gitolite not working with sshd service - ssh

I'm trying to get gitolite to work and have been stuck for hours. CentOS 6 server on my LAN.
I finally got ssh -vvv gitolite to work with this config file
Host gitolite
User gitolite
HostName srv
Port 2002
IdentityFile ~/.ssh/srv_gitolite_openssh
BUT it only works when I do this on the server to debug
sudo service sshd stop
sudo /usr/sbin/sshd -Dd
When sshd is running as a service, the connection fails.
http://pastebin.com/UHVS1sSK
Why does it work when I manually run sshd, but not with sshd as a service? It seems to use the same sshd_config file, because it uses the same port number. Also, my username gitolite is in the AllowUsers part of the config.
The success case looks like this:
http://pastebin.com/x4TcrG4R
Update: Here are the server-side logs
fail as a service: http://pastebin.com/Xce2k2x5
success: http://pastebin.com/jYgiDhEm
highlights from the fail case are below. Shouldn't the "key_from_blob" be the same in both cases? I've tried removing the command part of the authorized_keys and it still fails as a service.
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x7f72b6e93350
debug1: temporarily_use_uid: 505/505 (e=0/0)
debug1: trying public key file /var/lib/gitolite/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 505/505 (e=0/0)
debug1: trying public key file /var/lib/gitolite/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for gitolite from 192.168.1.201 port 57488 ssh2
debug3: mm_answer_keyallowed: key 0x7f72b6e93350 is not allowed
debug3: mm_request_send entering: type 22
highlights from the success case:
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x7f4d79de18b0
debug1: temporarily_use_uid: 505/505 (e=0/0)
debug1: trying public key file /var/lib/gitolite/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/var/lib/gitolite/.ssh'
debug3: secure_filename: checking '/var/lib/gitolite'
debug3: secure_filename: terminating check at '/var/lib/gitolite'
debug2: key_type_from_name: unknown key type 'command="/var/lib/gitolite/bin/gitolite-shell'
debug3: key_read: missing keytype
debug2: user_key_allowed: check options: 'command="/var/lib/gitolite/bin/gitolite-shell gitolite",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBrEOo5blAUXXSwXdxUxTOhBDHcjw2OzxGg6Vu4drzmUYL5uPxjWLGzuzcNkrYmlVqXr5UBqeSbkZh9W/0lLMcmiv5FLdIQ+J2m5lqHsEJLS8FImfJxfo2/LvboFy0NFOxF8GaHxeIWFp+YmwAlogO9gi1zgXK99DGc15W/edYwCw==
'
debug1: matching key found: file /var/lib/gitolite/.ssh/authorized_keys, line 2
Found matching RSA key: ae:92:1d:a7:7b:ec:75:7a:19:ac:28:75:b0:cc:27:8f
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x7f4d79de18b0 is allowed

I suspect the keys are working in both cases.
But running sshd as a service is different than running it from the current session: see "Why would I use “service sshd reload” in preference to “service sshd restart”?".
The service cancels all inherited environment variables, and keep only PATH and TERM.
Gitolite uses a forced command registered in ~gitolite/.ssh/authorized_keys, and there must be an environment variable missing (when sshd is run as a service) which prevents the execution of the command.
There was a similar case with "public key authentication fails ONLY when sshd is daemon":
SELinux is likely the cause.
The .ssh dir is probably mislabeled.
Look at /var/log/audit/audit.log. It should be labeled ssh_home_t.
Check with ls -laZ. Run restorecon -r -vv /root/.ssh if need be.

Related

Should the ssh fingerprint change when the sshd port changes

After changing the sshd port in OpenSSH 8.2, I found that the ssh fingerprint changed. This surprised me since I had assumed it was just dependent on the public key.
What does the fingerprint depend on? Is the port part of it?
On closer examination it looks like the key changed from ssh-rsa to ecdsa-sha2-nistp256. It looks like the server has multiple key files. What determines which key is used and what might have caused a change?
I haven't found the official documentation, but ran into a similar confusion so just experimented a bit.
The hostnames in fingerprints (in .ssh/known_hosts) are hashed, but you can check them with ssh-keygen -H -F 'remote' (you'd see Host remote found...)
It seems that if you're using the default port (22), when you run ssh remote the first time, the fingerprint will only contain the hostname.
You can check this with ssh-keygen -H -F 'remote' (you'd see Host remote found...)
Now, if you change the sshd port on remote (say, to 1234), seems that ssh is still happy with it, because it tries matching against the hostname without the port.
You can see that with the -v flag:
$ ssh -v remote -p 1234
debug1: Authenticating to remote:1234 as 'user'
...
debug1: checking without port identifier
debug1: Host 'remote' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:11
However -- if the first time you ssh onto remote is with a custom port (ssh remote -p 1234), then it seems to remember the hostname with port:
ssh-keygen -H -F 'remote' -- doesn't result in anything
ssh-keygen -H -F '[remote]:1234' -- results in a match
The ssh output changes slightly too, it's checking both host and port now:
$ ssh -v remote -p 1234
...
debug1: Host '[remote]:1234' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:12
...
Now if you change the remote sshd port to something else, say back to 22, and run ssh remote, ssh won't be able to verify the host, because it only knows about [remote]:1234, not remote.
(I guess in theory it could still check all 65535 ports against .ssh/known_hosts and give a friendlier error message).
Regarding the key choice: same -v flag might be helpful here:
...
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA <redacted> agent
debug1: Will attempt key: /home/user/.ssh/id_dsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user/.ssh/id_ed25519
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<redacted>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA <redacted> agent
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA <redacted> agent
...

sshing using gcloud leads to agent refusal

I am trying to ssh in to a google compute engine using gcloud and this used to work fine. But for some reason I have been hitting a wall for a while now. It works fine from the console. The instance is box-standard default instance.
I keep getting
google compute ssh test
sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).
and more verbosely
google compute ssh test -vvv
...
bug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mike/.ssh/google_compute_engine
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fpSHA256:bW6Bpi2N67+MIGbRkfLRcdl5ghxQWOAtiRiYazy1JXU
debug3: sign_and_send_pubkey: RSA SHA256:bW6Bpi2N67+MIGbRkfLRcdl5ghxQWOAtiRiYazy1JXU
sign_and_send_pubkey: signing failed: agent refused operation
I have tried with a fresh project, but the same result. Re-installed google cloud sdk, same result. I must be missing some setting value, but I have no idea what I am missing. I have ssh keys (the standard ones created by gcloud, called google_compute_engine(.pub) in my .ssh directory.
Any suggestions would be appreciated.
Cheers, Mike
After trying loads of things, I found that
sudo apt-get autoremove gnome-keyring
ssh-add -D
a reboot resolved this.

ssh : Permission denied (publickey,gssapi-with-mic)

i'm use centos 5.9.
after installing gitlab by this link ssh not working.
before install gitlab ssh correctly working.
i'm using this server localy and other services such as elastix and apache,mysql installed on server.
appeare this error :
OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.88.23 [192.168.88.23] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4* compat 0x00000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.88.23:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01#openssh.com,ssh-rsa-cert-v00#openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01#openssh.com,ecdsa-sha2-nistp384-cert-v01#openssh.com,ecdsa-sha2-nistp521-cert-v01#openssh.com,ssh-ed25519-cert-v01#openssh.com,ssh-dss-cert-v01#openssh.com,ssh-dss-cert-v00#openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: chacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se
debug2: kex_parse_kexinit: chacha20-poly1305#openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm#openssh.com,hmac-ripemd160-etm#openssh.com,hmac-sha1-96-etm#openssh.com,hmac-md5-96-etm#openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm#openssh.com,umac-128-etm#openssh.com,hmac-sha2-256-etm#openssh.com,hmac-sha2-512-etm#openssh.com,hmac-sha1-etm#openssh.com,umac-64#openssh.com,umac-128#openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm#openssh.com,hmac-ripemd160-etm#openssh.com,hmac-sha1-96-etm#openssh.com,hmac-md5-96-etm#openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib#openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib#openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc#lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160#openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib#openssh.com
debug2: kex_parse_kexinit: none,zlib#openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 3111/6144
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:7J6JOe94H9PedNKlx6yG/wMy6ZYC8iB74WdOVGDgY7A
debug1: Host '192.168.88.23' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 3102/6144
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil)),
debug2: key: /root/.ssh/id_dsa ((nil)),
debug2: key: /root/.ssh/id_ecdsa ((nil)),
debug2: key: /root/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic).
Setting 700 to .ssh and 600 to authorized_keys solved the issue.
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
I had the same issue while using vagrant. So from my Mac I was trying to ssh to a vagrant box (CentOS 7)
Solved it by amending the /etc/ssh/sshd_config PasswordAuthentication yes then re-started the service using sudo systemctl restart sshd
Hope this helps.
Setting PasswordAuthentication to yes, is not the best way to go ,
is not as secure as using private and public keys for authentication !
First make sure that that you have the fallowing permissions set, on the server side.
First check your home dir (SERVER SIDE)
[vini#random ~]$ ls -ld ~
drwx------. 3 vini vini 127 Nov 23 15:29 /home/vini
if it is not like this, run
chmod 0700 /home/your_home
Now check .ssh folder
[vini#random ~]$ ls -ld /home/vini/.ssh/
drwx------. 2 vini vini 29 Nov 23 15:28 /home/vini/.ssh/
if it is not looking like this, run
chmod 0700 /home/your_home/.ssh
now make sure that authorized_keys looks like this
[vini#venon ~]$ ls -ld /home/vini/.ssh/authorized_keys
-rw-------. 1 vini vini 393 Nov 23 15:28 /home/vini/.ssh/authorized_keys
or just run
chmod 0600 /home/your_home/.ssh/authorized_keys
After that go to /etc/ssh/sshd_config
For best security set
PermitRootLogin no
PubkeyAuthentication yes
keep as yes for testing purposes
PasswordAuthentication yes
Make sure that
ChallengeResponseAuthentication no
Comment those lines for GSSAPI
# #GSSAPIAuthentication yes
# #GSSAPICleanupCredentials no
Make sure that is set to UsePAM yes
UsePAM yes
now restart sshd service
systemctl restart sshd
on the client side
cd /home/your_home/.ssh
generate new keys; setting a password is optional but is a good idea
ssh-keygen -t rsa -b 2048
copy pub key to your server
ssh-copy-id -i id_rsa.pub user_name#server_ip
start ssh agent
eval $(ssh-agent)
ssh-add /home/user/.ssh/your_private_key
now your are good to go !
ssh user_name#server_ip
if everything works just fine
make a backup of your private key and then deny PasswordAuthentication
PasswordAuthentication no
Restart you server
now anyone trying to ssh into your server, without your keys should get
vini#random: Permission denied (publickey).
keep script kids away from your business, and good luck
As everybody else has already said you need to edit /etc/ssh/sshd_config and change PasswordAuthentication no to PasswordAuthentication yes
I ran into this problem setting up a Vagrant box - so therefore it makes sense to script this and do it automatically in a shell provisioner:
sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config;
sudo systemctl restart sshd;
The isssue is the username for most publickey errors on centos instances on AWS.
For Permission denied (publickey,gssapi-keyex,gssapi-with-mic):
its pretty simple. Just change your username from centos to ec2-user and the issue is solved.
Thank me later :)
please make sure following changes should be uncommented, which I did and got succeed in centos7
vi /etc/ssh/sshd_config
1.PubkeyAuthentication yes
2.PasswordAuthentication yes
3.GSSAPIKeyExchange no
4.GSSAPICleanupCredentials no
systemctl restart sshd
ssh-keygen
chmod 777 /root/.ssh/id_rsa.pub
ssh-copy-id -i /root/.ssh/id_rsa.pub user#ipaddress
thank you all and good luck
I had the same problem. In my case, macOS doesn't load my SSH keys, but I fix it with:
ssh-add <SSH private key>
ssh-add <SSH public key>
I couldn't connect to a Droplet on DigitalOcean, but the subsequent commands work for me.
You can go to the forum here.
According to the line debug1: Authentications that can continue: publickey,gssapi-with-mic , ssh password authentication is disabled and apparently you are not using public key authentication.
Login to your server using console and open /etc/ssh/sshd_config file with an editor with root user and look for line PasswordAuthentication then set it's value to yes and finally restart sshd service.
Tried a lot of things, it did not help.
It get access in a simple way:
eval $(ssh-agent) > /dev/null
killall ssh-agent
eval `ssh-agent`
ssh-add ~/.ssh/id_rsa
Note that at the end of the ssh-add -L output must be not a path to the key, but your email.
In Centos 7
Error : publickey,gssapi-keyex,gssapi-with-mic
Ans : Root access to vi /etc/ssh/sshd_config and change the PasswordAuthentication ( no ) to yes.
2 . Restart the sshd services
root> systemctl restart sshd.service
Logon into local id via putty without key.
