RSA keys not authenticating





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







4















Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]









share|improve this question























  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51


















4















Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]









share|improve this question























  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51














4












4








4








Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]









share|improve this question














Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]






server ssh authentication openssh






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 28 '17 at 4:12









Troy LiebelTroy Liebel

212




212













  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51



















  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51

















relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

– Yaron
Feb 28 '17 at 6:20





relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

– Yaron
Feb 28 '17 at 6:20













Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

– Jakuje
Feb 28 '17 at 6:51





Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

– Jakuje
Feb 28 '17 at 6:51










3 Answers
3






active

oldest

votes


















0














The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



Try chown -R troy:troy /home/troy/



Also I think you are missing a / in this part of sshd_config



AuthorizedKeysFile home/lenny/.ssh/authorized_keys






share|improve this answer


























  • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

    – Troy Liebel
    Feb 28 '17 at 4:33













  • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

    – m_krsic
    Feb 28 '17 at 4:39













  • Tried both versions in sshd_config home/lenny and ~/ - no change

    – Troy Liebel
    Feb 28 '17 at 4:47











  • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

    – Troy Liebel
    Feb 28 '17 at 4:59








  • 1





    The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

    – ridgy
    Feb 28 '17 at 10:35



















0














In my case the issues was with the incorrect shell exec.



journalctl -f
....
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
....


Changed /etc/passwd file for that user



vi /etc/passwd 
....
user:x:1000:1000::/home/user:/bin/bash
....





share|improve this answer































    0














    I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
    I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



    sudo ls -laZ <user-home>/.ssh



    of the directory (I'm assuming a lot of defaults on sshd_config).



    You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



    For example



    home="$(getent passwd <user> | cut -d: -f6)"
    sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
    sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


    In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



    More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






    share|improve this answer
























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "89"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f888033%2frsa-keys-not-authenticating%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys






      share|improve this answer


























      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35
















      0














      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys






      share|improve this answer


























      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35














      0












      0








      0







      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys






      share|improve this answer















      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Feb 28 '17 at 4:40

























      answered Feb 28 '17 at 4:27









      m_krsicm_krsic

      43329




      43329













      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35



















      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35

















      Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

      – Troy Liebel
      Feb 28 '17 at 4:33







      Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

      – Troy Liebel
      Feb 28 '17 at 4:33















      Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

      – m_krsic
      Feb 28 '17 at 4:39







      Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

      – m_krsic
      Feb 28 '17 at 4:39















      Tried both versions in sshd_config home/lenny and ~/ - no change

      – Troy Liebel
      Feb 28 '17 at 4:47





      Tried both versions in sshd_config home/lenny and ~/ - no change

      – Troy Liebel
      Feb 28 '17 at 4:47













      Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

      – Troy Liebel
      Feb 28 '17 at 4:59







      Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

      – Troy Liebel
      Feb 28 '17 at 4:59






      1




      1





      The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

      – ridgy
      Feb 28 '17 at 10:35





      The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

      – ridgy
      Feb 28 '17 at 10:35













      0














      In my case the issues was with the incorrect shell exec.



      journalctl -f
      ....
      Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
      ....


      Changed /etc/passwd file for that user



      vi /etc/passwd 
      ....
      user:x:1000:1000::/home/user:/bin/bash
      ....





      share|improve this answer




























        0














        In my case the issues was with the incorrect shell exec.



        journalctl -f
        ....
        Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
        ....


        Changed /etc/passwd file for that user



        vi /etc/passwd 
        ....
        user:x:1000:1000::/home/user:/bin/bash
        ....





        share|improve this answer


























          0












          0








          0







          In my case the issues was with the incorrect shell exec.



          journalctl -f
          ....
          Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
          ....


          Changed /etc/passwd file for that user



          vi /etc/passwd 
          ....
          user:x:1000:1000::/home/user:/bin/bash
          ....





          share|improve this answer













          In my case the issues was with the incorrect shell exec.



          journalctl -f
          ....
          Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
          ....


          Changed /etc/passwd file for that user



          vi /etc/passwd 
          ....
          user:x:1000:1000::/home/user:/bin/bash
          ....






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Feb 25 at 9:50









          nelaaronelaaro

          6,13242640




          6,13242640























              0














              I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
              I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



              sudo ls -laZ <user-home>/.ssh



              of the directory (I'm assuming a lot of defaults on sshd_config).



              You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



              For example



              home="$(getent passwd <user> | cut -d: -f6)"
              sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
              sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


              In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



              More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






              share|improve this answer




























                0














                I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
                I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



                sudo ls -laZ <user-home>/.ssh



                of the directory (I'm assuming a lot of defaults on sshd_config).



                You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



                For example



                home="$(getent passwd <user> | cut -d: -f6)"
                sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
                sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


                In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



                More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






                share|improve this answer


























                  0












                  0








                  0







                  I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
                  I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



                  sudo ls -laZ <user-home>/.ssh



                  of the directory (I'm assuming a lot of defaults on sshd_config).



                  You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



                  For example



                  home="$(getent passwd <user> | cut -d: -f6)"
                  sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
                  sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


                  In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



                  More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






                  share|improve this answer













                  I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
                  I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



                  sudo ls -laZ <user-home>/.ssh



                  of the directory (I'm assuming a lot of defaults on sshd_config).



                  You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



                  For example



                  home="$(getent passwd <user> | cut -d: -f6)"
                  sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
                  sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


                  In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



                  More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Mar 11 at 8:28









                  hanzo2001hanzo2001

                  1567




                  1567






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Ask Ubuntu!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f888033%2frsa-keys-not-authenticating%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      How to change which sound is reproduced for terminal bell?

                      Can I use Tabulator js library in my java Spring + Thymeleaf project?

                      Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents