RSA keys not authenticating





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







4















Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 

≫  ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40

OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolving "xxx.xxx.xxx.229" port xxx40

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.

debug1: Connection established.

debug1: identity file .ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file .ssh/id_rsa-cert type -1

debug1: identity file /home/troy/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/troy/.ssh/id_rsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256@libssh.org

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.

debug1: Found key in /home/troy/.ssh/known_hosts:5

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent

debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: .ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Offering RSA public key: /home/troy/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la

total 12

drwx------.  2 lenny lenny 4096 Feb 27 21:49 .

drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..

-rw-------.  1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 

≫  ls -la

total 20

drwx------  2 troy users 4096 Feb 27 21:53 .

drwx------ 30 troy users 4096 Feb 27 23:03 ..

-rw-------  1 troy users 1679 Feb 27 20:32 id_rsa

-rw-r--r--  1 troy users  394 Feb 27 20:32 id_rsa.pub

-rw-r--r--  1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config

# Package generated configuration file

# See the sshd_config(5) manpage for details



# What ports, IPs and protocols we listen for

Port xxx40 

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes



# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 1024



# Logging

SyslogFacility AUTH

LogLevel INFO



# Authentication:

LoginGraceTime 120

PermitRootLogin prohibit-password

StrictModes yes



RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile  home/lenny/.ssh/authorized_keys



# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes



# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no



# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no



# Change to no to disable tunnelled clear text passwords

PasswordAuthentication no



# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes



# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes



X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no



#MaxStartups 10:30:60

#Banner /etc/issue.net



# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



Subsystem sftp /usr/lib/openssh/sftp-server



# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]





server ssh authentication openssh







share|improve this question























  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51


















4















Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 

≫  ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40

OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolving "xxx.xxx.xxx.229" port xxx40

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.

debug1: Connection established.

debug1: identity file .ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file .ssh/id_rsa-cert type -1

debug1: identity file /home/troy/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/troy/.ssh/id_rsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256@libssh.org

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.

debug1: Found key in /home/troy/.ssh/known_hosts:5

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent

debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: .ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Offering RSA public key: /home/troy/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la

total 12

drwx------.  2 lenny lenny 4096 Feb 27 21:49 .

drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..

-rw-------.  1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 

≫  ls -la

total 20

drwx------  2 troy users 4096 Feb 27 21:53 .

drwx------ 30 troy users 4096 Feb 27 23:03 ..

-rw-------  1 troy users 1679 Feb 27 20:32 id_rsa

-rw-r--r--  1 troy users  394 Feb 27 20:32 id_rsa.pub

-rw-r--r--  1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config

# Package generated configuration file

# See the sshd_config(5) manpage for details



# What ports, IPs and protocols we listen for

Port xxx40 

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes



# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 1024



# Logging

SyslogFacility AUTH

LogLevel INFO



# Authentication:

LoginGraceTime 120

PermitRootLogin prohibit-password

StrictModes yes



RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile  home/lenny/.ssh/authorized_keys



# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes



# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no



# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no



# Change to no to disable tunnelled clear text passwords

PasswordAuthentication no



# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes



# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes



X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no



#MaxStartups 10:30:60

#Banner /etc/issue.net



# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



Subsystem sftp /usr/lib/openssh/sftp-server



# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]





server ssh authentication openssh







share|improve this question























  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51














4












4








4








Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 

≫  ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40

OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolving "xxx.xxx.xxx.229" port xxx40

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.

debug1: Connection established.

debug1: identity file .ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file .ssh/id_rsa-cert type -1

debug1: identity file /home/troy/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/troy/.ssh/id_rsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256@libssh.org

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.

debug1: Found key in /home/troy/.ssh/known_hosts:5

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent

debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: .ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Offering RSA public key: /home/troy/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la

total 12

drwx------.  2 lenny lenny 4096 Feb 27 21:49 .

drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..

-rw-------.  1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 

≫  ls -la

total 20

drwx------  2 troy users 4096 Feb 27 21:53 .

drwx------ 30 troy users 4096 Feb 27 23:03 ..

