error:

[host:ssh.run[apache procs]] error: Public key authentication failed: Invalid signature for supplied public key, or bad username/public key combination

as per line 214 in the code. So, for some reason, libssh2_userauth_publickey_fromfile is failing even though it works fine on the CLI.

I believe if you carry out the testing that I have, you will get the same result....

Comment by Edgar Akhmetshin [ 2020 Feb 13 ]

Hello Scott,

Please provide the SSH server version used and its configuration file, and also the key type used (rsa, dsa, ecdsa, etc.).

Regards,
Edgar

Comment by Scott Nursten [ 2020 Feb 14 ]

Hi Edgar,

openssh-server-7.4p1-21.73.amzn1.x86_64

----sshd_config----

ChallengeResponseAuthentication yes
UsePAM yes
AuthorizedKeysFile     .ssh/authorized_keys
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
SyslogFacility AUTHPRIV
X11Forwarding yes
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 10
UsePrivilegeSeparation sandbox		# Default for new installations.
ClientAliveCountMax 3
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp	/usr/libexec/openssh/sftp-server
----sshd_config----

rsa keys. 

With thanks
Scott

Comment by Edgar Akhmetshin [ 2020 Mar 02 ]

Hello Scott,

Tested 4.0.18 and 4.4.6 with the following sshd configuration file on CentOS7 (only pubkey example):

HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms [email protected]
Ciphers [email protected]
MACs [email protected]

GSSAPIAuthentication no
UsePrivilegeSeparation sandbox

UseDNS no
UsePAM yes
PrintMotd no
Compression no
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys

Currently no issues found from the Zabbix side; please check your SSH keys and the location used for them.

Regards,
Edgar
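
The two sshd_config files quoted in this thread differ in their AuthenticationMethods line (publickey,keyboard-interactive versus publickey); per sshd_config(5), comma-separated methods must all succeed in order, while space-separated lists are alternatives. The following is an added example, not Zabbix or libssh2 code, that parses the directive and reports whether a key-only client can complete a login. Function names are hypothetical and the two config excerpts are constructed from the lines quoted above.

```python
"""Check whether a key-only SSH client can satisfy sshd's AuthenticationMethods."""

# Constructed excerpts: the relevant lines of the two sshd_config files in the thread.
REPORTER_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""
TESTER_CONFIG = """\
PasswordAuthentication no
AuthenticationMethods publickey
"""


def parse_authentication_methods(config_text):
    """Return the required chains, e.g. [['publickey', 'keyboard-interactive']].

    An empty list means the directive is absent or 'any' (no chain enforced).
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split(None, 1)
        # Keywords are case-insensitive; the first occurrence is the one used.
        if len(parts) == 2 and parts[0].lower() == "authenticationmethods":
            if parts[1].strip().lower() == "any":
                return []
            # Spaces separate alternative chains; commas chain required methods.
            # A ":suffix" (keyboard-interactive:pam) only narrows the method.
            return [[m.split(":", 1)[0] for m in chain.split(",")]
                    for chain in parts[1].split()]
    return []


def initially_advertised(chains):
    """Methods offered before any step has succeeded: the head of each chain."""
    return sorted({chain[0] for chain in chains})


def can_complete(chains, client_methods):
    """True if the client can perform every method of at least one chain."""
    if not chains:
        return True  # AuthenticationMethods imposes no chain
    return any(all(m in client_methods for m in chain) for chain in chains)


def report(config_text, client_methods=frozenset({"publickey"})):
    """Return (methods offered first, whether the given client can finish)."""
    chains = parse_authentication_methods(config_text)
    return initially_advertised(chains), can_complete(chains, client_methods)
```

On a live host, `sshd -T` prints the effective authenticationmethods value, which can be fed to the same parser.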

Comment by Edgar Akhmetshin [ 2020 Mar 24 ]

Could you also please provide output from the following command from Zabbix Server:

nmap --script ssh2-enum-algos -sV -p 22 <host_name_or_ip_address>

Regards,
Edgar
