Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Also check the permissions on your home folder. 755 or 750 should work, 775 or 770 will cause this failure.
OpenSSH is foremost a security program, and it checks to see if someone other than you can modify files or folders it uses. If it can be modified by other people, it will not trust or use it.
Naturally, your HOME and ~/.ssh and contents of ~/.ssh should be owned by you. I see no reason to suspect it might not be, just thought I should mention this.
These are the permissions:
Code:
-bash-4.1$ namei -m /home/user/.ssh
f: /home/user/.ssh
drwxrwxr-x /
drwxr-xr-x home
drwxr-xr-x user
drwx------ .ssh
-bash-4.1$ ls -l /home/user/
total 8
drwxrwxr-x 2 user root 4096 Jul 13 2012 downloads
drwxrwxr-x 8 user root 4096 Jul 13 2012 rpm
-bash-4.1$ ls -l /home/user/.ssh
total 8
-rw------- 1 user root 397 Nov 19 20:27 authorized_keys
drwxr-xr-x 2 user root 4096 Nov 19 20:26 otherkeys
"user" is my user account and "root" is the group.
You need to do ls -la /home/user in order to see the (hidden) .ssh directory . . .
. . . although I see from the namei output that the permissions appear to be correct.
So far as I know, the permissions of the contents of this directory are unimportant, but for-the-record the permissions of authorized_keys that I expect to find are rw-rw-r-- or something like it.
Therefore, I would now carefully check the contents of the authorized_keys file, now suspecting that there might be something wrong with that.
But also, be sure to carefully check the various system logs . . .
Last edited by sundialsvcs; 11-28-2016 at 12:21 PM.
These are the permissions i got for the .ssh
drwx------ 3 user root 4096 Nov 19 20:27 .
drwxr-xr-x 7 user root 4096 Oct 14 17:08 ..
-rw------- 1 user root 397 Nov 19 20:27 authorized_keys
drwxr-xr-x 2 user root 4096 Nov 19 20:26 otherkeys
On the server you can launch a special instance of "sshd" with a different port and the watch real time for the duration of a single connection attempt.
Code:
sudo /usr/sbin/sshd -p 2228 -dd
Then try connecting from the client and watch what happens on the server. You can vary between -d, -dd, or -ddd to get less or more information. It will accept only one connection that way. If you succeed in connecting, then you will need to relaunch "sshd" again after disconnecting if you want to try again. Launching like that uses the sshd_config file you already have on the server, just with an override on the port so that the second instance of "sshd" does not interfere with what you already have running.
However, as I expressed in #8 above the client is incomplete and may be lacking the functionality you are attempting to use. What makes you sure that M$ fork of OpenSSH has completed the functionality needed to use keys?
That's my suspicion too, but with the distinction that there is no OpenSSH client for Windows. M$ is just using the name, in my opinion, incorrectly for their fork. Code (copyright) is one thing, but names (trademark) are another, and the latter does have to be actively defended or it is lost.
Anyway, if you have PuTTY, you can try that with keys, but from what I gather some special modification of the PuTTY keys needs to take place before you can actually log in.
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
PuTTY has command line utilities pscp and psftp. The keys generated puttygen are not in the same format as those created by ssh-keygen. See the howto below.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
