RSA keys not authenticating
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
4
Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.
Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.
Things that I have tried:
- verifying permissions
- regenerating keys
- transferring public keys using ssh-copy-id and directly via copy and paste
- different client machines
- running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)
- and a whole lot of googling that has led to here
The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.
Here is the -vvv when trying to auth:
➜ /home/troy
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
And here is ~/.ssh on the desktop:
lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys
And the ~/.ssh on the laptop:
➜ /home/troy/.ssh
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts
And the sshd_config on the desktop:
lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
And here is the relevant info in /var/log/auth.log on the desktop:
Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]
server ssh authentication openssh
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
add a comment |
4
Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.
Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.
Things that I have tried:
- verifying permissions
- regenerating keys
- transferring public keys using ssh-copy-id and directly via copy and paste
- different client machines
- running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)
- and a whole lot of googling that has led to here
The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.
Here is the -vvv when trying to auth:
➜ /home/troy
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
And here is ~/.ssh on the desktop:
lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys
And the ~/.ssh on the laptop:
➜ /home/troy/.ssh
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts
And the sshd_config on the desktop:
lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
And here is the relevant info in /var/log/auth.log on the desktop:
Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]
server ssh authentication openssh
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
relevant ssh log should be found in/var/log/auth.logor/var/log/secure- please add it to your question, it help identify the problem.
– Yaron
Feb 28 '17 at 6:20
Tun onLogLevel DEBU3insshd_config, restart the service, try to connect and then paste related parts of the log.
– Jakuje
Feb 28 '17 at 6:51
add a comment |
4
4
4
Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.
Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.
Things that I have tried:
- verifying permissions
- regenerating keys
- transferring public keys using ssh-copy-id and directly via copy and paste
- different client machines
- running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)
- and a whole lot of googling that has led to here
The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.
Here is the -vvv when trying to auth:
➜ /home/troy
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
And here is ~/.ssh on the desktop:
lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys
And the ~/.ssh on the laptop:
➜ /home/troy/.ssh
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts
And the sshd_config on the desktop:
lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
And here is the relevant info in /var/log/auth.log on the desktop:
Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]
server ssh authentication openssh
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
Just trying to get a basic setup of openSSH going on an Ubuntu box to work remotely. Main issue: RSA keys fail auth. ssh DOES work using the password for auth, but I would much rather limit it to only allow ssh keys for auth.
Note that I refer to desktop and laptop. Desktop: machine acting as server. Laptop: machine acting as client.
Things that I have tried:
- verifying permissions
- regenerating keys
- transferring public keys using ssh-copy-id and directly via copy and paste
- different client machines
- running restorecon -Rv ~/.ssh (even though most posts say this applies mainly to CentOS, may as well try everything)
- and a whole lot of googling that has led to here
The relevant things I can think to include are the -vvv when attempting to connect on the laptop, the permissions of ~/.ssh on both machines, sshd_config on desktop, relevant entries in var/log/auth.log on the desktop. Obviously, if there is anything else that I can include that could help anyone resolve this issue, I will gladly provide relevant info.
Here is the -vvv when trying to auth:
➜ /home/troy
≫ ssh -vvv -i .ssh/id_rsa lenny@xxx.xxx.xxx.229 -p xxx40
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xxx.xxx.xxx.229" port xxx40
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxx.xxx.xxx.229 [xxx.xxx.xxx.229] port xxx40.
debug1: Connection established.
debug1: identity file .ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file .ssh/id_rsa-cert type -1
debug1: identity file /home/troy/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/troy/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.229:xxx40 as 'lenny'
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:M57GEOh/5elIh2RU446bRCamJ21QosRFOYaYx8u5Za4
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: put_host_port: [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug3: hostkeys_foreach: reading file "/home/troy/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/troy/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from [xxx.xxx.xxx.229]:xxx40
debug1: Host '[xxx.xxx.xxx.229]:xxx40' is known and matches the ECDSA host key.
debug1: Found key in /home/troy/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: .ssh/id_rsa (0x55a0c58221f0), explicit, agent
debug2: key: /home/troy/.ssh/id_rsa (0x55a0c582fe00), agent
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/troy/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
And here is ~/.ssh on the desktop:
lenny@Timubukuntu:~/.ssh$ ls -la
total 12
drwx------. 2 lenny lenny 4096 Feb 27 21:49 .
drwxr-x---. 21 lenny lenny 4096 Feb 27 22:16 ..