-rw-------  1 troy users 1679 Feb 27 20:32 id_rsa

-rw-r--r--  1 troy users  394 Feb 27 20:32 id_rsa.pub

-rw-r--r--  1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config

# Package generated configuration file

# See the sshd_config(5) manpage for details



# What ports, IPs and protocols we listen for

Port xxx40 

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes



# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 1024



# Logging

SyslogFacility AUTH

LogLevel INFO



# Authentication:

LoginGraceTime 120

PermitRootLogin prohibit-password

StrictModes yes



RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile  home/lenny/.ssh/authorized_keys



# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes



# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no



# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no



# Change to no to disable tunnelled clear text passwords

PasswordAuthentication no



# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes



# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes



X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no



#MaxStartups 10:30:60

#Banner /etc/issue.net



# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



Subsystem sftp /usr/lib/openssh/sftp-server



# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]





server ssh authentication openssh







share|improve this question














Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.



Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.



Things that I have tried:




  • verifying permissions

  • regenerating keys

  • transferring public keys using ssh-copy-id and directly via copy and paste

  • different client machines

  • running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)

  • and a whole lot of googling that has led to here


The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.



Here is the -vvv when trying to auth:



➜  /home/troy 

≫  ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40

OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolving "xxx.xxx.xxx.229" port xxx40

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.

debug1: Connection established.

debug1: identity file .ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file .ssh/id_rsa-cert type -1

debug1: identity file /home/troy/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/troy/.ssh/id_rsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256@libssh.org

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5

debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40

debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.

debug1: Found key in /home/troy/.ssh/known_hosts:5

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent

debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: .ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Offering RSA public key: /home/troy/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


And here is ~/.ssh on the desktop:



lenny@Timubukuntu:~/.ssh$ ls -la

total 12

drwx------.  2 lenny lenny 4096 Feb 27 21:49 .

drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..

-rw-------.  1 lenny lenny 1146 Feb 27 20:35 authorized_keys


And the ~/.ssh on the laptop:



➜  /home/troy/.ssh 

≫  ls -la

total 20

drwx------  2 troy users 4096 Feb 27 21:53 .

drwx------ 30 troy users 4096 Feb 27 23:03 ..

-rw-------  1 troy users 1679 Feb 27 20:32 id_rsa

-rw-r--r--  1 troy users  394 Feb 27 20:32 id_rsa.pub

-rw-r--r--  1 troy users 1416 Feb 27 15:13 known_hosts


And the sshd_config on the desktop:



lenny@Timubukuntu:/etc/ssh$ cat sshd_config

# Package generated configuration file

# See the sshd_config(5) manpage for details



# What ports, IPs and protocols we listen for

Port xxx40 

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes



# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 1024



# Logging

SyslogFacility AUTH

LogLevel INFO



# Authentication:

LoginGraceTime 120

PermitRootLogin prohibit-password

StrictModes yes



RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile  home/lenny/.ssh/authorized_keys



# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes



# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no



# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no



# Change to no to disable tunnelled clear text passwords

PasswordAuthentication no



# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes



# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes



X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no



#MaxStartups 10:30:60

#Banner /etc/issue.net



# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



Subsystem sftp /usr/lib/openssh/sftp-server



# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

UsePAM yes


And here is the relevant info in /var/log/auth.log on the desktop:



Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]





server ssh authentication openssh




server ssh authentication openssh






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 28 '17 at 4:12









Troy LiebelTroy Liebel

212




212













  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51



















  • relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

    – Yaron
    Feb 28 '17 at 6:20











  • Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

    – Jakuje
    Feb 28 '17 at 6:51

















relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

– Yaron
Feb 28 '17 at 6:20





relevant ssh log should be found in /var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.

– Yaron
Feb 28 '17 at 6:20













Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

– Jakuje
Feb 28 '17 at 6:51





Tun on LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.

