Trying to do ssh authentication with key files: server refused our key


Solution 1

Ok, it is fixed; however, I don't see how this is different from what I tried already.

What I did:

  • generate a key pair with puttygen.exe (length: 1024 bits)
  • load the private key in the PuTTY profile
  • enter the public key in ~/.ssh/authorized_keys in one line (ssh-rsa {your_public_key} with no more than one space between ssh-rsa and your key)
  • chmod 700 ~/.ssh
  • chmod 600 ~/.ssh/authorized_keys
  • chown $USER:$USER ~/.ssh -R
  • change /etc/ssh/sshd_config so it contains AuthorizedKeysFile %h/.ssh/authorized_keys
  • sudo service ssh restart

For troubleshooting do # tail -f /var/log/auth.log.

Thanks for your help!

Solution 2

I just encountered this problem. Despite having the config set correctly as is already mentioned in this thread (permissions on authorized_keys etc.), it turns out I had the public key in the wrong format. It was in the form of:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "imported-openssh-key"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDUoj0N3vuLpeviGvZTasGQ...
... lPmTrOfVTxI9wjax2JvKcyE0fiNMzXO7qiHJsQM9G9ZB4Lkf71kT
---- END SSH2 PUBLIC KEY ----

Which wasn't working. But got it working having it in the form:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU.....j0N3vuLpeviGvZTasGQa1rcJiPXQMW7v3uurb+n94B9MQaaWR0odsg5DJQL92TNenOda5BO1nd08y6+sdLQmHXExTz6X8FzgoVsAkEl3RscxcxHUksiKA9JfTo38vQvG/bPxIHMCuSumCQVA1laf3rO/uOrkcB7iMWhaoi1/z6AbFtPzeh7xjGfInMWwtBI0CsHSRF73VWIxT26w0P+KjafCjSn/7vDO1bT8QHujSQelU/GqaVEvbbvPl1a7POVjKgHLNekolwRKfNeVEewcnmZaoqfHgOKlPmTrOfVTxI9wjax2JvKcyE0fiNMzXO7qiHJsQM9G9ZB4Lkf71kT UserName@HOSTNAME

Solution 3

I had to change permissions to home directory

chmod 700 ~

Solution 4

The problem is that Windows uses a different new line than Linux, so when copying the key from Windows to Linux, there is a \n at the end of the line that you cannot see on Linux in the editor.

If you tail the /var/log/auth.log and try to login, the error is like:

sshd: error: key_read: uudecode AAAAB3N[....]==\n

If you change your key on Windows so it's in a single line without a new line at the end and copy it then to Linux, it should work (did the trick for me).
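
The format and line-ending problems from Solutions 2 and 4, as an added example that is not part of the original answers: a Python sketch that takes either a `---- BEGIN SSH2 PUBLIC KEY ----` block or an OpenSSH line damaged by wrapping or CRLF, and returns the single line authorized_keys expects. The function names and the sample key bytes are constructed for illustration, and it assumes the entry carries no options prefix.

```python
import base64
import struct

def make_blob(*fields):  # SSH wire format; used here to build constructed sample keys
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def wire_fields(blob):
    """Split a blob into its length-prefixed fields; None if it is incomplete."""
    out, pos = [], 0
    while pos + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            return None
        out.append(blob[pos:pos + n])
        pos += n
    return out if pos == len(blob) and len(out) >= 2 else None

def to_authorized_keys_line(text):
    """Normalize a pasted public key to one 'type base64 comment' line."""
    lines = [ln.strip() for ln in text.replace("\r", "\n").split("\n") if ln.strip()]
    comment, tokens, in_ssh2, i = "", [], False, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if line.startswith("----"):                   # BEGIN/END SSH2 PUBLIC KEY markers
            in_ssh2 = True
        elif in_ssh2 and ":" in line and not tokens:  # header such as Comment: "..."
            while line.endswith("\\") and i < len(lines):
                line, i = line[:-1] + lines[i], i + 1
            tag, _, value = line.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            tokens += line.split()
    if tokens and not tokens[0].startswith("AAAA"):
        tokens.pop(0)                                 # declared type; re-derived from the blob
    b64 = ""
    while tokens:                                     # rejoin base64 split across lines
        b64 += tokens.pop(0)
        try:
            fields = wire_fields(base64.b64decode(b64, validate=True))
        except ValueError:                            # bad padding: more base64 follows
            continue
        if fields:
            rest = " ".join(tokens) or comment
            return " ".join(p for p in (fields[0].decode("ascii"), b64, rest) if p)
    raise ValueError("no complete SSH public key blob found (truncated paste?)")

if __name__ == "__main__":  # constructed sample: CRLF-terminated paste of a made-up key
    blob = make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 129)))
    print(to_authorized_keys_line("ssh-rsa " + base64.b64encode(blob).decode() + " UserName@HOSTNAME\r\n"))
```

A paste that was cut short raises `ValueError` instead of producing a line, which corresponds to the `key_read: uudecode` error in auth.log.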

Solution 5

I had to change the ~/.ssh directory permissions from 770 to 700 and the ~/.ssh/authorized_keys file permissions from 660 to 600.

For some reason removing group permissions fixed this issue for me.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
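
The permission fixes in Solutions 1, 3 and 5 all satisfy the same sshd StrictModes rule, shown here as an added example that is not part of the original answers: the key file and every directory from it up to the home directory must be owned by the user or root and must not be writable by group or others. The function name `strictmodes_problems` is hypothetical.

```python
import os
import stat

def strictmodes_problems(authorized_keys, home, uid):
    """List why sshd (StrictModes yes) would ignore this authorized_keys file.

    The file and each directory from it up to the home directory must be
    owned by the user or root and must not be group- or other-writable.
    """
    problems = []
    path, home = os.path.realpath(authorized_keys), os.path.realpath(home)
    while True:
        try:
            st = os.stat(path)
        except OSError as exc:
            return problems + [f"{path}: cannot stat ({exc.strerror})"]
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            problems.append(f"{path}: owner uid {st.st_uid}, expected {uid} or root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: mode {mode:04o} is group- or other-writable")
        parent = os.path.dirname(path)
        if path == home or parent == path:   # stop at the home directory (or at /)
            return problems
        path = parent

if __name__ == "__main__":
    home = os.path.expanduser("~")
    keys = os.path.join(home, ".ssh", "authorized_keys")
    for problem in strictmodes_problems(keys, home, os.getuid()):
        print(problem)
```

Run as the account that fails to log in; an empty result means ownership and modes are not the cause and the key format is the next thing to check.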
Author: Forkbeard

Updated on September 18, 2022

Comments

  • Forkbeard
    Forkbeard over 1 year

    I'm trying to set up ssh authentication with key files instead of username/password. The client is a Windows box running PuTTY and the server is an Ubuntu 12.04 LTS server.

    I downloaded puttygen.exe and had it generate a key pair. In /etc/ssh/sshd_config I have this line:

    AuthorizedKeysFile %h/.ssh/authorized_keys
    

    and on my client's public key file it says this:

    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "[email protected]"
    ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAr3Qo6T5XU06ZigGOd3eKvfBhFLhg5kWv8lz6
    qJ2G9XCbexlPQGanPhh+vcPkhor6+7OmB+WSdHeNO652kTofnauTKcTCbHjsT7cJ
    GNrO8WVURRh4fabknUHPmauerWQZ6TgRPGaz0aucU+2C+DUo2SKVFDir1vb+4u83
    [email protected]
    ---- END SSH2 PUBLIC KEY ----
    

    I copied the part from "ssh-rsa AAA" to "[email protected]" and put that in the file ~/.ssh/authorized_keys on my server (in my own homefolder). In PuTTY under Connection > SSH > Auth I entered the path to the private key it generated on my client and saved the session settings.

    I restarted the ssh server with

    sudo service ssh restart
    

    Now if I load the profile in PuTTY (I verified the private key is still in Connection > SSH > Auth and that the path is correct) and run the profile, it says

    Server refused our key
    

    I tried putting the public key in a file under the directory ./ssh/authorized_keys/ but that didn't help so I used ./ssh/authorized_keys as a file, pasting the key in it. I also tried generating a private/public key pair on the server, putting the public key in ./ssh/authorized_files and loading the private one in PuTTY on my client. Rebooting the server didn't help either.

    I found that the error may be solved by putting the key in a place outside the user's home folder but that's only useful if the home folder is encrypted, which this one is not.

    Also tried generating a 4096 bit key, thinking perhaps 1024 was too short.

    How can I get this to work? Thanks!

    EDIT:

    Ok, /var/log/auth.log said:

    sshd: Authentication refused: bad ownership or modes for directory /home/vorkbaard/.ssh
    

    Google tells me ~/.ssh/ should be 700 and ~/.ssh/authorized_keys should be 600, so I did that. Now /var/log/auth.log says:

    sshd: error: key_read: uudecode AAAAB3N [etc etc etc until about 3/4 of my public key]
    
    • Admin
      Admin almost 3 years
      /var/log/auth.log helps a lot, thanks =)
    • Admin
      Admin over 2 years
      +1 for checking /var/log/auth.log. I had an unrelated problem, but checking that log file helped me solve it.
  • Forkbeard
    Forkbeard almost 11 years
    Thanks, that makes sense and now I understand why it is a file, not a directory. However it didn't help.
  • Alaa Ali
    Alaa Ali almost 11 years
    Hmm, so what happened to that sshd: error: key_read: uudecode AAAAB3N error in auth.log?
  • Forkbeard
    Forkbeard almost 11 years
    I haven't a clue, Alaa. Perhaps I made an error pasting the previous key string. Auth.log doesn't get any more entries now and key based authentication works flawlessly. My main problem was that I wasn't really sure about what needed to be done, making the how that much more difficult. So I don't know why but it works. Thanks again for your help :)
  • naka
    naka almost 10 years
    Awesome!!! I have been scratching my head for 2 days. This answer saves the day!!
  • timbrown
    timbrown almost 10 years
    Step 3 was the trick for me. I didn't put the public key in the authorized_keys file I just pasted my mykey.pub file into the ~/.ssh folder and thought it would pick it up. Instead what I needed ultimately was to run this or edit and paste in below other keys that may be in there. cat mykey.pub >> authorized_keys. Seems simple now, but lesson learned is all public keys have to live in authorized_keys not just in the ~/.ssh/ directory. Someone please advise if this is not a correct assertion.
  • mvladk
    mvladk over 9 years
    If the steps don't help, check also: 1. you copied the saved PuTTY public key into authorized_keys, not the OpenSSH one 2. if you copied using copy/paste from PuTTYgen (which you should do), you may have split the public key in multiple lines; it should be a single line; make sure you did not add leading or trailing spaces while copying. Thanks to r_hartman centos.org/forums/viewtopic.php?t=990
  • CappY
    CappY over 9 years
    I would add chmod go-w ~/
  • Marcel Burkhard
    Marcel Burkhard over 9 years
    This post was very helpful, but I need to change the format of my public key to start with ssh-rsa XYZASDF... to make it work. I used the button "Save Public Key" and it was saved in a different format.
  • stevepastelan
    stevepastelan about 9 years
    This worked for me as well (on AIX though).
  • Danny Schoemann
    Danny Schoemann about 9 years
    Seems default length in PuttyGen is now 2048. Your comment of (length 1024) solved it for me. Thanks!
  • Trevor Hickey
    Trevor Hickey about 9 years
    I think you mean: "sudo service sshd restart"-- not ssh
  • naisanza
    naisanza about 8 years
    Another reason it happens is with encrypted home directories, where before an interactive login occurs, the user's home directory is still encrypted and inaccessible.
  • adelriosantiago
    adelriosantiago almost 8 years
    Yes, it worked for me! It has to be in a single line. Can't believe it was only that!
  • Anthony
    Anthony almost 8 years
    This was my problem, but I didn't see anything in auth.log to suggest that was the case. Frustrating...
  • Anthony
    Anthony almost 8 years
    for anyone who may be confused by this, what he means is each key itself has to be on a single line, but different keys need to be on different lines.
  • ekerner
    ekerner about 7 years
    Hi kuraara, I reckon the above instruction by @Black should be made prominent in the answer.
  • Hiromichi Kobashi
    Hiromichi Kobashi almost 7 years
    Thanks, this helped me. Just to note, I notice this happening a lot on Raspbian Jessie. For some reason, this line is commented out by default.
  • Jan
    Jan over 6 years
    This step did the trick for me: chown $USER:$USER ~/.ssh -R
  • ShoeLace
    ShoeLace over 6 years
    I also needed to add chmod 755 ~ but I think it specifically needs non group/other write access
  • user1700890
    user1700890 over 6 years
    Can I add a comment to the OpenSSH server format? For a human it is hard to tell what computer this key represents.
  • user1700890
    user1700890 over 6 years
    What does chown $USER:$USER ~/.ssh -R do? Do I need to substitute my actual username/login?
  • Bimal Poudel
    Bimal Poudel over 6 years
    Figured out two main things in /etc/ssh/sshd_config: uncomment AuthorizedKeysFile line and line PubkeyAcceptedKeyTypes ssh-dss.
  • G_Style
    G_Style about 6 years
    This is the golden checklist. Go down this list and one of them should fix it. Usually it's permissions or rather the folder isn't owned by the user. It's very picky about the permissions. The .ssh folder and the authorized_keys file need to match the permissions on the list (700 and 600 as listed). The user you are connecting with needs to own the folder. Remember it's chown username:group ~/.ssh -R. -R does all subfolders and will blanket everything below.
  • Jaywalker
    Jaywalker about 6 years
    Worked for me on CentOS as well
  • arnoldbird
    arnoldbird almost 6 years
    When I follow the suggestion by @Black, there is no UserName@HOSTNAME at the end of the string. I don't know if that part matters.
  • luky
    luky over 5 years
    This actually fixed the problem. I don't get why if you click the save the public key why it doesn't save the proper format.
  • Paul
    Paul about 5 years
    Worked for me on Redhat! Group write access seems to be the specific issue. Still works for me if I leave group read permissions in place though: "chmod 740 ~".
  • AlwaysTalkingAboutMyDog
    AlwaysTalkingAboutMyDog about 5 years
    Could you expand upon this answer? What do the arguments entail? What is the command doing (for someone not experienced)?
  • Jason Waltz
    Jason Waltz almost 4 years
    Man, hours and hours I have been messing with this. I know this is old but it still works! Thanks a million
  • JS.
    JS. about 3 years
    If you're willing to start over, I find it easiest to rm ~/.ssh on the target and on the client run ssh-copy-id -i <ssh_key_file> <login>@<target>. ssh-copy-id will create ~/.ssh on the target with all the correct permissions.
  • Mugé
    Mugé about 3 years
    Adding the public key to the second line inside host .ssh/authorized_keys, then save, worked for me. Excellent! Thank you.
  • shawty
    shawty about 3 years
    Just to add a helpful comment for future visitors: I just had an SSH key weirdly just stop working for me, threw me a complete curve ball. Looked in auth.log and it told me the user permissions on my HOME folder were wrong, NOT .ssh or the auth keys file, and when I did an "ls -al" in my ~ folder, sure enough the entry for '.' had gotten corrupted somehow, as soon as I did a "chown myname:users ." and corrected it, SSH started to work with its existing key again.
  • TexasNeo
    TexasNeo over 2 years
    the "ssh-keygen -i -f" worked for me
  • Sahin
    Sahin over 2 years
    I can't thank you enough, it took me one day and found your answer here.