-rw-------. 1 lenny lenny 1146 Feb 27 20:35 authorized_keys
And the ~/.ssh on the laptop:
➜ /home/troy/.ssh
≫ ls -la
total 20
drwx------ 2 troy users 4096 Feb 27 21:53 .
drwx------ 30 troy users 4096 Feb 27 23:03 ..
-rw------- 1 troy users 1679 Feb 27 20:32 id_rsa
-rw-r--r-- 1 troy users 394 Feb 27 20:32 id_rsa.pub
-rw-r--r-- 1 troy users 1416 Feb 27 15:13 known_hosts
And the sshd_config on the desktop:
lenny@Timubukuntu:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port xxx40
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
And here is the relevant info in /var/log/auth.log on the desktop:
Feb 27 22:52:31 Timubukuntu sshd[1901]: Connection closed by 67.20.206.135 port 36566 [preauth]
server ssh authentication openssh
server ssh authentication openssh
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
asked Feb 28 '17 at 4:12
Troy LiebelTroy Liebel
212
212
relevant ssh log should be found in/var/log/auth.logor/var/log/secure- please add it to your question, it help identify the problem.
– Yaron
Feb 28 '17 at 6:20
Tun onLogLevel DEBU3insshd_config, restart the service, try to connect and then paste related parts of the log.
– Jakuje
Feb 28 '17 at 6:51
add a comment |
relevant ssh log should be found in/var/log/auth.logor/var/log/secure- please add it to your question, it help identify the problem.
– Yaron
Feb 28 '17 at 6:20
Tun onLogLevel DEBU3insshd_config, restart the service, try to connect and then paste related parts of the log.
– Jakuje
Feb 28 '17 at 6:51
relevant ssh log should be found in
/var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.– Yaron
Feb 28 '17 at 6:20
relevant ssh log should be found in
/var/log/auth.log or /var/log/secure - please add it to your question, it help identify the problem.– Yaron
Feb 28 '17 at 6:20
Tun on
LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.– Jakuje
Feb 28 '17 at 6:51
Tun on
LogLevel DEBU3 in sshd_config, restart the service, try to connect and then paste related parts of the log.– Jakuje
Feb 28 '17 at 6:51
add a comment |
3 Answers
3
active
oldest
votes
0
The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise
Try chown -R troy:troy /home/troy/
Also I think you are missing a / in this part of sshd_config
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy
– Troy Liebel
Feb 28 '17 at 4:33
Can you trychown'ing it totroy:troyinstead oftroy:users. Can you also try changing this part ofsshd_config,AuthorizedKeysFile home/lenny/.ssh/authorized_keystoAuthorizedKeysFile ~/.ssh/authorized_keys
– m_krsic
Feb 28 '17 at 4:39
Tried both versions in sshd_confighome/lennyand~/- no change
– Troy Liebel
Feb 28 '17 at 4:47
Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.
– Troy Liebel
Feb 28 '17 at 4:59
1
The default for the entry insshd_confisAuthorizedKeysFile %h/.ssh/authorized_keys, where%hmeans home directory. Try to set it that way, or comment the line.
– ridgy
Feb 28 '17 at 10:35
|
show 1 more comment
0
In my case the issues was with the incorrect shell exec.
journalctl -f
....
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
....
Changed /etc/passwd file for that user
vi /etc/passwd
....
user:x:1000:1000::/home/user:/bin/bash
....
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
add a comment |
0
I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with
sudo ls -laZ <user-home>/.ssh
of the directory (I'm assuming a lot of defaults on sshd_config).
You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.
For example
home="$(getent passwd <user> | cut -d: -f6)"
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"
In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.
More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f888033%2frsa-keys-not-authenticating%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise
Try chown -R troy:troy /home/troy/
Also I think you are missing a / in this part of sshd_config
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy
– Troy Liebel
Feb 28 '17 at 4:33
Can you trychown'ing it totroy:troyinstead oftroy:users. Can you also try changing this part ofsshd_config,AuthorizedKeysFile home/lenny/.ssh/authorized_keystoAuthorizedKeysFile ~/.ssh/authorized_keys
– m_krsic
Feb 28 '17 at 4:39
Tried both versions in sshd_confighome/lennyand~/- no change
– Troy Liebel
Feb 28 '17 at 4:47
Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.