– Jakuje
Feb 28 '17 at 6:51










3 Answers
3






active

oldest

votes


















0














The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



Try chown -R troy:troy /home/troy/



Also I think you are missing a / in this part of sshd_config



AuthorizedKeysFile home/lenny/.ssh/authorized_keys






share|improve this answer


























  • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

    – Troy Liebel
    Feb 28 '17 at 4:33













  • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

    – m_krsic
    Feb 28 '17 at 4:39













  • Tried both versions in sshd_config home/lenny and ~/ - no change

    – Troy Liebel
    Feb 28 '17 at 4:47











  • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

    – Troy Liebel
    Feb 28 '17 at 4:59








  • 1





    The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

    – ridgy
    Feb 28 '17 at 10:35



















0














In my case the issues was with the incorrect shell exec.



journalctl -f

....

Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist

....


Changed /etc/passwd file for that user



vi /etc/passwd 

....

user:x:1000:1000::/home/user:/bin/bash

....





share|improve this answer































    0














    I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
    I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



    sudo ls -laZ <user-home>/.ssh



    of the directory (I'm assuming a lot of defaults on sshd_config).



    You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



    For example



    home="$(getent passwd <user> | cut -d: -f6)"
    
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
    
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


    In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



    More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






    share|improve this answer
























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "89"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f888033%2frsa-keys-not-authenticating%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys






      share|improve this answer


























      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35
















      0














      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys






      share|improve this answer


























      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35














      0












      0








      0







      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys






      share|improve this answer















      The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise



      Try chown -R troy:troy /home/troy/



      Also I think you are missing a / in this part of sshd_config



      AuthorizedKeysFile home/lenny/.ssh/authorized_keys







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Feb 28 '17 at 4:40

























      answered Feb 28 '17 at 4:27









      m_krsicm_krsic

      43329




      43329













      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35



















      • Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

        – Troy Liebel
        Feb 28 '17 at 4:33













      • Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

        – m_krsic
        Feb 28 '17 at 4:39













      • Tried both versions in sshd_config home/lenny and ~/ - no change

        – Troy Liebel
        Feb 28 '17 at 4:47











      • Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

        – Troy Liebel
        Feb 28 '17 at 4:59








      • 1





        The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

        – ridgy
        Feb 28 '17 at 10:35

















      Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

      – Troy Liebel
      Feb 28 '17 at 4:33







      Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy

      – Troy Liebel
      Feb 28 '17 at 4:33















      Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

      – m_krsic
      Feb 28 '17 at 4:39







      Can you try chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys

      – m_krsic
      Feb 28 '17 at 4:39















      Tried both versions in sshd_config home/lenny and ~/ - no change

      – Troy Liebel
      Feb 28 '17 at 4:47





      Tried both versions in sshd_config home/lenny and ~/ - no change

      – Troy Liebel
      Feb 28 '17 at 4:47













      Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

      – Troy Liebel
      Feb 28 '17 at 4:59







      Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.

      – Troy Liebel
      Feb 28 '17 at 4:59






      1




      1





      The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

      – ridgy
      Feb 28 '17 at 10:35





      The default for the entry in sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.

      – ridgy
      Feb 28 '17 at 10:35













      0














      In my case the issues was with the incorrect shell exec.



      journalctl -f
      
....
      
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
      
....


      Changed /etc/passwd file for that user



      vi /etc/passwd 
      
....
      
user:x:1000:1000::/home/user:/bin/bash
      
....





      share|improve this answer




























        0














        In my case the issues was with the incorrect shell exec.



        journalctl -f
        
....
        
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
        
....


        Changed /etc/passwd file for that user



        vi /etc/passwd 
        
....
        
user:x:1000:1000::/home/user:/bin/bash
        
....





        share|improve this answer


























          0












          0








          0







          In my case the issues was with the incorrect shell exec.



          journalctl -f
          
....
          
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
          
....


          Changed /etc/passwd file for that user



          vi /etc/passwd 
          
....
          
user:x:1000:1000::/home/user:/bin/bash
          
....





          share|improve this answer













          In my case the issues was with the incorrect shell exec.



          journalctl -f
          
....
          
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
          
....


