I have setup OpenSSH on an Ubuntu 8.04 server. I am using Putty on a Windows box to connect to the server. I have two accounts on the box. Each account has a /home directory. One of the accounts is the main account that was setup when Ubuntu was installed. The other account is a user account that I created from the command line.

I generated an SSH key pair. I copied the public key to the .ssh/authorized_keys file. I set the permissions for the file and the directory.

I can connect to the box just fine using the default "admin" account that was setup as part of the Ubuntu install process.

When I try to connect using the other user account, Putty returns the error "The server rejected our key."

The permissions for .ssh and everything else for the two accounts are configured identically.

After a lot of troubleshooting my best guess is that it is some sort of account permission problem? The "admin" account can sudo, the account that SSH is having problems with can't.

Please help. I've been beating my head against this thing for four or five hours at this point. I've even generated new keys and the issue persists.

The way to troubleshoot problems like this is by reviewing your system logs. I'm not really familiar with Ubuntu systems, but some guesses about the logs you may need to check are /var/log/secure, /var/log/auth (or similar), /var/log/messages.

You're looking for chatter from sshd.

Thanks for the tip. There are some error messages in there that do not seem to match up with reality. In particular the error

"User <user> from <ip> not allowed because not listed in AllowUsers"

The <user> is listed under AllowUsers in sshd_config.

I think that I see part of the problem. The two lines below are for the valid login.

Apr 26 13:24:50 subversion sshd[10513]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:25:25 subversion sshd[10632]: pam_winbind(sshd:account): user 'itadmin' granted access

The next two lines are for the failed account.

Apr 26 13:31:06 subversion sshd[10632]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:32:05 subversion sshd[10732]: Failed password for <user> from <ip> port 54842 ssh2

It seems like sshd is using the 'itadmin' account as part of its setcred function. As long as the account logging on matches the setcred account, everything is good. If the two don't match, it fails.

I haven't used pam_winbind, but I am presuming you have explicitly configured it and are intentionally using it..?

I'm not sure yet if the "AllowUsers" message is a red herring or is related to the problem cause. (Check not only AllowUsers in sshd_config, but also DenyUsers, AllowGroups, and DenyGroups, just for grins. Also make sure that if you're using the form USER@HOST, that HOST is correct.)

So, it seems like the answer is to grant the new user access to whatever facility pam_winbind is checking. Just like itadmin...

I did setup winbind intentionally. The box in question is part of an Active Directory domain and is hosting a Subversion repository. I had to setup winbind and Samba so that the backup software could access the repository.

The new user is setup in Active Directory and winbind should recognize it as a valid account. I think it really has something to do with that setcred function. I have posted a question to the SecureShell mailing list. I'm hoping that one of the developers has some clue.

One more obvious thing then while you're waiting for a reply on the mailing list. Make sure you've reloaded or restarted the sshd daemon after adding the new user to AllowUsers.

I could see a situation where you added it and forgot to bounce the daemon, which would cause the sshd "AllowUsers" chatter you described.