– Troy Liebel
Feb 28 '17 at 4:59
1
The default for the entry insshd_confisAuthorizedKeysFile %h/.ssh/authorized_keys, where%hmeans home directory. Try to set it that way, or comment the line.
– ridgy
Feb 28 '17 at 10:35
|
show 1 more comment
0
The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise
Try chown -R troy:troy /home/troy/
Also I think you are missing a / in this part of sshd_config
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy
– Troy Liebel
Feb 28 '17 at 4:33
Can you trychown'ing it totroy:troyinstead oftroy:users. Can you also try changing this part ofsshd_config,AuthorizedKeysFile home/lenny/.ssh/authorized_keystoAuthorizedKeysFile ~/.ssh/authorized_keys
– m_krsic
Feb 28 '17 at 4:39
Tried both versions in sshd_confighome/lennyand~/- no change
– Troy Liebel
Feb 28 '17 at 4:47
Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.
– Troy Liebel
Feb 28 '17 at 4:59
1
The default for the entry insshd_confisAuthorizedKeysFile %h/.ssh/authorized_keys, where%hmeans home directory. Try to set it that way, or comment the line.
– ridgy
Feb 28 '17 at 10:35
|
show 1 more comment
0
0
0
The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise
Try chown -R troy:troy /home/troy/
Also I think you are missing a / in this part of sshd_config
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
The home directory can't be writable by anyone but the user for key permissions to work. The file will be ignored otherwise
Try chown -R troy:troy /home/troy/
Also I think you are missing a / in this part of sshd_config
AuthorizedKeysFile home/lenny/.ssh/authorized_keys
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
edited Feb 28 '17 at 4:40
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
answered Feb 28 '17 at 4:27
m_krsicm_krsic
43329
43329
Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy
– Troy Liebel
Feb 28 '17 at 4:33
Can you trychown'ing it totroy:troyinstead oftroy:users. Can you also try changing this part ofsshd_config,AuthorizedKeysFile home/lenny/.ssh/authorized_keystoAuthorizedKeysFile ~/.ssh/authorized_keys
– m_krsic
Feb 28 '17 at 4:39
Tried both versions in sshd_confighome/lennyand~/- no change
– Troy Liebel
Feb 28 '17 at 4:47
Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.
– Troy Liebel
Feb 28 '17 at 4:59
1
The default for the entry insshd_confisAuthorizedKeysFile %h/.ssh/authorized_keys, where%hmeans home directory. Try to set it that way, or comment the line.
– ridgy
Feb 28 '17 at 10:35
|
show 1 more comment
Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy
– Troy Liebel
Feb 28 '17 at 4:33
Can you trychown'ing it totroy:troyinstead oftroy:users. Can you also try changing this part ofsshd_config,AuthorizedKeysFile home/lenny/.ssh/authorized_keystoAuthorizedKeysFile ~/.ssh/authorized_keys
– m_krsic
Feb 28 '17 at 4:39
Tried both versions in sshd_confighome/lennyand~/- no change
– Troy Liebel
Feb 28 '17 at 4:47
Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.
– Troy Liebel
Feb 28 '17 at 4:59
1
The default for the entry insshd_confisAuthorizedKeysFile %h/.ssh/authorized_keys, where%hmeans home directory. Try to set it that way, or comment the line.
– ridgy
Feb 28 '17 at 10:35
Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy
– Troy Liebel
Feb 28 '17 at 4:33
Permissions on both troy and home good, same on the remote server, ran that command just for good measure drwxr-xr-x 4 root root 4096 Feb 1 20:45 home drwx------ 30 troy users 4096 Feb 27 23:33 troy
– Troy Liebel
Feb 28 '17 at 4:33
Can you try
chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys– m_krsic
Feb 28 '17 at 4:39
Can you try
chown 'ing it to troy:troy instead of troy:users . Can you also try changing this part of sshd_config, AuthorizedKeysFile home/lenny/.ssh/authorized_keys to AuthorizedKeysFile ~/.ssh/authorized_keys– m_krsic
Feb 28 '17 at 4:39
Tried both versions in sshd_config
home/lenny and ~/ - no change– Troy Liebel
Feb 28 '17 at 4:47
Tried both versions in sshd_config
home/lenny and ~/ - no change– Troy Liebel
Feb 28 '17 at 4:47
Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.
– Troy Liebel
Feb 28 '17 at 4:59
Triple checked the permissions again. It all seems to line up with what everyone says they should be. And I tried multiple clients, with the correct permissions. And for what it's worth, this ssh key does work with git (not sure if that is indicative of anything in this situation). Thanks for the advice though.
– Troy Liebel
Feb 28 '17 at 4:59
1
1
The default for the entry in
sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.– ridgy
Feb 28 '17 at 10:35
The default for the entry in
sshd_conf is AuthorizedKeysFile %h/.ssh/authorized_keys, where %h means home directory. Try to set it that way, or comment the line.– ridgy
Feb 28 '17 at 10:35
|
show 1 more comment
0
In my case the issues was with the incorrect shell exec.
journalctl -f
....
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
....
Changed /etc/passwd file for that user
vi /etc/passwd
....
user:x:1000:1000::/home/user:/bin/bash
....
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
add a comment |
0
In my case the issues was with the incorrect shell exec.
journalctl -f
....
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
....
Changed /etc/passwd file for that user
vi /etc/passwd
....
user:x:1000:1000::/home/user:/bin/bash
....
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
add a comment |
0
0
0
In my case the issues was with the incorrect shell exec.
journalctl -f
....
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
....
Changed /etc/passwd file for that user
vi /etc/passwd
....
user:x:1000:1000::/home/user:/bin/bash
....
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
In my case the issues was with the incorrect shell exec.
journalctl -f
....
Feb 25 11:45:54 59a02b89e0f6 sshd: User user not allowed because shell /usr/bin/env /bin/bash does not exist
....
Changed /etc/passwd file for that user
vi /etc/passwd
....
user:x:1000:1000::/home/user:/bin/bash
....
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
answered Feb 25 at 9:50
nelaaronelaaro
6,13242640
6,13242640
add a comment |
add a comment |
0
I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with
sudo ls -laZ <user-home>/.ssh
of the directory (I'm assuming a lot of defaults on sshd_config).
You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.
For example
home="$(getent passwd <user> | cut -d: -f6)"
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"
In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.
More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
add a comment |
0
I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with
sudo ls -laZ <user-home>/.ssh
of the directory (I'm assuming a lot of defaults on sshd_config).
You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.
For example
home="$(getent passwd <user> | cut -d: -f6)"
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"
In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.
More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
add a comment |
0
0
0
I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with
sudo ls -laZ <user-home>/.ssh
of the directory (I'm assuming a lot of defaults on sshd_config).
You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.
For example
home="$(getent passwd <user> | cut -d: -f6)"
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"
In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.
More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
I had this problem on CentOS 7. I am a regular Debian-based Linux user so I was a fish out of the water. I noticed that in some of the servers it worked and in just one it didn't. The audit.log said nothing useful and the secure.log did not give anything either.
I found that the only real difference was some security context differences on files and directories between those that worked and those that didn't. Get the security with
sudo ls -laZ <user-home>/.ssh
of the directory (I'm assuming a lot of defaults on sshd_config).
You should see some ssh_home_t and user_home_t attributes. If you don't, use the chcon command to add the missing attributes.
For example
home="$(getent passwd <user> | cut -d: -f6)"
sudo chcon -R unconfined_u:object_r:ssh_home_t:s0 "$home".ssh
sudo chcon unconfined_u:object_r:user_home_t:s0 "$home"
In my case, my suspicion is that the user was created in a non standard way. His home was a directory in /var/lib.
More info in: https://www.linuxquestions.org/questions/linux-security-4/selinux-preventing-ssh-login-with-~-ssh-authorized_keys-4175469538/
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
answered Mar 11 at 8:28
hanzo2001hanzo2001
1567
1567
add a comment |
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f888033%2frsa-keys-not-authenticating%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
relevant ssh log should be found in
/var/log/auth.logor/var/log/secure- please add it to your question, it help identify the problem.– Yaron
Feb 28 '17 at 6:20
Tun on
LogLevel DEBU3insshd_config, restart the service, try to connect and then paste related parts of the log.– Jakuje
Feb 28 '17 at 6:51