Public Key authentication failed
Solution 1
This bit looks like we used your private key to attempt a cryptographic login, then we had to try others because it was not accepted:
debug1: Trying private key: /home/leetom/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 68:51:b6:ed:cc:c2:54:f4:xx:15:41:d7:f5:4a:0e:da
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
The simplest problem could be in your copying over of the public key, because I get the same response trying to authenticate with a key that I know the other end doesn't have here.
Rather than manually copying the id over, why not try ssh-copy-id
- enter your password and it will update authorized_keys
. That should (a) definitely select the same key as ssh
should be selecting, (b) ensure you haven't accidentally added any formatting errors.
If that works for you, compare the line added to authorized_keys
by ssh-copy-id
and hopefully you'll understand what went wrong.
Solution 2
Permissions could be another sort of problem causing publickey authentication failures: check that your ~
and ~/.ssh
directories are not readable by anybody except for your user (chmod 700 ~ && chmod 700 ~/.ssh
could fix that).
EDIT: permissions 750 for ~
should be okay too.
Solution 3
Sometimes you need to provide the private key explicitly with -i
Example: ssh -i /root/.ssh/id_rsa2 user@remote
Solution 4
By chance, when creating the authorized_keys
file, have you misspelled your filename (since you have spelled it as authorzied_keys
in the question (i and z exchanged), there is a possibility you have named the file the same way)
In the ssh config file, the name of the file is specifically mentioned as
AuthorizedKeysFile %h/.ssh/authorized_keys
Hence, you need to be particular that the filename is the same. So just verify the filename.
Related videos on Youtube
leetom
Updated on September 18, 2022Comments
-
leetom over 1 year
I am using ubuntu 13.10, and the server runs ubuntu 12.04. I had generate private and public keys using ssh-keygen, and put id_rsa.pub to server side and added it to
authorzied_keys
accordding to the method I found on the Internet. But, I still have to input password while I am trying to login. I have set the home dir to 700, .ssh dir to 700, authorzied_keys file to 600, and I have checke sshd_config file, and nothing happened.The debug infomation (with -vvv option) and sshd_config is as following, and nothing listed in server's auth.log file.
I even have updated openssh-server openssh-client on both client and server side.
Is there anything else I have to do? Thanks for any infomation.
debug3: load_hostkeys: loading entries for host "[xxx.101.15.62]:2222" from file "/home/leetom/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /home/leetom/.ssh/known_hosts:2 debug3: load_hostkeys: loaded 1 keys debug3: load_hostkeys: loading entries for host "[xxx.101.15.62]:2222" from file "/home/leetom/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /home/leetom/.ssh/known_hosts:2 debug3: load_hostkeys: loaded 1 keys debug1: Host '[xxx.101.15.62]:2222' is known and matches the ECDSA host key. debug1: Found key in /home/leetom/.ssh/known_hosts:2 debug1: ssh_ecdsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/leetom/.ssh/id_rsa ((nil)), debug2: key: /home/leetom/.ssh/id_dsa ((nil)), debug2: key: /home/leetom/.ssh/id_ecdsa ((nil)), debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/leetom/.ssh/id_rsa debug1: read PEM private key done: type RSA debug3: sign_and_send_pubkey: RSA 68:51:b6:ed:cc:c2:54:f4:xx:15:41:d7:f5:4a:0e:da debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Trying private key: /home/leetom/.ssh/id_dsa debug3: no such identity: /home/leetom/.ssh/id_dsa: No such file or directory debug1: Trying private key: /home/leetom/.ssh/id_ecdsa debug3: no such identity: /home/leetom/.ssh/id_ecdsa: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password [email protected]'s password:
and the sshd_config
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes
-
leetom over 10 yearsIt works, thank you very much! It turns out that I had a typo with the
authorized_keys
filename. I had tried every method and checked the filename many times (I read something about filename typo), but... The eyes won't work well while I am sleepy... -
Asaf about 10 yearsUsing
ssh-copy-id
made the trick for me -
IO.Nathan over 8 yearsThis works perfectly... unless you have a Mac. :)
-
Greg over 8 years@Fixee
brew install ssh-copy-id
if you use homebrew -
UlfR about 8 yearsIs this really true? The permissions of
~/
should not matter, the default in Ubuntu is usually 755 on home directories and it works for me. -
AntonioK about 8 yearsI really faced that using (at remote host) CentOS 7 and both OpenSSH_6.4 and OpenSSH_6.6.1. Doing just
chmod 700 ~
have solved my problem. -
UlfR about 8 yearsGood for you! But: According to this: askubuntu.com/a/69867/31749 there can be no group-write permissions on the home-directory, but group-read should be ok.
-
AntonioK about 8 yearsOkay, I should check if 750 works in my case on that system.
-
mtraceur over 7 yearsThese exact symptoms can also manifest if you have SELinux enabled and mis-configured such that it prevents sshd from reading the authorized_keys file (not always obvious without looking at the SELinux audit log, because SELinux is fine-grained enough that you could easily get into a state where manual reads as the user or through sudo can succeed)
-
LittleByBlue about 6 yearsThis does not seem to be the problem here, but good point anyways.
-
phen0menon over 4 yearsThank you, this one solved my problem.
-
patschiboy over 4 years
ssh-copy-id
- such a lifesaver to fix problems with linebreaks in public keys when you try to use copy & paste