How can I get sshd to tell me why it's failing public key authentications?


On the server side, set the log level to DEBUG3. On the client side, connect with the -vvv option (which gives you DEBUG3 on the client side as well).
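One trap when following this answer: sshd_config(5) states that for each keyword the first obtained value is used, so a `LogLevel DEBUG3` appended at the bottom of a file that already contains `LogLevel INFO` (or VERBOSE, as in the question) changes nothing. The helper below, added here as an example and not part of the original answer, computes the level sshd will actually use from a config text and rewrites the file so DEBUG3 wins. It never touches a running sshd; `SAMPLE_CONFIG` is a constructed fragment, not a real server's configuration.

```python
import re

# Added example for the answer above; not the answer's own code and it does not
# touch a live sshd. SAMPLE_CONFIG is a constructed sshd_config fragment.
# sshd_config(5): "the first obtained value will be used" for each keyword, so a
# 'LogLevel DEBUG3' appended below an existing 'LogLevel INFO' is ignored.

LOGLEVEL_RE = re.compile(
    r"^\s*(?P<comment>#\s*)?LogLevel(?:\s*=\s*|\s+)(?P<value>\S+)", re.I)
MATCH_RE = re.compile(r"^\s*Match\b", re.I)
VALID_LEVELS = ("QUIET", "FATAL", "ERROR", "INFO", "VERBOSE",
                "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3")


def effective_loglevel(config_text):
    """Global LogLevel sshd would use: the first active directive before any
    Match block, or INFO (the documented default) if there is none."""
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            break                       # LogLevel inside Match is per-connection
        m = LOGLEVEL_RE.match(line)
        if m and not m.group("comment"):
            return m.group("value").upper()
    return "INFO"


def set_loglevel(config_text, level):
    """Return config_text with the global LogLevel forced to `level`.

    The first active directive is rewritten; later global ones, which sshd
    would ignore anyway, are commented out so they do not mislead anyone; if
    there is none, the directive goes at the top, ahead of any Match block."""
    level = level.upper()
    if level not in VALID_LEVELS:
        raise ValueError(f"not an sshd LogLevel: {level}")
    out, done, in_match = [], False, False
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            in_match = True
        m = LOGLEVEL_RE.match(line)
        if m and not m.group("comment") and not in_match:
            if not done:
                out.append(f"LogLevel {level}")
                done = True
            else:
                out.append("#" + line)  # shadowed duplicate, now visibly dead
            continue
        out.append(line)
    if not done:
        out.insert(0, f"LogLevel {level}")
    return "\n".join(out) + "\n"


SAMPLE_CONFIG = """\
# constructed sample, not a real server's config
Port 22
LogLevel INFO
PasswordAuthentication yes
LogLevel DEBUG3
Match User backup
    LogLevel VERBOSE
"""

if __name__ == "__main__":
    print("before:", effective_loglevel(SAMPLE_CONFIG))   # INFO, not DEBUG3
    fixed = set_loglevel(SAMPLE_CONFIG, "debug3")
    print("after: ", effective_loglevel(fixed))           # DEBUG3
    print(fixed)
```

After editing the real file, `sshd -t` checks that it still parses and `sshd -T | grep -i loglevel` prints the value sshd will use, which is the quickest way to confirm the edit took before restarting or reloading the daemon. Then reproduce the failure with `ssh -vvv` from the client and read both sides together. Revert to INFO or VERBOSE afterwards: sshd_config(5) notes that logging at a DEBUG level violates the privacy of users, and at DEBUG3 auth.log grows quickly.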


Author: einpoklum

Made my way from the Olympus of Complexity Theory, Probabilistic Combinatorics and Property Testing to the down-to-earth domain of Heterogeneous and GPU Computing, and now I'm hoping to bring the gospel of GPU and massive-regularized parallelism to DBMS architectures. I've post-doc'ed at the DB architecture group in CWI Amsterdam to do (some of) that. I subscribe to most of Michael Richter's critique of StackOverflow; you might want to take the time to read it. If you listen closely you can hear me muttering "Why am I not socratic again already?"

Updated on September 18, 2022

Comments

  • einpoklum
    einpoklum over 1 year

    I'm using OpenSSH 6.9p1 (on Lubuntu) as my SSH server. When trying to connect to it (using an SSH client in Cygwin), I keep being reverted to password authentication, despite having properly generated my keys, put them in the authorized key file on the server, checked the permissions etc.

    So, I look in /var/log/auth.log to see what the server says. I find this:

    Nov  1 09:50:10 er-thinkpad sshd[16148]: Accepted password for joeuser from 192.168.2.6 port 53325 ssh2
    Nov  1 09:50:10 er-thinkpad sshd[16148]: pam_unix(sshd:session): session opened for user joeuser by (uid=0)
    Nov  1 09:50:10 er-thinkpad systemd-logind[590]: New session 497 of user joeuser.
    

    ... and nothing before that first line about the public key authentication failure. Ok, let's increase the verbosity maybe. So I change LogLevel from INFO to VERBOSE and try again. Now I get:

    Nov  1 09:53:12 er-thinkpad sshd[16269]: Connection from 192.168.2.6 port 53349 on 192.168.2.2 port 22
    Nov  1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: RSA SHA256:removedthis
    Nov  1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: ECDSA SHA256:removedthis
    Nov  1 09:53:15 er-thinkpad sshd[16269]: Accepted password for joeuser from 192.168.2.6 port 53349 ssh2
    Nov  1 09:53:15 er-thinkpad sshd[16269]: pam_unix(sshd:session): session opened for user joeuser by (uid=0)
    Nov  1 09:53:15 er-thinkpad systemd-logind[590]: New session 499 of user joeuser.
    Nov  1 09:53:15 er-thinkpad sshd[16269]: User child is on pid 16271
    Nov  1 09:53:15 er-thinkpad sshd[16271]: Starting session: shell on pts/5 for joeuser from 192.168.2.6 port 53349
    

    So great, it failed, but why did it fail? How can I get sshd to tell me that?


    PS - Just so you know, here's what the client sees:

    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/joeuser/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Skipping ssh-dss key /home/joeuser/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
    debug1: Offering ECDSA public key: /home/joeuser/.ssh/id_ecdsa
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /home/joeuser/.ssh/id_ed25519
    debug1: Next authentication method: password
    
  • einpoklum
    einpoklum over 8 years
    I mistakenly assumed DEBUG would only add, well, debugging-related log messages rather than useful information, but I guess I should have seen that coming.
  • EEAA
    EEAA over 8 years
    @einpoklum So what was the problem?
  • einpoklum
    einpoklum over 8 years
    Line breaks in the authorized_keys2 entry (which looked like wrapping).
  • piksel bitworks
    piksel bitworks almost 5 years
    @einpoklum Thanks, that was it for me too. So frustrating!
  • Der_Meister
    Der_Meister about 2 years
    It was a problem with SELinux for me.
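The root cause the thread settles on, an entry wrapped across two lines, is easy to catch without raising the log level at all: sshd parses each line of authorized_keys on its own, so the first fragment is a truncated key blob and the second fragment has no key type. The checker below, added here as an example and not code from the question or the comments, walks each entry's base64 blob field by field the way sshd will and reports exactly that. `SAMPLE` is constructed in code and its key material is filler, not real keys.

```python
import base64
import struct

# Added example, not code from the question or the comments. It checks the
# structure of authorized_keys entries the way sshd will parse them and flags
# the line-wrapped entries the thread ends up blaming. SAMPLE below is
# constructed in code; the key material in it is filler, not real keys.

# Number of length-prefixed "string" fields in each key type's blob; the first
# field repeats the key type name and must match the text before the blob.
BLOB_FIELDS = {
    "ssh-ed25519": 2,                         # type, public key
    "ssh-rsa": 3,                             # type, e, n
    "ssh-dss": 5,                             # type, p, q, g, y
    "ecdsa-sha2-nistp256": 3,                 # type, curve name, point
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "sk-ssh-ed25519@openssh.com": 3,          # type, public key, application
    "sk-ecdsa-sha2-nistp256@openssh.com": 4,  # type, curve, point, application
}


def tokenize(line):
    """Split on whitespace, keeping quoted option values (command="a b") intact."""
    tokens, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_blob(blob_b64, keytype):
    """Decode a key blob and walk its fields; None if well-formed, else why not."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:                 # binascii.Error is a ValueError
        return f"blob is not valid base64 ({exc})"
    off, fields = 0, []
    for i in range(BLOB_FIELDS[keytype]):
        if off + 4 > len(blob):
            return f"blob truncated before field {i}"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            return f"blob truncated inside field {i} (needs {n} bytes, {len(blob) - off} left)"
        fields.append(blob[off:off + n])
        off += n
    if off != len(blob):
        return f"{len(blob) - off} trailing bytes after the last field"
    if fields[0] != keytype.encode():
        return f"blob is a {fields[0].decode(errors='replace')} key but the line says {keytype}"
    return None


def check_authorized_keys(text):
    """Return (line number, problem) for every entry sshd would not accept."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = tokenize(line)
        idx = next((i for i, t in enumerate(tokens) if t in BLOB_FIELDS), None)
        if idx is None:
            problems.append((lineno, "no key type on this line (wrapped remainder of the previous entry?)"))
        elif idx + 1 >= len(tokens):
            problems.append((lineno, "key type with no blob after it"))
        else:
            reason = parse_blob(tokens[idx + 1], tokens[idx])
            if reason:
                problems.append((lineno, reason))
    return problems


def _blob(*fields):
    """Build a base64 blob from raw fields (constructed filler, not real keys)."""
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()


ED25519 = _blob(b"ssh-ed25519", bytes(range(32)))
RSA = _blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x7f" * 256)
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {ED25519} joeuser@laptop",
    f'command="/usr/bin/rrsync /srv",no-pty ssh-ed25519 {ED25519} backup',
    f"ssh-rsa {RSA[:76]}",             # entry wrapped by an editor: first part
    f"{RSA[76:]} joeuser@laptop",      # ...and the remainder on its own line
])

if __name__ == "__main__":
    for lineno, problem in check_authorized_keys(SAMPLE):
        print(f"line {lineno}: {problem}")
```

On a real host, `ssh-keygen -lf ~/.ssh/authorized_keys` gives a quicker sanity check: it prints a fingerprint per key it can parse, so an entry that yields none is worth opening in an editor that does not soft-wrap. A structurally clean file can still be rejected for the reasons the other comments hit: with `StrictModes yes` (the default) the home directory, `~/.ssh` and the file must not be group- or world-writable and must be owned by the user, and on an SELinux host a file copied into `~/.ssh` can carry the wrong label until `restorecon -Rv ~/.ssh` fixes it. Both of those show up in the DEBUG3 log the accepted answer asks for.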