As a few others have mentioned, make sure you are using the right private key when you ssh into your server. I had multiple ssh private keys set up in my directory, so it was defaulting to a different key. To ssh with the correct key call it out in your CLI call ssh centos#IP-ADDRESS -i YOUR-PATH-TO-KEY, in my case the path was ~/.ssh/id_rsa
Nobody has mention this in. above answers so i am mentioning it.
This error can also come if you're in the wrong folder or path of your pem file is not correct. I was having similar issue and found that my pem file was not there from where i am executing the ssh command
cd KeyPair
ssh -i Keypair.pem ec2-user#244.255.255.255
I know this is an old question, but thought I'd add my fix in the pot.
I was getting the same error trying to connect to Amazon Linux from Ubuntu. The solution was to simply change this:
ssh-add -c <key_location>.pem
to this:
ssh-add "<key_location>.pem"
... pretty simple change there got me in.
fixed by setting GSSAPIAuthentication to no in /etc/ssh/sshd_config
Maybe you should assign the public key to the authorized_keys, the simple way to do this is using ssh-copy-id -i your-pub-key-file user#dest.
And I think this will clearify the cause of posted problem, actualy this is bug of pssh itself (contains inside "askpass-client.py"). It is pssh's lib file. And there is documented issue for -A case:
https://code.google.com/archive/p/parallel-ssh/issues/80
There are two possible resolutions to use version of pssh containing this bug in case you forced to use passphrase for private key access:
Correct your "askpass-client.py" as described in link listed before in my post.
Using your favorite pass keeper.
Thnks for attention, hope it helps!
I try
rm ~/.ssh/id_rsa.pub
then it work!
First a password login has to be established to remote machine
Firstly make a password login
you have to enable a password login by enabling the property ie) PasswordAuthentication yes in sshd_config file.Then restart the sshd service and copy the pub key to remote server (aws ec2 in my case), key will be copied without any error
Without password login works if and only if password login is made first
copy the pub key contents to authorised keys, cat xxx.pub >> ~/.ssh/authorized_keys
This can happen if you are missing the correct id_rsa key set up in authorized_keys for an AWS instance.
Exact error I got (this article came up when I googled the error):
ec2-user#X.X.X.X: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Note: If you have many keys, you have to either specify the key on the ssh command line or else add it to you ssh-agent keys (see ssh-add -l). Only the first 6 keys from ssh-agent may work - the default sshd MaxAuthTries config value is 6.
Hope, this will help someone. Problem I encountered is, I was completely using wrong key with the IP. Make sure you are using the right key for the right IP
For me it is a completely mistake, someone copy paste the key into the same row with another key, after separating them into two different lines then it works again, so check if your authorized_key file has similar mistakes !
I had same issue Permission denied (publickey, gssapi-keyex, gssapi-with-mic) earlier.
I had to go /etc/ssh/sshd_config to add the user user into AllowUsers section, then restarted sshd service.
Let me share with you how I did it and I am sure you will find good answer here.
Make sure the following
Step 1. You have Public DNS (IPv4) from aws E.g ec2-IPV4.us-east-2.compute.amazonaws.com
Step 2. You remember where your your_secret_key_is.pem E.g its better to keep it far from root of the known folders like Downloads, Desktop or Documents
Step 3 Open terminal and add the command sudo ssh -v -i path-to-key.pem ec2-user#host
ec2-user is important because it for some linux server it is the username
sudo it needs permission to execute
host It is Amazon Public DNS (IPv4) (copy step 1)
Find more info here
Permission denied (publickey)
seems like an issue generated by the ssh client rather than the ssh server in my case.
Here's what caused my problem and how I solved.
The problem source is I used sudo to generate the keys like this:
sudo ssh-keygen -t ed25519 -f ~/.ssh/serverA_ed25519_key
This automatically set the owner of these key files to root only, so my current user doesn't have permission to read the keys.
Now solution #1 is change the file ownership to your current user. This's what I did.
sudo chown CURRENT_USER ~/.ssh/serverA_ed25519_key
Solution #2 would be just run ssh client with sudo when you try to connect to the ssh server.
Finally, a trick to find the source of problem with ssh client.
ssh -v -o IdentitiesOnly=yes -i ~/.ssh/serverA_ed25519_key me#serverA
This let me focus on the problem by:
show verbose info by -v flag.
the -o option and -i ~/.ssh/serverA_ed25519_key force ssh client to try with this key ONLY, not all the keys you have.
I also have this error info : Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Using cmd: ssh -i "~/.ssh/old.pem" user#ip cause the error.
Problem is old.pem has been deprecated, after changing to newest pem file,
the error disappears.
In my case, I was using wrong username. Fixed that and the issue got resolved.
The issue is simple, the owner for the key should be one in case if windows ( Just remove other users and keep only one or deny other users permissions) for linux/Mac just do a chmod 400 as this will only give read permission only to the user and no permission to groups or public.
I run into this strange error whiles connecting from my Mac(host) to a CentOS(7.9) guest. I had to explicitly passed the key file to the ssh client ssh root#ip -i private_key_file before connection was successful.
Earlier on, I had enabled the following after the usual key generation with ssh-keygen and copying with ssh-copy-id
PermitRootLogin yes #Logging in with root, it was set by default
PasswordAuthentication no
I decided against using the default name provided by ssh-keygen though the generated file was saved at the same location as the default.
I left the other default values untouched.
Don't forget to restart sshd on the remote machine.
I got Sucess !!
I've copied my ssh_keys from my other machine and tryed to log to my AWS EC2, but it failed:
sign_and_send_pubkey: signing failed for RSA "/home/xxxx/.ssh/my_rsa" from agent: agent refused operation
ec2-user#bla-blah-blah.zzzzz.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The solution was:
cd $HOME/.ssh
ls -l
-r-x------ 1 xxxx xxxx 1766 May 4 09:13 id_rsa
-r-x------ 1 xxxx xxxx 405 May 4 09:13 id_rsa.pub
-rw-r--r-- 1 xxxx xxxx 444 May 6 17:18 known_hosts
Optional command:
rm known_hosts
chmod 400 id*
ssh -i ./id_rsa.pub ec2-user#bla-blah-blah.zzzzz.amazonaws.com
Last login: Fri May 6 19:09:48 2022 from 123.456.77.9
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
Just run this to add your key to localhost of current user.
ssh-copy-id localhost

