Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I installed OpenSSH for Windows 10 x64 and followed the instructions to create public and private keys and its stores in my user home folder .ssh.
I copied the public key to authorized keys in centos /home/user/.ssh
I have also set the sshd_config file correctly to
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
When I use command prompt and type ssh user@mysite.com it keep saying permission denied with the following error:
C:\Windows\system32>ssh user@mysite.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
C:\Windows\system32>ssh -v user@mysite.com
OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to mysite.com [86.121.11.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/myusername/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to mysite.com:22 as 'falko'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:fgAzsfHHU3+ujXQEqxGu1/6S+sELr9PG0E1TV8TWR1w
debug1: Host 'xxxxxx' is known and matches the RSA host key.
debug1: Found key in /home/myusername/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myusername/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/myusername/.ssh/id_dsa
debug1: Trying private key: /home/myusername/.ssh/id_ecdsa
debug1: Trying private key: /home/myusername/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
On my centos machine i checked /home/user/.ssh and set chmode 700 authorized_keys
Which computer is the client and which is the server? If the CentOS computer is the server the public key is saved to the ~/.ssh/authorized_keys file and permission's should be 600.
For windows ssh clients you can use PuTTy or sftp GUI clients WinSCP or Fillezilla.
Which computer is the client and which is the server? If the CentOS computer is the server the public key is saved to the ~/.ssh/authorized_keys file and permission's should be 600.
For windows ssh clients you can use PuTTy or sftp GUI clients WinSCP or Fillezilla.
Computer I am using is windows 10 x64 which is the client and i got OPENSSH server installed for this machine from mls-software.com/opensshd.html
Server I am connecting to is Centos 6.
I did chmod authorized_keys to 600 still giving me the same error...
For the public key to be usable, it must be appended to the .ssh/authorized_keys file on the Linux computer and/or on other hosts you log into. If an authorized_keys file does not exist in your Linux computer’s home .ssh directory, create it. Also create a directory named “otherkeys“. The public key (ending in .pub) should be copied to “/home/username/.ssh/otherkeys” on the Linux computer using a USB drive, another medium, or remotely through Windows file sharing, SCP, or with SSH if it’s already working. Make sure to only copy the key and not move it.
After transferring the public key, at the Linux PC, open a terminal window or remotely connect to it and navigate to the .ssh folder in your home directory, and append the public key using the command below:
cat otherkeys/id_rsa.pub >> authorized_keys
Note: the key can also be cut and pasted into the authorized_keys file using a text editor
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
AllowUsers falko root Nibraz
AllowGroups root
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /home/user/.ssh/authorized_keys
#AuthorizedKeysFile /etc/ssh/user/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
And this is how I created the RSA keys:
Code:
From the Windows PC
Step 1 – Generate Public Keys for the Windows PC
On the Windows PC, open a CMD window and type in the following command and hit ENTER to create a RSA key of 2048-bits (the default). The -t option specifies the type of key:
ssh-keygen -t rsa
Note: If you get a command is not recognized error, your path is incorrect. In this case, change to the bin folder where OpenSHH is installed to run the command.
When the command is executed, you will be prompted for a location to save the keys, and then for a passphrase as shown below. Hit ENTER to accept the default locations and to set NO passphrase.
Output:
Generating public/private rsa key pair
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub
The public key will be saved as .ssh/id_rsa.pub and your private key saved as .ssh/id_rsa in your home folder. The home directory was setup for the user(s) when OpenSSH was installed and configured.
As far as I know that is not OpenSSH but a fork by M$ using a similar name and it is missing a lot of functionality. Check the fork's project pages to see if the functionality is even there yet: https://github.com/PowerShell/Win32-OpenSSH/
Strategically, trademarks and service marks have to be actively defended so given the silence to date, this could end in tears and loss. But take that with a grain of salt since I am neither a lawyer nor involved with the upstream project.
As far as I know that is not OpenSSH but a fork by M$ using a similar name and it is missing a lot of functionality. Check the fork's project pages to see if the functionality is even there yet: https://github.com/PowerShell/Win32-OpenSSH/
Did you verify you could connect to the server using passwords?
What you posted should work but from your previous post the key is not being accepted.
Connecting with password works fine but not with publickey authenication.
This is what was recommeneded to install.
mls-software.com/opensshd.html
It seems to work if I just connect with CMD by password authenication.
I just cant seem to figure out why its not working for publickey.
I have also tried using PUTTYGEN to generate RSA keys and uploading this to server and connecting via putty with publickey but this is also giving me the exact same error as my original post with permission denied error.
Almost always this is caused by the permissions of the $HOME/.ssh directory not being 700 = rwx------.
If the directory does not have these exact permissions, and contain an authorized_keys file, and contain the presented key within that file, the certificate will be refused.
Also be sure that an "ssh-agent" daemon is running in your session, since this is what manages the presentation of keys to the server.
Almost always this is caused by the permissions of the $HOME/.ssh directory not being 700 = rwx------.
If the directory does not have these exact permissions, and contain an authorized_keys file, and contain the presented key within that file, the certificate will be refused.
Also be sure that an "ssh-agent" daemon is running in your session, since this is what manages the presentation of keys to the server.
Also check the permissions on your home folder. 755 or 750 should work, 775 or 770 will cause this failure.
OpenSSH is foremost a security program, and it checks to see if someone other than you can modify files or folders it uses. If it can be modified by other people, it will not trust or use it.
Naturally, your HOME and ~/.ssh and contents of ~/.ssh should be owned by you. I see no reason to suspect it might not be, just thought I should mention this.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
