How can I get sshd to tell me why it's failing public key authentications?
On the server side, set the log level to DEBUG3. On the client side, connect with the -vvv option (which gives you DEBUG3 on the client side as well).
einpoklum
Updated on September 18, 2022
Comments
-
einpoklum over 1 year
I'm using OpenSSH 6.9p1 (on Lubuntu) as my SSH server. When trying to connect to it (using an SSH client in Cygwin), I keep being reverted to password authentication, despite having properly generated my keys, put them in the authorized key file on the server, checked the permissions etc.
So, I look in /var/log/auth.log to see what the server says. I find this:
Nov 1 09:50:10 er-thinkpad sshd[16148]: Accepted password for joeuser from 192.168.2.6 port 53325 ssh2
Nov 1 09:50:10 er-thinkpad sshd[16148]: pam_unix(sshd:session): session opened for user joeuser by (uid=0)
Nov 1 09:50:10 er-thinkpad systemd-logind[590]: New session 497 of user joeuser.
... and nothing before that first line about the public key authentication failure. Ok, let's increase the verbosity maybe. So I change LogLevel from INFO to VERBOSE and try again. Now I get:
Nov 1 09:53:12 er-thinkpad sshd[16269]: Connection from 192.168.2.6 port 53349 on 192.168.2.2 port 22
Nov 1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: RSA SHA256:removedthis
Nov 1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: ECDSA SHA256:removedthis
Nov 1 09:53:15 er-thinkpad sshd[16269]: Accepted password for joeuser from 192.168.2.6 port 53349 ssh2
Nov 1 09:53:15 er-thinkpad sshd[16269]: pam_unix(sshd:session): session opened for user joeuser by (uid=0)
Nov 1 09:53:15 er-thinkpad systemd-logind[590]: New session 499 of user joeuser.
Nov 1 09:53:15 er-thinkpad sshd[16269]: User child is on pid 16271
Nov 1 09:53:15 er-thinkpad sshd[16271]: Starting session: shell on pts/5 for joeuser from 192.168.2.6 port 53349
So great, it failed, but why did it fail? How can I get sshd to tell me that?
PS - Just so you know, here's what the client sees:
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/joeuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Skipping ssh-dss key /home/joeuser/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Offering ECDSA public key: /home/joeuser/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/joeuser/.ssh/id_ed25519
debug1: Next authentication method: password
-
einpoklum over 8 years
I mistakenly assumed DEBUG would only add, well, debugging-related log messages rather than useful information, but I guess I should have seen that coming.
-
EEAA over 8 years
@einpoklum So what was the problem?
-
einpoklum over 8 years
line breaks in the authorized_keys2 entry (which looked like wrapping).
-
piksel bitworks almost 5 years
@einpoklum Thanks, that was it for me too. So frustrating!
-
Der_Meister about 2 years
It was a problem with SELinux for me.
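
The cause reported in the comments above (an authorized_keys entry broken across lines) can be checked for directly. The script below is an added example, not part of the thread and not OpenSSH code; the function names and the sample key (a dummy blob of zero bytes) are constructed for illustration.

```python
import base64
import re
import struct

# Key type names that can start the key field (common ones; not exhaustive).
KEY_TYPES = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[\w@.-]+)$")

def blob_key_type(b64):
    """Walk the length-prefixed fields of a key blob; return its type name, or None if damaged."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # bad characters or padding (binascii.Error is a ValueError)
        return None
    fields, pos = [], 0
    while pos < len(raw):
        if pos + 4 > len(raw):
            return None
        (n,) = struct.unpack(">I", raw[pos:pos + 4])
        pos += 4
        if pos + n > len(raw):
            return None  # field runs past the end: the blob was cut short
        fields.append(raw[pos:pos + n])
        pos += n
    return fields[0].decode("ascii", "replace") if len(fields) >= 2 else None

def check_authorized_keys(text):
    """Return (line_number, problem) pairs for entries that cannot be a complete key."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Anything before the key type is the options field (simplified: quoted
        # option values that themselves contain a key type name are not handled).
        idx = next((i for i, f in enumerate(fields) if KEY_TYPES.match(f)), None)
        if idx is None:
            problems.append((num, "no key type on this line (continuation of a wrapped key?)"))
        elif idx + 1 >= len(fields):
            problems.append((num, "key type with no key data"))
        elif blob_key_type(fields[idx + 1]) != fields[idx]:
            problems.append((num, "key data truncated or does not match its type"))
    return problems

# Constructed sample: a dummy ssh-ed25519 blob (32 zero bytes), once intact and once wrapped.
B64 = base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)).decode()
SAMPLE = f"# constructed\nssh-ed25519 {B64} joeuser@ok\nssh-ed25519 {B64[:40]}\n{B64[40:]} joeuser@wrapped\n"

if __name__ == "__main__":
    for num, problem in check_authorized_keys(SAMPLE):
        print(f"line {num}: {problem}")
```

To check a real file, pass its contents to check_authorized_keys(); an empty result only means every entry is structurally complete, not that the key matches the one the client offers.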