The authorized_keys permission denied only if I create the file when I mount the disk from other OS

Env:
VM A : the machine I want to access with out password
VM B : I want to access VM A without password from the machine
Problem Description:
As I want to access VM A from VM B without password, I want first inject VM B's public key into VM A, but I still need password if I use ssh-copy, so I try to inject the file by mount.
The steps:
Start VM A from LiveCD
Mount VM A's root disk(contains the OS)
Create an authorized_keys file under ${mount_point}/root/.ssh/
Cat the VM B's public key into the authorized_keys file
Stop the VM A and remove the LiveCD then start the VM A again
Access the VM A from VM B by command
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PasswordAuthentication=no root#9.112.224.130
Results:
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
But after I did following commands, it works (file mode are all 600 and not difference with diff command)
mv authorized_keys authorized_keys_bak
cp authorized_keys_bak authorized_keys
so I try to inject it again, but for this time, I create an empty authorized_keys file before start from LiveCD, and skip the step 3, other step are all the same, for this time the VM B can access VM A without password
Questions:
The property for authorized_keys and authorized_keys_bak are all the same, why one works, one not works?
I authorized_keys can works only when I create the file not mount from LiveCD?
ssh-copy-id will ask you password one time to inject the keys into remote system.
Logs which you have shown is from ssh client. We would need ssh server logs as well to check why ssh server is not able to verify user credentials.
From client logs, we can say, it has tried for publickey based (without password) authentication but it failed (means rejected by server). So remaining method is "keyboard-interactive" (which is supported by server) but client doesn't support it so no authentication method to try so it failed.
Can you also check following things for working & non-working scenerio
check user's publickey on client and server which is used for authentication
on client -> /users//.ssh/id_rsa.pub
on server -> /etc/ssh/authorized_keys (check entry for your username)

