LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 11-19-2016, 02:56 PM   #1
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Rep: Reputation: 18
ssh publickey authenication failing


Hi

I installed OpenSSH for Windows 10 x64 and followed the instructions to create public and private keys and its stores in my user home folder .ssh.

I copied the public key to authorized keys in centos /home/user/.ssh

I have also set the sshd_config file correctly to
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

When I use command prompt and type ssh user@mysite.com it keep saying permission denied with the following error:
Code:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I enabled ssh -v and got the below errros:
Code:
C:\Windows\system32>ssh user@mysite.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

C:\Windows\system32>ssh -v user@mysite.com
OpenSSH_7.3p1, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to mysite.com [86.121.11.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/myusername/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/myusername/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to mysite.com:22 as 'falko'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:fgAzsfHHU3+ujXQEqxGu1/6S+sELr9PG0E1TV8TWR1w
debug1: Host 'xxxxxx' is known and matches the RSA host key.
debug1: Found key in /home/myusername/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myusername/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/myusername/.ssh/id_dsa
debug1: Trying private key: /home/myusername/.ssh/id_ecdsa
debug1: Trying private key: /home/myusername/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
On my centos machine i checked /home/user/.ssh and set chmode 700 authorized_keys


I attached a picture.


Any help on this?

thanks
Attached Thumbnails
Click image for larger version

Name:	q.PNG
Views:	43
Size:	14.7 KB
ID:	23575  

Last edited by michaelk; 12-07-2016 at 04:57 AM.
 
Old 11-19-2016, 04:02 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,405

Rep: Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550
Which computer is the client and which is the server? If the CentOS computer is the server the public key is saved to the ~/.ssh/authorized_keys file and permission's should be 600.

For windows ssh clients you can use PuTTy or sftp GUI clients WinSCP or Fillezilla.
 
Old 11-19-2016, 05:01 PM   #3
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by michaelk View Post
Which computer is the client and which is the server? If the CentOS computer is the server the public key is saved to the ~/.ssh/authorized_keys file and permission's should be 600.

For windows ssh clients you can use PuTTy or sftp GUI clients WinSCP or Fillezilla.
Computer I am using is windows 10 x64 which is the client and i got OPENSSH server installed for this machine from mls-software.com/opensshd.html

Server I am connecting to is Centos 6.

I did chmod authorized_keys to 600 still giving me the same error...
 
Old 11-19-2016, 10:11 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,405

Rep: Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550
Just to make sure you did copy id_rsa.pub to the authorized_keys file on the server?
 
Old 11-20-2016, 07:23 AM   #5
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Hi Micheal

This is what I followed:

Quote:
Step 2 – Transfer Public Key to Linux PC

For the public key to be usable, it must be appended to the .ssh/authorized_keys file on the Linux computer and/or on other hosts you log into. If an authorized_keys file does not exist in your Linux computer’s home .ssh directory, create it. Also create a directory named “otherkeys“. The public key (ending in .pub) should be copied to “/home/username/.ssh/otherkeys” on the Linux computer using a USB drive, another medium, or remotely through Windows file sharing, SCP, or with SSH if it’s already working. Make sure to only copy the key and not move it.

After transferring the public key, at the Linux PC, open a terminal window or remotely connect to it and navigate to the .ssh folder in your home directory, and append the public key using the command below:

cat otherkeys/id_rsa.pub >> authorized_keys

Note: the key can also be cut and pasted into the authorized_keys file using a text editor
The key is copied in properly but it wont work...
 
Old 11-20-2016, 07:46 AM   #6
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
This is my SSHD config file:
Code:
 #	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:
AllowUsers falko root Nibraz
AllowGroups root
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	/home/user/.ssh/authorized_keys
#AuthorizedKeysFile	/etc/ssh/user/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

And this is how I created the RSA keys:
Code:
From the Windows PC
Step 1  Generate Public Keys for the Windows PC

On the Windows PC, open a CMD window and type in the following command and hit ENTER to create a RSA key of 2048-bits (the default). The -t option specifies the type of key:

ssh-keygen -t rsa

Note: If you get a command is not recognized error, your path is incorrect. In this case, change to the bin folder where OpenSHH is installed to run the command.

When the command is executed, you will be prompted for a location to save the keys, and then for a passphrase as shown below. Hit ENTER to accept the default locations and to set NO passphrase.

Output:

Generating public/private rsa key pair
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub

The public key will be saved as .ssh/id_rsa.pub and your private key saved as .ssh/id_rsa in your home folder. The home directory was setup for the user(s) when OpenSSH was installed and configured.
Thanks for helping
 
Old 11-21-2016, 05:42 AM   #7
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,405

Rep: Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550Reputation: 3550
Did you verify you could connect to the server using passwords?

What you posted should work but from your previous post the key is not being accepted.
 
Old 11-21-2016, 06:13 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,049
Blog Entries: 3

Rep: Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521Reputation: 2521
Quote:
Originally Posted by nibraz View Post
I installed OpenSSH for Windows 10 x64
As far as I know that is not OpenSSH but a fork by M$ using a similar name and it is missing a lot of functionality. Check the fork's project pages to see if the functionality is even there yet:
https://github.com/PowerShell/Win32-OpenSSH/

Strategically, trademarks and service marks have to be actively defended so given the silence to date, this could end in tears and loss. But take that with a grain of salt since I am neither a lawyer nor involved with the upstream project.
 
Old 11-21-2016, 07:43 AM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181
Quote:
Originally Posted by Turbocapitalist View Post
As far as I know that is not OpenSSH but a fork by M$ using a similar name and it is missing a lot of functionality. Check the fork's project pages to see if the functionality is even there yet:
https://github.com/PowerShell/Win32-OpenSSH/
But there is also "Putty."
 
Old 11-22-2016, 04:02 AM   #10
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by michaelk View Post
Did you verify you could connect to the server using passwords?

What you posted should work but from your previous post the key is not being accepted.
Connecting with password works fine but not with publickey authenication.

This is what was recommeneded to install.
mls-software.com/opensshd.html

It seems to work if I just connect with CMD by password authenication.
I just cant seem to figure out why its not working for publickey.

I have also tried using PUTTYGEN to generate RSA keys and uploading this to server and connecting via putty with publickey but this is also giving me the exact same error as my original post with permission denied error.


Thanks
 
Old 11-23-2016, 08:54 AM   #11
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
bump
 
Old 11-23-2016, 09:25 AM   #12
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655Reputation: 1655
No need to bump your own post. The forum does it automatically.
 
Old 11-23-2016, 12:41 PM   #13
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181Reputation: 3181
Almost always this is caused by the permissions of the $HOME/.ssh directory not being 700 = rwx------.

If the directory does not have these exact permissions, and contain an authorized_keys file, and contain the presented key within that file, the certificate will be refused.

Also be sure that an "ssh-agent" daemon is running in your session, since this is what manages the presentation of keys to the server.
 
1 members found this post helpful.
Old 11-28-2016, 06:45 AM   #14
nibraz
Member
 
Registered: Oct 2008
Posts: 219

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by sundialsvcs View Post
Almost always this is caused by the permissions of the $HOME/.ssh directory not being 700 = rwx------.

If the directory does not have these exact permissions, and contain an authorized_keys file, and contain the presented key within that file, the certificate will be refused.

Also be sure that an "ssh-agent" daemon is running in your session, since this is what manages the presentation of keys to the server.

The home/.ssh folder is set to chmod 700.

ssh agent is already running also follwed their steps from below
http://www.mls-software.com/opensshd.html

thanks

Last edited by nibraz; 11-28-2016 at 06:49 AM.
 
Old 11-28-2016, 06:58 AM   #15
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,421

Rep: Reputation: 1485Reputation: 1485Reputation: 1485Reputation: 1485Reputation: 1485Reputation: 1485Reputation: 1485Reputation: 1485Reputation: 1485Reputation: 1485
Also check the permissions on your home folder. 755 or 750 should work, 775 or 770 will cause this failure.
OpenSSH is foremost a security program, and it checks to see if someone other than you can modify files or folders it uses. If it can be modified by other people, it will not trust or use it.

Naturally, your HOME and ~/.ssh and contents of ~/.ssh should be owned by you. I see no reason to suspect it might not be, just thought I should mention this.

Last edited by wpeckham; 11-28-2016 at 06:59 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] ssh authenication failure screwzm Linux - Networking 5 11-15-2012 08:06 AM
SSH: Permission denied (publickey). clapclash Linux - Networking 6 10-19-2012 06:49 AM
Trying to think of a way to ssh without interactivity and not using the publickey... trist007 Linux - Newbie 3 07-30-2010 08:26 AM
ssh publickey authentication spx2 Linux - Security 11 01-11-2008 05:27 AM
Trouble configuring SSH publickey pioniere Linux - Security 4 02-25-2005 02:20 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 12:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration