ssh (and git) authentication issues on external port/ip (local ip works fine)

Question

I am trying to set up a git repository on a server machine that is remote-accessible over the internet.

I have succeeded in getting git working over local/internal IP addresses. Within local LAN, I have private-key-based authentication working for SSH (password logins disabled), and I can clone, push, and pull successfully using Git and SSH, e.g.;

ssh USER@192.168.1.xxx
[-> accepts public key, gives me a remote console prompt as "USER", etc]

git clone git+ssh://USER@192.168.1.xxx//gitdir/project.git
[-> creates a local clone as desired, commits and push work, no problems seemingly]

However, I am now trying to access this machine via an external/internet IP in the same way, and I don't understand the behavior it's giving me.

• I have enabled port forwarding on my router for port 22 to the server machine.
• I have opened port 22 in software on "UFW" on the server machine.

• As far as I can tell, I have no settings on my router, SSH configs, or UFW that would block any specific web address or otherwise cause problems on either my local machine or the server. The server should accept a connection from any external address accessing via port 22, and both my local machine and the server allow outgoing connections in general.

• I am using Ubuntu 17.04 on the local machine, if that matters.

• Both the server and the local machine are currently on the same LAN/connected to the same router.

• I have DISABLED "ChallengeResponseAuthentication" and "PasswordAuthentication", and have ENABLED "PubkeyAuthentication" in my "sshd_config".

• I have quadruple-checked that I was using the correct IP, and used copy-paste rather than manual typing. Unless I am truly missing something, I am attempting to connect to the correct machine.

For a direct SSH login, I get this (using the -v flag):

LOCALUSER@LOCALMACHINE:~$ ssh -v -i ~/.ssh/[PRIVATE_KEY] USER@[IP6_EXTERNAL_IP]
OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /home/[HOME]/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to [IP6_EXTERNAL_IP] [[IP6_EXTERNAL_IP]] port 22.
debug1: Connection established.
debug1: identity file /home/[HOME]/.ssh/[PRIVATE_KEY] type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/[HOME]/.ssh/[PRIVATE_KEY]-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Ubuntu-10
debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to [IP6_EXTERNAL_IP] as 'USER'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:[SHA_HASH]
debug1: Host '[IP6_EXTERNAL_IP]' is known and matches the ECDSA host key.
debug1: Found key in /home/[HOME]/.ssh/known_hosts:4
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /home/[HOME]/.ssh/[PRIVATE_KEY]
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
USER@[IP6_EXTRNAL_IP]'s password: 

...and no password I supply works. I don't know why the server is even asking for a password, I disabled password logins globally in "sshd_config", and I have triple-checked that there is no exception to that for this user, as well.

Git similarly asks for my remote user's password when I try to clone from the server via the external IP (because it's working through SSH of course), if I do the following to set it to use an external IP, instead of the original local IP:

git remote set-url origin ssh+git://USER@[REMOTE_IP]//gitdir/project.git

Any help understanding what I'm missing here would be much appreciated; thanks.

Answer 1

Figured it out:

I am unclear as to why, but my system does not like it when I try to access my server via an external public ip, from inside my own LAN. I assume this is because of some kind of packet confusion as the local machine and the server machine share the same public ip via the router (confirmation on this would be appreciated).

When I tried to connect from another network, things worked correctly and as expected. I am asked for my public key and immediately rejected with no password prompt if I don't supply the right one, and both SSH and git via SSH seem to work as desired over the internet after I change my repo source to use the public ip. Any further details were covered by editing ~/.ssh/config to set key identities and hosts.

Marking as solved. Thank you.