CentOS scp without password not working

I have been trying to connect from one EC2 instance to another using ssh public keys and have been having a very tough time.
Here is the scenario:
I need to have box 2 scp a file from box 1 in a script. This script will need to be able to scp without a password so I need to setup public keys.
On box 2 I ran ssh-keygen –t rsa and generated id_rsa and id_rsa.pub
I copied id_rsa.pub to box 1
I moved id_rsa.pub to .ssh and ran cat id_rsa.pug >> authorized_keys
I changed permissions of all .ssh directory to 700 on both boxes and the files themselves to 600.
I have changed the sshd_config settings on box 1 to:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
And then restarted ssh
/sbin/service sshd restart
When I try to scp or ssh into box1 from box1 I get the error:
Address 67.22.33.1 maps to ec2-67-22-33-1.compute-1.amazonaws.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
tomcat#tomcat1.****.com's password:
Any ideas?
I made that change and tried scp to tomcat1 and it failed. Here is the output:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to tomcat1.****.com [67.22.33.15] port 22.
debug1: Connection established.
debug1: identity file /home/tomcat/.ssh/identity type -1
debug1: identity file /home/tomcat/.ssh/id_rsa type 1
debug1: identity file /home/tomcat/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'tomcat1.****.com (67.22.33.15)' can't be established.
RSA key fingerprint is 5a:3e:fe:be:b8:0e:05:63:bf:ab:c8:4f:e5:91:db:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'tomcat1.****.com,67.22.33.15' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/tomcat/.ssh/identity
debug1: Offering public key: /home/tomcat/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/tomcat/.ssh/id_dsa
debug1: Next authentication method: password
Your authorized keys line should be
AuthorizedKeysFile %h/.ssh/authorized_keys
The server is looking in the wrong directory for your server.
UPDATE - FIXED IT
restorecon -R -v -d /root/.ssh
This is a known issue with RH where directories get mislabelled and PAM prevends sshd from reading authorized_hosts when run as init script. You'll see the errors if you stumble across /var/log/audit/audit.log. Rare it seems but painful when it happens!
More details at https://bugzilla.redhat.com/show_bug.cgi?id=499343
ORIGINAL POST
I've just hit what looks like exactly this problem. I had a poorly tuned VirtualBox (I hadn't told vbox to use 64bit) -- which when I cloned and restarted (in vbox RedHat 64-bit mode), started asking me for a password.
The original image was fine -- with identical settings -- so I think the suggestion of being networking-related might be relevant, or else to do with server keys.
The weird thing however is that if on the box, I kill the sshd process which autostarted, then manually run /usr/sbin/sshd as root, I can log in passwordless fine. A silly workaround, but usable.
So it is an /etc/init.d/sshd issue. But I haven't been able to track down what it is ... have tried chucking out most of the stuff in that script but it still prompts for password when invoked as /etc/init.d/sshd start but not when at /usr/sbin/sshd.
Maybe these comments can help, and someone can then help further!?
Try removing box1 IP from ~/.ssh/known_hosts, so it renews. Perhaps ssh disables key authentication due to possible 'man in the middle' attack.
If it won't help, add line
GSSAPIAuthentication no
in your /etc/ssh/ssh_config file.
I think this link will solve your problem and I use it to solve my ssh not login problem. The keypoint is to run
ssh root#node02 'restorecon -R -v /root/.ssh'
this command will fix SE
http://blog.firedaemon.com/2011/07/27/passwordless-root-ssh-public-key-authentication-on-centos-6/
After following previous steps I had to set the permission to ".." in the .ssh folder:
Once I had for ~/.ssh:
drwx------ 2 build build 4096 Nov 4 14:35 .
drwx------ 6 build build 4096 Nov 4 14:34 ..
-rw------- 1 build build 400 Nov 4 14:35 authorized_keys
It worked!
Thanks. Damian
I had the exact same problem and have been scratching my head for an entire afternoon.
It turned out to be a small sshd_config file issue.
first, change access mod on .ssh folder of the remote host to user access only.
chmod 700 ~/.ssh
next, go to /etc/ssh/sshd_config, change StrictModes yes to StrictModes no. If it's commented out, then specifically add StrictModes no into the file.
That solved the issue.
And one more thing I just found, I had to edit the .ssh/authorized_keys file to and make hostname fully qualified. Otherwise, I couldn't use the fully qualified name in the scp/ssh command. Now both fully qualified (like "host.company.com") & the relative name ("host") work, given that both hosts are in the "company.com" domain. ssh-keygen created the public key file with just the hostname.