LinuxQuestions.org - Linux - Newbie: ssh public key auth not accepted (https://www.linuxquestions.org/questions/linux-newbie-8/ssh-public-key-auth-not-accepted-913832/)

jonaskellens 11-16-2011 07:26 AM

ssh public key auth not accepted
 
Hello,

on my server I have in /etc/ssh/sshd_config:

RSAAuthentication no
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no

When I try to ssh into the server with my private key, I get the following:

[Jonas@jonas ~]$ ssh -2 -v -p 2273 -l admin -i /home/Jonas/vpn\&ssh/id_rsa_admin XXX.XXX.XXX.226
OpenSSH_5.5p1, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to XXX.XXX.XXX.226 [XXX.XXX.XXX.226] port 2273.
debug1: Connection established.
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin type 1
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'XXX.XXX.XXX.226' is known and matches the RSA host key.
debug1: Found key in /home/Jonas/.ssh/known_hosts:10
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/Jonas/vpn&ssh/id_rsa_admin
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Why is permission denied?

LceeL 11-16-2011 07:56 AM

Read through the following link - make sure you have followed all the steps - http://oceanpark.com/notes/howto_ssh...orwarding.html - for example - Did you set "ForwardAgent yes" on your client system? There is nowhere near enough information in your post to do a proper diagnosis of your issue.

jonaskellens 11-16-2011 08:10 AM

I have set "ForwardAgent yes" in my /etc/ssh/ssh_config on my client.

I have changed the file .ssh/authorized_keys2 to .ssh/authorized_keys on my server.

All the other steps mentioned in the link I have done, except "keychain" I don't want that.

Still the same result.

How can I get more debugging information?

colucix 11-16-2011 08:18 AM

Try option -vvv to increase the level of verbosity in the debug messages.

jonaskellens 11-16-2011 08:40 AM

Here is more verbosity:

[Jonas@jonas ~]$ ssh -2 -vvv -p 2273 -l admin -i /home/Jonas/vpn\&ssh/id_rsa_admin XXX.XXX.XXX.226
OpenSSH_5.5p1, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXX.XXX.XXX.226 [XXX.XXX.XXX.226] port 2273.
debug1: Connection established.
debug3: Not a RSA1 key file /home/Jonas/vpn&ssh/id_rsa_admin.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin type 1
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss...00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 510/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [XXX.XXX.XXX.226]:2273
debug3: put_host_port: [XXX.XXX.XXX.226]:2273
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug1: checking without port identifier
debug3: check_host_in_hostfile: host XXX.XXX.XXX.226 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host XXX.XXX.XXX.226 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 10
debug1: Host 'XXX.XXX.XXX.226' is known and matches the RSA host key.
debug1: Found key in /home/Jonas/.ssh/known_hosts:10
debug1: found matching key w/out port
debug2: bits set: 523/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/Jonas/vpn&ssh/id_rsa_admin (0x26b20b0)
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/Jonas/vpn&ssh/id_rsa_admin
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

lleb 11-16-2011 09:01 AM

http://www.jms1.net/code/rsync-backup.shtml

The top of this page talks about setting up public keys between servers. You might want to try starting over from scratch by deleting the ~/.ssh/authorized_keys and the id_dsa_backup.pub to get a clean start.

jonaskellens 11-16-2011 09:22 AM

Quote:

Originally Posted by lleb (Post 4525561)
http://www.jms1.net/code/rsync-backup.shtml
The top of this page talks about setting up public keys between servers. You might want to try starting over from scratch by deleting the ~/.ssh/authorized_keys and the id_dsa_backup.pub to get a clean start.

So I need to create the key files again? OK, if that's the only solution...

jschiwal 11-16-2011 09:48 AM

Check the logs on the server. They may indicate what the problem is. For example, if the permissions of .ssh or the private key are too lax, the server will refuse to make a connection. Even the permissions of your home directory can cause problems.

The issue may not be indicated in the debug -vvv output.

After an upgrade, I wasn't able to ssh in, even though I had copied my ~/.ssh folder from backup. I found in the Release Notes that I needed to modify a line in /etc/ssh/sshd_config from

Code:

AuthorizedKeysFile .ssh/authorized_keys

to

Code:

AuthorizedKeysFile %h/.ssh/authorized_keys

I've even had a failure to log in because the hostname part of the authorizedkeys file entry didn't match exactly with the first entry in /etc/hosts. I think I changed it from jschiwal@netcow to jschiwal@netcow.jesnet but don't remember for certain. This behavior may depend on the UseDNS setting.

I don't understand why ForwardAgent yes is being recommended in your case.
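An added example, not from any poster in this thread: a POSIX sh script that mirrors the permission checks sshd makes under StrictModes (its default) on the home directory, ~/.ssh and authorized_keys before it trusts the key file, applies the ssh client's rule that a private key must be readable by its owner only, and counts the "Authentication refused: bad ownership or modes" lines sshd writes when those checks fail. The demo directory and the log lines are constructed for the example; ownership checks (sshd also requires the files to belong to the user or root) are not covered.

```shell
#!/bin/sh
# Added example (not from the thread): server-side mode checks in the spirit of
# sshd's StrictModes, plus a scan of constructed sshd log lines.

# 0 if the path has no group or world write bit, 1 otherwise.
owner_only_write() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. "drwx------" (SELinux '.' is cut off)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;   # 6th char = group write, 9th char = other write
    esac
    return 0
}

# 0 if a private key is readable by its owner only, which is what the ssh
# client insists on before it will use the key.
private_key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
    esac
    return 1
}

# check_ssh_perms HOME: inspect the three paths sshd looks at for one account.
# Prints one line per problem and returns the number of problems (0 = clean).
check_ssh_perms() {
    h=$1
    problems=0
    for p in "$h" "$h/.ssh" "$h/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            problems=$((problems + 1))
        elif ! owner_only_write "$p"; then
            echo "too lax (group/world writable): $p"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample of /var/log/secure (or auth.log) lines, not real output.
SAMPLE_LOG='Nov 17 14:10:01 server sshd[2211]: Authentication refused: bad ownership or modes for directory /home/admin
Nov 17 14:10:01 server sshd[2211]: Failed publickey for admin from 10.0.0.5 port 51022 ssh2
Nov 17 14:12:33 server sshd[2240]: Accepted publickey for admin from 10.0.0.5 port 51030 ssh2'

# count_refusals LOGTEXT: how many StrictModes refusals the log text contains.
count_refusals() {
    printf '%s\n' "$1" | grep -c 'Authentication refused: bad ownership or modes'
}

# Demo: a throw-away home directory with group-writable home and .ssh, then the fix.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    : > "$tmp/home/.ssh/authorized_keys"
    chmod 775 "$tmp/home" "$tmp/home/.ssh"
    chmod 664 "$tmp/home/.ssh/authorized_keys"
    check_ssh_perms "$tmp/home" || echo "problems before fix: $?"
    chmod 755 "$tmp/home"
    chmod 700 "$tmp/home/.ssh"
    chmod 600 "$tmp/home/.ssh/authorized_keys"
    check_ssh_perms "$tmp/home" && echo "clean after fix"
    echo "StrictModes refusals in sample log: $(count_refusals "$SAMPLE_LOG")"
    rm -rf "$tmp"
}
demo
```

Run it on a real account with `check_ssh_perms /home/admin` on the server; a non-zero return with the printed path is the same condition that makes sshd log the refusal and answer the client with nothing more than "Permission denied (publickey)", which is why jschiwal's advice to read the server log rather than the client's -vvv output is the right order of investigation.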

lleb 11-16-2011 11:31 AM

Quote:

Originally Posted by jonaskellens (Post 4525579)
So I need to create the key files again ? OK if that's the only solution...

not saying it is the only way, but it will not hurt. how long will it take to recreate them? 2min tops...

jonaskellens 11-17-2011 07:15 AM

So I have done the following:

Created the keys on my client:

Code:

[Jonas@jonas ~]$ ssh-keygen -t rsa

The result is 2 files:

Code:

-rw-------. 1 Jonas Jonas 1766 Nov 17 13:52 id_rsa
-rw-r--r--. 1 Jonas Jonas  405 Nov 17 13:52 id_rsa.pub

I copy the file id_rsa.pub to my server and place it into the .ssh directory as follows:

Code:

[admin@server admin]$ cp id_rsa .ssh/authorized_keys

The result on the server:

Code:

[admin@server admin]$ ls -l .ssh/
total 8
-rwx------ 1 admin admin 1766 Nov 17 14:08 authorized_keys

After this I want to log in as user "admin", using the id_rsa.pub key:

Code:

[Jonas@jonas ~]$ ssh -2 -v -p 2273 -l admin -i /home/Jonas/vpn\&ssh/id_rsa XXX.XXX.XXX.226

But still the same result:

Code:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/Jonas/vpn&ssh/id_rsa_admin
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Should be that simple, no?!

colucix 11-17-2011 08:32 AM

Code:

[admin@server admin]$ cp id_rsa .ssh/authorized_keys

Nope. You have to copy the public key into authorized_keys. Your private key should stay only on your local machine (private = not to be shared with anyone or with any other machine than yours).
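An added example (not colucix's or the original poster's code) of the step that went wrong above: a POSIX sh function that installs a public key into ~/.ssh/authorized_keys, refuses any file carrying a PRIVATE KEY header so the private key stays on the client, avoids duplicate entries, and sets the 700/600 modes sshd expects. The key material and paths in the demo are constructed placeholders, not real keys; where ssh-keygen is available, `ssh-keygen -l -f FILE` is the authoritative check that a file is a usable public key, which this structural check does not replace.

```shell
#!/bin/sh
# Added example (not from the thread): put a public key into authorized_keys
# and reject the mistake made in the thread (copying the private key instead).

# 0 if the file looks like an OpenSSH public key line, 1 if it is a private key
# or anything else.  Structure only; ssh-keygen -l -f is the real validation.
is_public_key() {
    if grep -q 'PRIVATE KEY' "$1"; then
        return 1                                  # PEM or OpenSSH private key header
    fi
    first=$(awk 'NR==1 {print $1}' "$1")          # key type is the first field
    case "$first" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) return 0 ;;
    esac
    return 1
}

# install_pubkey PUBFILE HOME: append the key to HOME/.ssh/authorized_keys once,
# with mode 700 on .ssh and 600 on the file.  Returns 1 and touches nothing if
# PUBFILE is not a public key.
install_pubkey() {
    pub=$1; h=$2
    is_public_key "$pub" || { echo "refusing: $pub is not a public key" >&2; return 1; }
    keyline=$(head -n 1 "$pub")
    mkdir -p "$h/.ssh" && chmod 700 "$h/.ssh"
    touch "$h/.ssh/authorized_keys" && chmod 600 "$h/.ssh/authorized_keys"
    if ! grep -qF -- "$keyline" "$h/.ssh/authorized_keys"; then
        printf '%s\n' "$keyline" >> "$h/.ssh/authorized_keys"
    fi
    return 0
}

# authorized_count HOME: number of key lines in authorized_keys (0 if absent).
authorized_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c -e '^ssh-' -e '^ecdsa-' "$1/.ssh/authorized_keys" || true
}

# Demo with constructed files that only have the shape of id_rsa / id_rsa.pub.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED_NOT_A_REAL_KEY' \
        '-----END RSA PRIVATE KEY-----' > "$tmp/id_rsa"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_NOT_A_REAL_KEY Jonas@jonas' > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/id_rsa" "$tmp/home" || echo "private key rejected, as intended"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/home" && install_pubkey "$tmp/id_rsa.pub" "$tmp/home"
    echo "authorized keys after installing twice: $(authorized_count "$tmp/home")"
    ls -ld "$tmp/home/.ssh" "$tmp/home/.ssh/authorized_keys"
    rm -rf "$tmp"
}
demo
```

On a real server the call is `install_pubkey id_rsa.pub /home/admin` after copying only id_rsa.pub across; the private key never leaves the client, and if it is handed to this function by mistake the authorized_keys file is left untouched rather than filled with a PEM blob that sshd cannot parse.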

jonaskellens 11-17-2011 08:38 AM

Quote:

Originally Posted by colucix (Post 4526536)
Code:

[admin@server admin]$ cp id_rsa .ssh/authorized_keys

Nope. You have to copy the public key into authorized_keys. Your private key should stay only on your local machine (private = not to be shared with anyone or with any other machine than yours).

I feel really stupid...

Now it works indeed! I knew I needed the private key on my host, but still I copied the private key to the server...

Thanks!