          Changed /etc/passwd file for that user



          vi /etc/passwd 
          
....
          
user:x:1000:1000::/home/user:/bin/bash
          
....






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Feb 25 at 9:50









          nelaaronelaaro

          6,13242640




          6,13242640























              0














              I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
              I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



              sudo ls -laZ <user-home>/.ssh



              of the directory (I'm assuming a lot of defaults on sshd_config).



              You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



              For example



              home="$(getent passwd <user> | cut -d: -f6)"
              
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
              
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


              In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



              More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






              share|improve this answer




























                0














                I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
                I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



                sudo ls -laZ <user-home>/.ssh



                of the directory (I'm assuming a lot of defaults on sshd_config).



                You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



                For example



                home="$(getent passwd <user> | cut -d: -f6)"
                
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
                
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


                In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



                More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






                share|improve this answer


























                  0












                  0








                  0







                  I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
                  I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



                  sudo ls -laZ <user-home>/.ssh



                  of the directory (I'm assuming a lot of defaults on sshd_config).



                  You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



                  For example



                  home="$(getent passwd <user> | cut -d: -f6)"
                  
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
                  
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


                  In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



                  More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/






                  share|improve this answer













                  I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
                  I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with



                  sudo ls -laZ <user-home>/.ssh



                  of the directory (I'm assuming a lot of defaults on sshd_config).



                  You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.



                  For example



                  home="$(getent passwd <user> | cut -d: -f6)"
                  
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
                  
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"


                  In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.



                  More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Mar 11 at 8:28









                  hanzo2001hanzo2001

                  1567




                  1567






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Ask Ubuntu!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f888033%2frsa-keys-not-authenticating%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      Biblatex bibliography style without URLs when DOI exists (in Overleaf with Zotero bibliography)

                      Image
                      2 2 I have a Zotero bibliography in Overleaf. I use biblatex . usepackage[backend=biber,citestyle=authoryear]{biblatex} addbibresource{zoteroALH.bib} Bibliography entries look like: @book{de_saint-gervais_uniformization_2016, title = {Uniformization of {Riemann} {Surfaces}}, isbn = {978-3-03719-145-3}, url = {https://www.ems-ph.org/books/book.php?proj_nr=198&srch=series%7Chem}, urldate = {2019-02-03}, author = {de Saint-Gervais, Paul Henri}, year = {2016}, doi = {10.4171/145} } In the bibliography down the paper the reference shows like this: There is the DOI, great, but also the URL which is unnecessary when the DOI is there. How can I remove the URL when the DOI is present? biblatex bibliographies overleaf zote
                      Read more

                      ComboBox Display Member on multiple fields

                      Image
                      2 I'm trying to set the .DisplayMember property of a ComboBox in C#, but I want to bind it to multiple columns in the .DataSouce . My SQL looks like this: SELECT PersNbr, PersFirstName, PersMiddleName, PersLastName FROM Pers WHERE PersNbr = :persNbr; I'm saving this query in a DataTable so each column selected has it's own column in the Datatable . I want to make the .DisplayMember a combination of PersFirstName + PersMiddleName + PersLastName so their full name appears like this: comboBox.DisplayMemeber = "PersFirstName" + "PersMiddleName" + "PersLastName" I know I can just to this on the query: SELECT PersNbr, (PersFirstName || PersMiddleName || PersLastName) PersName and then just do this: comboBox.DisplayMember = "PersName"; but I
                      Read more

                      Is it possible to collect Nectar points via Trainline?

                      Image
                      2 Since I am not eligible for any Railcard, the only available discount/bonus scheme is Nectar Card for me. GWR, SWR, LNER and Virgin Trains allow to collect Nectar points and I have already linked a card to my GWR account. A friend suggested me to use Trainline App, because it can search for bus tickets either. I had a look at the application, but could not see any option for Nectar. Is there a way to collect Nectar points when I buy tickets via Trainline? uk trains loyalty-programs trainline share | improve this question asked Dec 2 '18 at 15:50 ahmedus 3,224 5 19 49
                      Read more