I wanted to access the other Ubuntu system in order to establish my Hadoop cluster, but I don't know which password I should enter in order to get access.
I've tried confirming the connection by sending a ping to the other system and it shows that everything is alright.
And every time I try this:
ssh 192.168.43.196
It shows the following:-
karan@192.168.43.196's password:
Permission denied, please try again.
karan@192.168.43.196's password:
Permission denied, please try again.
karan@192.168.43.196's password:
karan@192.168.43.196: Permission denied (publickey, password).
I tried my root password and the other system's too
I tried the following commands too but nothing worked, all end up with same password thing.
ssh-copy-id 192.168.43.196
ssh -v root@192.168.43.196
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no account@192.168.43.196
This is what my sshd_config looks like
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Came across an SSH key based issue :
SSH Client : HALP-GRDB
SSH Server (has 2 IPs for management & service) : 10.100.113.55 and
10.100.114.55
SSH to the Server IP 10.100.113.55
[root@HALP-GRDB .ssh]# ssh rapid@10.100.113.55
The authenticity of host '10.100.113.55 (10.100.113.55)' can't be established.
ECDSA key fingerprint is c8:d7:70:6c:1b:13:99:d8:76:0b:dc:25:84:a1:e7:86.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.100.113.55' (ECDSA) to the list of known hosts.
rapid@10.100.113.55's password:
[rapid@HALP-MSERV1 ~]$
All is good and am able to login via ECDSA Key
Now SSH to the alternate IP 10.100.114.55
Things get weirder:
an RSA key has been asked for auth
> [root@HALP-GRDB .ssh]# ssh rapid@10.100.114.55
> The authenticity of host '10.100.114.55 (10.100.114.55)' can't be established.
> RSA key fingerprint is c8:b7:31:02:75:b5:48:12:ef:9a:d7:95:91:0d:c0:f5.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '10.100.114.55' (RSA) to the list of known hosts.
> ################################################################################
> !!!!! WARNING !!!!!
> For authorized use only!
> Any unauthorized use of this system is unlawful.
> Any use of this system may be logged or monitored without further notice.
> !!!!! WARNING !!!!!
> ################################################################################
> User Authentication Password:
> User Authentication Password:
> User Authentication Password:
> Authentication Password:
> Authentication Password:
> Received disconnect from 10.100.114.55: 2:
> The connection is closed by SSH server
And even after entering the correct password, am kicked out
Server side sshd_config file :
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
PermitRootLogin no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 600
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Server side ssh_config file :
[root@HALP-MSERV1 .ssh]# cat /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
#
# Uncomment this if you want to use .local domain
# Host *.local
# CheckHostIP no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
Appreciate your expert opinions for the rectification of the same.
Thanks !!
I have read and watched lots of tutorials and I can't get it to work.
In CentOS 7 I have done the following:
I have created the /.ssh folder with 700 in permissions and me as the owner
$ mkdir .ssh
$ chmod 700 .ssh/
Then I cd to it
$ cd .ssh
I proceeded to generate the key
$ ssh-keygen
I have chosen the passphrase
Then I created inside the .ssh/ folder the authorized_keys file
$ nano authorized_keys
I pasted the content of id_rsa.pub inside of it.
Then I proceeded to edit the sshd_config
$ sudo nano /etc/ssh/sshd_config
And changed the following values
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
I saved and exited. I restarted sshd
$ sudo systemctl restart sshd.service
Then I downloaded both id_rsa and id_rsa.pub files to my local desktop computer.
I tried lots of times to connect via SSH using the cmder software in Windows as follows:
λ ssh -i C:\Users\MyUsername\path\to\id_rsa.pub username@serverAddress
And the server indeed asks me for the passphrase but it is always wrong! It doesn't work and then it passes to the default username password login
:(
Why isn't the key passphrase working? What am I missing in the setup?
I tried the same in Ubuntu and it is not working either.
ssh -i C:\Users\MyUsername\path\to\id_rsa.pub username@serverAddress
Do you give id_rsa.pub to the ssh command? You have to give id_rsa, the secret key.
Heyho,
I have a kind of weird problem with an Ubuntu server that runs open ssh-server.
Everything configuration wise is working except for one thing. I cannot connect via putty with my .ppk key to the server, right after it booted.
I get a "server refused our key". Since the thing is currently running in Virtual Box I still have access over the direct login. So I login with my user and my password and instantly log out again.
Now I can connect via putty and the .ppk key. And I have no idea why. Either I missed some explanation somewhere or I screwed up something somewhere with the configs. If anybody can point me in the right direction I'd be grateful!
sshd_config:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes no
RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin yes
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
AllowTcpForwarding yes
The key is in the described place and everything, and as said, I can connect just fine after logging in directly on the VM after a reboot, but no matter what I try I cannot get it to connect without that one login.
This has been answered many times and is more suitable for AskUbuntu.
In short, you have encrypted home folder (even with your AuthorizedKeysFile) and therefore the server can't authenticate you. One possibility is to move the authorized keys somewhere else (AuthorizedKeysFile /etc/ssh/%u/authorized_keys) and decrypt your home folder upon login or just remove the encryption. Official documentation describes it well.
I'm unable to login to SSH because of the following error in /var/log/secure (according to the debug logs):
Dec 19 18:01:05 hostname sshd[25119]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 19 18:01:05 hostname sshd[25119]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': Permission denied
I have the following permissions set on root
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod go-wrx ~
ls -lah gives the following output for those directories:
drwx------. 6 root root 4.0K Dec 19 17:46 root
drwx------. 2 root root 4.0K Dec 19 17:41 .ssh
-rw-------. 1 root root 416 Dec 19 17:12 authorized_keys
I know the key I'm using is correct, as I just setup another server with it without any problems.
I'm running: CentOS release 6.4 (Final)
I've added my sshd config in case there's something misconfigured in there that might be causing the issue:
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Any ideas would be much appreciated.
If the permissions are correct, SELinux might still be preventing sshd from opening the file.
Try fixing the labels inside the .ssh directory (and maybe $HOME):
restorecon -FRvv ~/.ssh
If the user account uses non-standard home path, default labels for the path need to be added to the local configuration first:
semanage fcontext -a -t ssh_home_t "/srv/custom/\.ssh(/.*)?"
(I'm intentionally not suggesting disabling SELinux or setting it to the permissive mode.)
In case SELinux is enabled:
$ getenforce
Enforcing
to temporarily enable pub-key ssl login to a non-standard user home directory location, run:
$ sudo chcon -t ssh_home_t /srv/jenkins/.ssh/authorized_keys /srv/jenkins/.ssh
$ ls -ldZ /srv/jenkins/.ssh/authorized_keys /srv/jenkins/.ssh/
drwxr-xr-x. jenkins jenkins system_u:object_r:ssh_home_t:s0 /srv/jenkins/.ssh/
-rw-r--r--. jenkins jenkins system_u:object_r:ssh_home_t:s0 /srv/jenkins/.ssh/authorized_keys
See https://linux.die.net/man/8/ssh_selinux for the details.
To make SELinux settings permanent run:
$ sudo semanage fcontext -a -t ssh_home_t /srv/jenkins/.ssh/authorized_keys
$ sudo semanage fcontext -a -t ssh_home_t /srv/jenkins/.ssh
$ sudo restorecon -R -v /srv/jenkins/.ssh/
You hit this if you are on modern RHEL, Oracle Linux, CentOS.
I was struggling to use key authentication as well.
Could not open authorized keys '/home/myUserName/.ssh/authorized_keys2': Permission denied
Had checked all the above things when I ended up here (first link on google).
I realize that this is an old post but I will add it here in case somebody else has the same problem as me and ends up here.
I had the owner of the authorized_keys file set to "root", so changing it with:
chown myUserName authorized_keys2
Solved it for me.
I've spent a good couple hours with this crap. Reading loads of illuminated solutions to the issue, here is a boil down of what none of them say clearly.
Summarizing.
The following applies to these files:
~/.ssh/
~/.ssh/authorized_keys
Ownership
The owner and group must be the logging user.
Permissions
Group and public permissions must be set to 0 (no permissions). Yes! sshd thinks you're stupid by default.
And of course, the owner must be allowed to read.
Note. Permissions such as 777 give the same error as 000, even though it is an application policy to not open the file. This was probably the biggest source of confusion during this whole endeavour.
Users
All logging users must exist. By logging users we mean:
The user sent with the url ssh root@localhost
Or, the user in the public key present on the client machine (~/.ssh/id_rsa.pub in the client, not in the server)
Check the /home directory permissions. It should be
drwxr-xr-x. 9 root root 113 Jun 28 22:57 home
and then your home directory detail:
drwxr----- 5 user group 124 May 18 17:00 User
drwx------ 2 user group 29 May 18 12:05 .ssh
-rw------- 1 user group 2235 Jun 28 23:09 authorized_keys
My error messages in logs
/var/log/secure > sshd[22565]: error: Received disconnect from X.X.X.X: 14: No supported authentication methods available [preauth]
On client side
ssh user@X.X.X.X
Permission denied (publickey).
ssh -vvv user@X.X.X.X
...
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
On server side
service sshd stop
run sshd debug mode:
/usr/sbin/sshd -ddd
...
debug1: trying public key file /home/USER/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/USER/.ssh/authorized_keys': Permission denied
...
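The ownership and mode rules listed in the answers above, as a check that can be run against a user's home directory. This is an added example, not code from any of the posters; it assumes GNU stat, the function names are illustrative, and the home-directory rule (no group/other write) is an assumption based on what sshd's StrictModes enforces.

```shell
#!/bin/sh
# Added example: audit the three paths sshd has to traverse to read
# authorized_keys. Assumes GNU coreutils stat; names are illustrative.

# check_path PATH EXPECTED_UID DENY_MASK NEED_MASK
#   DENY_MASK: octal bits that must be clear (group/other access)
#   NEED_MASK: octal owner bit that must be set (x for dirs, r for the file)
# Prints one line per finding and returns the number of findings.
check_path() {
    p=$1; want=$2; deny=$3; need=$4; n=0
    if [ ! -e "$p" ]; then
        echo "missing: $p"
        return 1
    fi
    owner=$(stat -c %u "$p")
    mode=$(stat -c %a "$p")
    if [ "$owner" != "$want" ]; then
        echo "owner: $p belongs to uid $owner, expected uid $want"
        n=$((n + 1))
    fi
    # Leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & 0$deny )) -ne 0 ]; then
        echo "mode: $p is $mode, bits in mask $deny must be clear"
        n=$((n + 1))
    fi
    if [ $(( 0$mode & 0$need )) -eq 0 ]; then
        echo "mode: $p is $mode, owner is missing bit $need"
        n=$((n + 1))
    fi
    return "$n"
}

# audit_ssh_perms HOME_DIR EXPECTED_UID
# Returns the total number of findings (0 means the POSIX side is clean).
audit_ssh_perms() {
    a_home=$1; a_uid=$2; total=0
    # Home: no group/other write (assumption: StrictModes rule), owner needs x.
    check_path "$a_home" "$a_uid" 022 100 || total=$((total + $?))
    # .ssh and authorized_keys: no group/other bits at all, per the answer above.
    check_path "$a_home/.ssh" "$a_uid" 077 100 || total=$((total + $?))
    check_path "$a_home/.ssh/authorized_keys" "$a_uid" 077 400 || total=$((total + $?))
    return "$total"
}

# Stand-alone use: ./audit.sh /home/USER USER
if [ $# -eq 2 ]; then
    audit_ssh_perms "$1" "$(id -u "$2")"
fi
```

If this reports nothing and sshd still logs "Could not open authorized keys ... Permission denied", the cause is outside POSIX permissions, for example the SELinux labels covered in the earlier answers.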
A couple ideas to check:
Can you cat authorized_keys? What does the file look like?
Is your sshd configured to allow root login? This is generally frowned upon,
Are you doing it as root or as a sudoer?
Don't do chmod on ~/.ssh/.... Try to write the exact path: /root/.ssh/..., since sometimes (when using su etc), the ~ can be setup incorrectly. Check and post the permissions again for the full path without using ~ in the command.
Once you are absolutely sure the permissions are OK, check if your sshd is actually running under user root: ps -A u | grep sshd.
A couple of things to double-check:
Are you sure you copied the PUBLIC key to the authorized_keys, not
the private key? :-)
Do cat -tv authorized_keys. Any ^M characters at the end of each line? Do a dos2unix on authorized_keys
Did you restart the ssh daemon after making
configuration changes?
I encountered this same issue and got it solved by changing both .ssh and authorized_keys's owner at the same time:
chown MyUsername:Myusername .ssh
chown MyUsername:Myusername .ssh/authorized_keys
Thanks to @niclaslindgren.
And BTW, it doesn't matter whether there is ^M in authorized_keys or not; I tested and proved it, and it works both ways.
I'm going to throw my answer in here as well since I just wasted the last hour trying to figure out a workaround for another hour I wasted previously on Azure.
This does not work:
AuthorizedKeysFile ~/.ssh/authorized_keys
Generating server-side logs using an alternate port (i.e. /usr/sbin/sshd -ddd -p 12345) reveals the following when using the above configuration:
debug1: trying public key file /root/.ssh/authorized_keys
debug1: Could not open authorized keys '/root/.ssh/authorized_keys': Permission denied
Either of these are correct, however:
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
See also: https://www.ssh.com/ssh/authorized_keys/openssh
For me it was also changing ownership, but not just of authorized_keys but also of the .ssh directory:
chown -R user:user /home/user/.ssh
In my case, home directories are on NFS, which means that ~/.ssh is also on NFS.
Found this answer, and indeed running the following (as root) solved the problem:
setsebool -P use_nfs_home_dirs 1
There is a set of generic steps if one has to find the reason why sshd is refusing to accept a connection or keys.
The details below are for a systemd based system but alternative systems users would be able to find their way easily.
How to debug sshd systematically?
Start watching the journal
journalctl -u sshd -f
Set sshd logging to debug mode in /etc/ssh/sshd_config
LogLevel DEBUG
Restart the daemon to let the change take effect
systemctl restart sshd
We are set on the server side.
Try the client connection now
ssh -o IdentitiesOnly=yes -v -i ~/.ssh/key_to_the_kingdom king@kingdom.gov
IdentitiesOnly disables trying other than the identity specified.
-v to increase the client verbosity so one can see if the client is doing what is expected. (Is able to find and use the key on the client system, is able to negotiate the encryption algorithm, etc.)
(Not posting an example for the client.)
On the server (kingdom.gov in our example), we should see something like the following in the debug mode log:
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: userauth-request for user king service ssh-connection method none [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: attempt 0 failures 0 [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: PAM: initializing for "king"
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: PAM: setting PAM_RHOST to "75.73.78.71"
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: PAM: setting PAM_TTY to "ssh"
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: userauth-request for user king service ssh-connection method publickey [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: attempt 1 failures 0 [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:0hjXPXkM8d91W2D8bg3fcapifm5QJd7QV9wwOEMU1 [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: temporarily_use_uid: 112233/10 (e=0/0)
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: trying public key file /home/king/.ssh/authorized_keys
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: Could not open authorized keys '/home/king/.ssh/authorized_keys': Permission denied
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: restore_uid: 0/0
Jul 14 12:46:39 kingdom.gov sshd[4665]: Failed publickey for king from 83.69.65.84 port 52756 ssh2: RSA SHA256:0hjXPXkM8d91W2D8bg3fcapifm5QJd7QV9wwOEMU1
In my case, the problem was in SELinux not allowing to use authorized_keys stored in the NFS home directory.
You may be asking: How can I check the permissions? What is the identity sshd uses to access the files?
Look at temporarily_use_uid: 112233/10 in the log above. There should be correct UID and primary GID for the user.
In my case, these values were taken from the name service (LDAP) and were as expected.
If the client user identity is incorrect, look into the name service configuration and resolve this issue first.
The directory and file ownership and permissions were as expected (at least u=x for ~ and ~/.ssh directories, at least u=r for authorized_keys, if owned by the user).
It was clear the reason must be in something like SELinux.
Let's check it:
getsebool use_nfs_home_dirs
use_nfs_home_dirs --> off
For that case, the answer by Nadav Aharoni resolves the problem.
setsebool -P use_nfs_home_dirs 1
Cleanup
Restore LogLevel DEBUG in sshd_config to the previous value. (Or comment it out to restore the default.)
systemctl restart sshd
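The log-reading step of the procedure above, automated: this added example (not the answer author's code) groups sshd LogLevel DEBUG lines by PID and reports, for each connection where the keys file could not be opened, the user, the UID/GID from temporarily_use_uid, the file and the error. The sample log is constructed for the example, and the output format is this example's own.

```shell
#!/bin/sh
# Added example: summarize failed authorized_keys opens from sshd debug logs.
# Reads journal or syslog text on stdin, e.g.:
#   journalctl -u sshd | triage_sshd_log

triage_sshd_log() {
    awk '
    {
        # The sshd PID ties together all lines of one connection attempt.
        if (!match($0, /sshd\[[0-9]+\]/)) next
        pid = substr($0, RSTART + 5, RLENGTH - 6)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
    }
    /userauth-request for user / {
        for (i = 2; i < NF; i++)
            if ($i == "user" && $(i - 1) == "for") user[pid] = $(i + 1)
    }
    /temporarily_use_uid: / {
        # The identity sshd switches to before opening the file: uid/gid.
        for (i = 1; i < NF; i++)
            if ($i == "temporarily_use_uid:") ids[pid] = $(i + 1)
    }
    /Could not open authorized keys / {
        # The path is single-quoted in the log; \047 is the quote character.
        # If several files fail for one PID, the last one is reported.
        split($0, q, "\047")
        file[pid] = q[2]
        why[pid] = q[3]
        sub(/^: */, "", why[pid])
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]
            if (p in file)
                printf "pid=%s user=%s uid/gid=%s file=%s error=%s\n",
                       p, user[p], ids[p], file[p], why[p]
        }
    }'
}

# Constructed sample: one failing and one successful public key login.
sample_log() {
    cat <<'EOF'
Jul 14 12:46:39 host.example sshd[4665]: debug1: userauth-request for user alice service ssh-connection method publickey [preauth]
Jul 14 12:46:39 host.example sshd[4665]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Jul 14 12:46:39 host.example sshd[4665]: debug1: trying public key file /home/alice/.ssh/authorized_keys
Jul 14 12:46:39 host.example sshd[4665]: debug1: Could not open authorized keys '/home/alice/.ssh/authorized_keys': Permission denied
Jul 14 12:46:39 host.example sshd[4665]: debug1: restore_uid: 0/0
Jul 14 12:46:41 host.example sshd[4700]: debug1: userauth-request for user bob service ssh-connection method publickey [preauth]
Jul 14 12:46:41 host.example sshd[4700]: debug1: temporarily_use_uid: 1002/1002 (e=0/0)
Jul 14 12:46:41 host.example sshd[4700]: debug1: trying public key file /home/bob/.ssh/authorized_keys
Jul 14 12:46:41 host.example sshd[4700]: Accepted publickey for bob from 192.0.2.10 port 52756 ssh2
EOF
}

sample_log | triage_sshd_log
```

Compare the reported uid/gid with the owner of the reported file; if they match and the modes are right, continue with the SELinux checks from the answer above.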