Public Key authentication failed

ssh authentication
109,636

Solution 1

This bit looks like we used your private key to attempt a cryptographic login, then we had to try others because it was not accepted:

debug1: Trying private key: /home/leetom/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 68:51:b6:ed:cc:c2:54:f4:xx:15:41:d7:f5:4a:0e:da
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password

The simplest problem could be in your copying over of the public key, because I get the same response trying to authenticate with a key that I know the other end doesn't have here.

Rather than manually copying the id over, why not try ssh-copy-id - enter your password and it will update authorized_keys. That should (a) definitely select the same key as ssh should be selecting, (b) ensure you haven't accidentally added any formatting errors.

If that works for you, compare the line added to authorized_keys by ssh-copy-id and hopefully you'll understand what went wrong.

Solution 2

Permissions could be another sort of problem causing publickey authentication failures: check that your ~ and ~/.ssh directories are not readable by anybody except for your user (chmod 700 ~ && chmod 700 ~/.ssh could fix that).

EDIT: permissions 750 for ~ should be okay too.

Solution 3

Sometimes you need to provide the private key explicitly with -i

Example: ssh -i /root/.ssh/id_rsa2 user@remote

Solution 4

By chance, when creating the authorized_keys file, have you misspelled your filename (since you have spelled it as authorzied_keys in the question (i and z exchanged), there is a possibility you have named the file the same way) In the ssh config file, the name of the file is specifically mentioned as 

AuthorizedKeysFile %h/.ssh/authorized_keys

Hence, you need to be particular that the filename is the same. So just verify the filename.

Share:
109,636

Related videos on Youtube

leetom
Author by

leetom

Updated on September 18, 2022

Comments

  • leetom
    leetom over 1 year

    I am using ubuntu 13.10, and the server runs ubuntu 12.04. I had generate private and public keys using ssh-keygen, and put id_rsa.pub to server side and added it to authorzied_keys accordding to the method I found on the Internet. But, I still have to input password while I am trying to login. I have set the home dir to 700, .ssh dir to 700, authorzied_keys file to 600, and I have checke sshd_config file, and nothing happened.

    The debug infomation (with -vvv option) and sshd_config is as following, and nothing listed in server's auth.log file.

    I even have updated openssh-server openssh-client on both client and server side.

    Is there anything else I have to do? Thanks for any infomation.

    debug3: load_hostkeys: loading entries for host "[xxx.101.15.62]:2222" from file "/home/leetom/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/leetom/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "[xxx.101.15.62]:2222" from file "/home/leetom/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/leetom/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host '[xxx.101.15.62]:2222' is known and matches the ECDSA host key.
debug1: Found key in /home/leetom/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/leetom/.ssh/id_rsa ((nil)),
debug2: key: /home/leetom/.ssh/id_dsa ((nil)),
debug2: key: /home/leetom/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/leetom/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 68:51:b6:ed:cc:c2:54:f4:xx:15:41:d7:f5:4a:0e:da
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/leetom/.ssh/id_dsa
debug3: no such identity: /home/leetom/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/leetom/.ssh/id_ecdsa
debug3: no such identity: /home/leetom/.ssh/id_ecdsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:

    and the sshd_config

    # Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
  • leetom
    leetom over 10 years
    It works, thank you very much! It turns out that I had a typo with the authorized_keys filename. I had tried every method and checked the filename many times (I read something about filename typo), but... The eyes won't work well while I am sleepy...
  • Asaf
    Asaf about 10 years
    Using ssh-copy-id made the trick for me
  • IO.Nathan
    IO.Nathan over 8 years
    This works perfectly... unless you have a Mac. :)
  • Greg
    Greg over 8 years
    @Fixee brew install ssh-copy-id if you use homebrew
  • UlfR
    UlfR about 8 years
    Is this really true? The permissions of ~/ should not matter, the default in Ubuntu is usually 755 on home directories and it works for me.
  • AntonioK
    AntonioK about 8 years
    I really faced that using (at remote host) CentOS 7 and both OpenSSH_6.4 and OpenSSH_6.6.1. Doing just chmod 700 ~ have solved my problem.
  • UlfR
    UlfR about 8 years
    Good for you! But: According to this: askubuntu.com/a/69867/31749 there can be no group-write permissions on the home-directory, but group-read should be ok.
  • AntonioK
    AntonioK about 8 years
    Okay, I should check if 750 works in my case on that system.
  • mtraceur
    mtraceur over 7 years
    These exact symptoms can also manifest if you have SELinux enabled and mis-configured such that it prevents sshd from reading the authorized_keys file (not always obvious without looking at the SELinux audit log, because SELinux is fine-grained enough that you could easily get into a state where manual reads as the user or through sudo can succeed)
  • LittleByBlue
    LittleByBlue about 6 years
    This does not seem to be the problem here, but good point anyways.
  • phen0menon
    phen0menon over 4 years
    Thank you, this one solved my problem.
  • patschiboy
    patschiboy over 4 years
    ssh-copy-id - such a lifesaver to fix problems with linebreaks in public keys when you try to use copy & paste

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

unable to connect to the aws ec2 instance,Host key verification failed
Why password authentication is not allowed?
Public key authentication Permission denied (publickey)
google authenticator for certain users
Permission denied (publickey) Amazon Linux aws
How to change the default position of ~/.ssh/authorized_keys
Can't connect to a remote server with Nautilus and a private key
SSH with LDAP authentication (ActiveDirectory) and ssh keys stored in AD
SSH authentication: either SSH keys or one time password
How do I create one user without key authentication?