[GH-ISSUE #401] SCP Failure - Error 255 #109

Open
opened 2026-05-07 00:19:04 +02:00 by BreizhHardware · 0 comments

Originally created by @KarlAustin on GitHub (Jun 30, 2023).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/401

Hi,

Having trouble with SCP. SSH via the bastion works fine.

```
BASTION_SCP_EXTRA_ARGS="-v" scp -P 2222 -S ~/.bastion/scp_helper1 -i ~/.ssh/id_ed25519 a-local-file username@10.99.1.1:/home/username
```

Results in:

```
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to bastion1.example.org [192.168.99.1] port 22.
debug1: Connection established.
debug1: identity file /home/localuser/.ssh/id_ed25519 type 3
debug1: identity file /home/localuser/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1
debug1: match: OpenSSH_8.9p1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bastion1.example.org:22 as 'KarlAustin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:nGDbyi2hY4u2nDQcfvA1JZhLX0a1d8umjx1LhUd0SqA
debug1: Host 'bastion1.example.org' is known and matches the ED25519 host key.
debug1: Found key in /home/localuser/.ssh/known_hosts:85
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/localuser/.ssh/id_ed25519 ED25519 SHA256:jXXd48b6FgW33arWYxN3ds7PbrY1flRJX+Aaph+7iQL explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
*------------------------------------------------------------------------------*
|THIS IS A PRIVATE COMPUTER SYSTEM, UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.|
|ALL CONNECTIONS ARE LOGGED. IF YOU ARE NOT AUTHORIZED, DISCONNECT NOW.        |
*------------------------------------------------------------------------------*
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/localuser/.ssh/id_ed25519 ED25519 SHA256:jXXd48b6FgW33arWYxN3ds7PbrY1flRJX+Aaph+7iQL explicit
debug1: Server accepts key: /home/localuser/.ssh/id_ed25519 ED25519 SHA256:jXXd48b6FgW33arWYxN3ds7PbrY1flRJX+Aaph+7iQL explicit
Enter passphrase for key '/home/localuser/.ssh/id_ed25519':
debug1: Authentication succeeded (publickey).
Authenticated to bastion1.example.org ([192.168.99.1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/bastionUser/.ssh/authorized_keys2:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/bastionUser/.ssh/authorized_keys2:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: Sending env LANG = C.UTF-8
debug1: Sending command: --user username --port 2222 --host 172.168.99.1 --osh scp --scp-cmd scp#-t#/home/username
>>> Hello bastionUser, transferring your file through the bastion to username@172.168.99.1:2222...
username@172.168.99.1: Permission denied (publickey).

Error launching transfer: Command exited with status 255
lost connection
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 2348, received 3308 bytes, in 0.8 seconds
Bytes per second: sent 2940.8, received 4143.2
debug1: Exit status 100
```

I can see by enabling debug logging in sshd on the server I am scp'ing to that the key is accepted:

```
Accepted key ED25519 SHA256:<hash> found at /home/username/.ssh/authorized_keys:1
```

I then see:

```
Postponed publickey for username from <bastion-ip> port 54364 ssh2 [preauth]
Connection closed by authenticating user username <bastion-ip> port 54364 [preauth]
```

What I never see is a prompt to decrypt the group ssh key for the group this server is in. So I'm guessing that's where the issue lies?

Is there a way to fix this?
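
The sshd lines quoted in the issue above, read as a pattern (an added example, not part of the original issue or of the-bastion's code): `Postponed publickey` followed by a `[preauth]` close on the same connection means the server found the offered public key acceptable but the client disconnected without sending a signature. The function name, verdict labels and sample log lines are constructed for illustration, with `192.0.2.10` standing in for `<bastion-ip>`.

```python
import re

# Standard OpenSSH server auth messages, keyed by the event they signal.
PATTERNS = (
    ("postponed", re.compile(r"Postponed publickey for (\S+) from (\S+) port (\d+)")),
    ("accepted", re.compile(r"Accepted publickey for (\S+) from (\S+) port (\d+)")),
    ("failed", re.compile(r"Failed publickey for (\S+) from (\S+) port (\d+)")),
    ("closed", re.compile(
        r"Connection closed by authenticating user (\S+) (\S+) port (\d+) \[preauth\]")),
)

# Constructed sample lines (hypothetical PIDs, ports and fingerprint).
SAMPLE_LOG = """\
sshd[4101]: Postponed publickey for username from 192.0.2.10 port 54364 ssh2 [preauth]
sshd[4101]: Connection closed by authenticating user username 192.0.2.10 port 54364 [preauth]
sshd[4188]: Postponed publickey for username from 192.0.2.10 port 54410 ssh2 [preauth]
sshd[4188]: Accepted publickey for username from 192.0.2.10 port 54410 ssh2: ED25519 SHA256:EXAMPLE
sshd[4230]: Connection closed by authenticating user username 192.0.2.10 port 54502 [preauth]
""".splitlines()


def classify_pubkey_attempts(lines):
    """Return {(user, ip, port): verdict} for every connection in the log."""
    state = {}
    for line in lines:
        for event, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            key = (m.group(1), m.group(2), int(m.group(3)))
            prev = state.get(key)
            if event == "postponed" and prev is None:
                state[key] = "postponed"          # key query OK, signature pending
            elif event == "accepted":
                state[key] = "authenticated"      # signature verified
            elif event == "failed":
                state[key] = "rejected"           # key or signature refused
            elif event == "closed" and prev == "postponed":
                # Server would have accepted the key; client never proved
                # possession of the private half before hanging up.
                state[key] = "key-acceptable-but-never-signed"
            elif event == "closed" and prev is None:
                state[key] = "closed-before-auth"
            break
    return state


if __name__ == "__main__":
    for conn, verdict in classify_pubkey_attempts(SAMPLE_LOG).items():
        print(conn, verdict)
```

A `key-acceptable-but-never-signed` verdict points the investigation at the connecting side's use of the private key rather than at `authorized_keys` on the target.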
