Trying to do ssh authentication with key files: server refused our key
Solution 1
Ok, it is fixed however I don't see how this is different from what I tried already.
What I did:
- generate a key pair with puttygen.exe (length: 1024 bits)
- load the private key in the PuTTY profile
- enter the public key in ~/.ssh/authorized_keys in one line (ssh-rsa {your_public_key} with no more than one space between ssh-rsa and your key)
- chmod 700 ~/.ssh
- chmod 600 ~/.ssh/authorized_keys
- chown $USER:$USER ~/.ssh -R
- change /etc/ssh/sshd_config so it contains AuthorizedKeysFile %h/.ssh/authorized_keys
- sudo service ssh restart
For troubleshooting do # tail -f /var/log/auth.log.
Thanks for your help!
Solution 2
I just encountered this problem. Despite having the config set correctly as is already mentioned in this thread (permissions on authorized_keys etc.), it turns out I had the public key in the wrong format. It was in the form of:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "imported-openssh-key"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDUoj0N3vuLpeviGvZTasGQ...
... lPmTrOfVTxI9wjax2JvKcyE0fiNMzXO7qiHJsQM9G9ZB4Lkf71kT
---- END SSH2 PUBLIC KEY ----
Which wasn't working. But got it working having it in the form:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU.....j0N3vuLpeviGvZTasGQa1rcJiPXQMW7v3uurb+n94B9MQaaWR0odsg5DJQL92TNenOda5BO1nd08y6+sdLQmHXExTz6X8FzgoVsAkEl3RscxcxHUksiKA9JfTo38vQvG/bPxIHMCuSumCQVA1laf3rO/uOrkcB7iMWhaoi1/z6AbFtPzeh7xjGfInMWwtBI0CsHSRF73VWIxT26w0P+KjafCjSn/7vDO1bT8QHujSQelU/GqaVEvbbvPl1a7POVjKgHLNekolwRKfNeVEewcnmZaoqfHgOKlPmTrOfVTxI9wjax2JvKcyE0fiNMzXO7qiHJsQM9G9ZB4Lkf71kT UserName@HOSTNAME
Solution 3
I had to change permissions to home directory
chmod 700 ~
Solution 4
The problem is that Windows uses a different new line than Linux, so when copying the key from Windows to Linux, there is a \n at the end of the line that you cannot see on Linux in the editor.
If you tail the /var/log/auth.log and try to login, the error is like:
sshd: error: key_read: uudecode AAAAB3N[....]==\n
If you change your key on Windows so it's in a single line without a new line at the end and copy it then to Linux, it should work (did the trick for me).
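The format change described in Solution 2, combined with the line-ending cleanup from Solution 4, as an added example (not code from any of the answers). The function names are hypothetical, the sample block is constructed from dummy numbers rather than a real key, and the blob check assumes a plain key, not a certificate.

```python
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"


def blob_key_type(b64):
    """Return the key type stored inside a plain (non-certificate) key blob."""
    raw = base64.b64decode(b64, validate=True)  # rejects CR/LF and bad padding
    fields, off = [], 0
    while off < len(raw):  # the blob is a run of length-prefixed fields
        if off + 4 > len(raw):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">I", raw, off)
        off += 4 + size
        if off > len(raw):
            raise ValueError("truncated field")
        fields.append(raw[off - size:off])
    if not fields:
        raise ValueError("empty blob")
    return fields[0].decode("ascii")


def rfc4716_to_openssh(text, comment=""):
    """Convert a '---- BEGIN SSH2 PUBLIC KEY ----' block to one OpenSSH line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key block")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ": " in ln:        # header line such as Comment: "..."
            in_header = ln.endswith("\\")  # a trailing backslash continues it
            continue
        body.append(ln)
    b64 = "".join(body)
    return " ".join(p for p in (blob_key_type(b64), b64, comment) if p)


def constructed_sample():
    """Constructed SSH2 block: dummy numbers, Windows (CRLF) line endings."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(128, 192))]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    b64 = base64.b64encode(raw).decode()
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, 'Comment: "constructed"', *wrapped, END, ""])


if __name__ == "__main__":
    print(rfc4716_to_openssh(constructed_sample(), "UserName@HOSTNAME"))
```

`blob_key_type` raises `ValueError` when the base64 text is cut short or still contains a line break, which is a quick way to check an entry before pasting it into authorized_keys.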
Solution 5
I had to change the ~/.ssh directory permissions from 770 to 700 and the ~/.ssh/authorized_keys file permissions from 660 to 600.
For some reason removing group permissions fixed this issue for me.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Forkbeard
Updated on September 18, 2022
Comments
-
Forkbeard over 1 year
I'm trying to set up ssh authentication with key files instead of username/password. The client is a Windows box running PuTTY and the server is an Ubuntu 12.04 LTS server.
I downloaded puttygen.exe and had it generate a key pair. In /etc/ssh/sshd_config I have this line:
AuthorizedKeysFile %h/.ssh/authorized_keys
and on my client's public key file it says this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "[email protected]"
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAr3Qo6T5XU06ZigGOd3eKvfBhFLhg5kWv8lz6
qJ2G9XCbexlPQGanPhh+vcPkhor6+7OmB+WSdHeNO652kTofnauTKcTCbHjsT7cJ
GNrO8WVURRh4fabknUHPmauerWQZ6TgRPGaz0aucU+2C+DUo2SKVFDir1vb+4u83
[email protected]
---- END SSH2 PUBLIC KEY ----
I copied the part from "ssh-rsa AAA" to "[email protected]" and put that in the file ~/.ssh/authorized_keys on my server (in my own homefolder). In PuTTY under Connection > SSH > Auth I entered the path to the private key it generated on my client and saved the session settings.
I restarted the ssh server with
sudo service ssh restart
Now if I load the profile in PuTTY (I verified the private key is still in Connection > SSH > Auth and that the path is correct) and run the profile, it says
Server refused our key
I tried putting the public key in a file under the directory ./ssh/authorized_keys/ but that didn't help so I used ./ssh/authorized_keys as a file, pasting the key in it. I also tried generating a private/public key pair on the server, putting the public key in ./ssh/authorized_files and loading the private one in PuTTY on my client. Rebooting the server didn't help either.
I found that the error may be solved by putting the key in a place outside the user's home folder but that's only useful if the home folder is encrypted, which this one is not.
Also tried generating a 4096 bit key, thinking perhaps 1024 was too short.
How can I get this to work? Thanks!
EDIT:
Ok, /var/log/auth.log said:
sshd: Authentication refused: bad ownership or modes for directory /home/vorkbaard/.ssh
Google tells me ~/.ssh/ should be 700 and ~/.ssh/authorized_keys should be 600, so I did that. Now /var/log/auth.log says:
sshd: error: key_read: uudecode AAAAB3N [etc etc etc until about 3/4 of my public key]
-
Admin almost 3 years
/var/log/auth.log helps a lot, thanks =)
-
Admin over 2 years
+1 for checking /var/log/auth.log. I had an unrelated problem, but checking that log file helped me solve it.
-
Forkbeard almost 11 years
Thanks, that makes sense and now I understand why it is a file, not a directory. However it didn't help.
-
Alaa Ali almost 11 years
Hmm, so what happened to that sshd: error: key_read: uudecode AAAAB3N error in auth.log?
-
Forkbeard almost 11 years
I haven't a clue, Alaa. Perhaps I made an error pasting the previous key string. Auth.log doesn't get any more entries now and key based authentication works flawlessly. My main problem was that I wasn't really sure about what needed to be done, making the how that much more difficult. So I don't know why but it works. Thanks again for your help :)
-
naka almost 10 years
Awesome!!! I have been scratching my head for 2 days. This answer saves the day!!
-
timbrown almost 10 years
Step 3 was the trick for me. I didn't put the public key in the authorized_keys file I just pasted my mykey.pub file into the ~/.ssh folder and thought it would pick it up. Instead what I needed ultimately was to run this or edit and paste in below other keys that may be in there.
cat mykey.pub >> authorized_keys
Seems simple now, but lesson learned is all public keys have to live in authorized_keys not just in the ~/.ssh/ directory. Someone please advise if this is not a correct assertion.
-
mvladk over 9 years
If the steps don't help, check also:
1. you copied the saved PuTTY public key into authorized_keys, not the OpenSSH one
2. if you copied using copy/paste from PuTTYgen (which you should do), you may have split the public key in multiple lines; it should be a single line; make sure you did not add leading or trailing spaces while copying
thanks to r_hartman centos.org/forums/viewtopic.php?t=990
-
CappY over 9 years
I would add
chmod go-w ~/
-
Marcel Burkhard over 9 years
This post was very helpful, but I need to change the format of my public key to start with ssh-rsa XYZASDF... to make it work. I used the button "Save Public Key" and it was saved in a different format.
-
stevepastelan about 9 years
This worked for me as well (on AIX though).
-
Danny Schoemann about 9 years
Seems default length in PuttyGen is now 2048. Your comment of (length 1024) solved it for me. Thanks!
-
Trevor Hickey about 9 years
I think you mean: "sudo service sshd restart"-- not ssh
-
naisanza about 8 years
Another reason it happens is with encrypted home directories, where before an interactive login occurs, the user's home directory is still encrypted and inaccessible.
-
adelriosantiago almost 8 years
Yes, it worked for me! It has to be in a single line. Can't believe it was only that!
-
Anthony almost 8 years
This was my problem, but I didn't see anything in auth.log to suggest that was the case. Frustrating...
-
Anthony almost 8 years
For anyone who may be confused by this, what he means is each key itself has to be on a single line, but different keys need to be on different lines.
-
ekerner about 7 years
Hi kuraara I reckon the above instruction by @Black should be made prominent in the answer.
-
Hiromichi Kobashi almost 7 years
Thanks, this helped me. Just to note, I notice this happening a lot on Raspbian Jessie. For some reason, this line is commented out by default.
-
Jan over 6 years
This step did the trick for me:
chown $USER:$USER ~/.ssh -R
-
ShoeLace over 6 years
I also needed to add
chmod 755 ~
but I think I specifically needs non group/other write access
-
user1700890 over 6 years
Can I add comment to OpenSSH server format? For human it is hard to tell what computer this key represent.
-
user1700890 over 6 years
What does
chown $USER:$USER ~/.ssh -R
do? Do I need to substitute my actual username/login?
-
Bimal Poudel over 6 years
Figured out two main things in /etc/ssh/sshd_config: uncomment AuthorizedKeysFile line and line PubkeyAcceptedKeyTypes ssh-dss.
-
G_Style about 6 years
This is the golden checklist. Go down this list and one of them should fix it. Usually it's permissions or rather the folder isn't owned by the user. It's very picky about the permissions. The .ssh folder and the authorized_keys file need to match the permissions on the list (700 and 600 as listed). The user you are connecting with needs to own the folder. Remember it's chown username:group ~/.ssh -R. -R does all subfolders and will blanket everything below.
-
Jaywalker about 6 years
Worked for me on CentOS as well
-
arnoldbird almost 6 years
When I follow the suggestion by @Black, there is no UserName@HOSTNAME at the end of the string. I don't know if that part matters.
-
luky over 5 years
This actually fixed the problem. I don't get why if you click the save the public key why it doesn't save the proper format.
-
Paul about 5 years
Worked for me on Redhat! Group write access seems to be the specific issue. Still works for me if I leave group read permissions in place though: "chmod 740 ~".
-
AlwaysTalkingAboutMyDog about 5 years
Could you expand upon this answer? What do the arguments entail? What is the command doing (for someone not experienced)?
-
Jason Waltz almost 4 years
Man, hours and hours I have been messing with this. I know this is old but it still works! Thanks a million
-
JS. about 3 years
If you're willing to start over, I find it easiest to rm ~/.ssh on the target and on the client run ssh-copy-id -i <ssh_key_file> <login>@<target>. ssh-copy-id will create ~/.ssh on the target with all the correct permissions.
-
Mugé about 3 years
Adding the public key to the second line inside host .ssh/authorized_keys, then save, worked for me. Excellent! Thank you.
-
shawty about 3 years
Just to add a helpful comment for future visitors: I just had an SSH key weirdly just stop working for me, threw me a complete curve ball. Looked in auth.log and it told me the user permissions on my HOME folder were wrong, NOT .ssh or the auth keys file, and when I did an "ls -al" in my ~ folder, sure enough the entry for '.' had gotten corrupted somehow, as soon as I did a "chown myname:users ." and corrected it, SSH started to work with its existing key again.
-
TexasNeo over 2 years
The "ssh-keygen -i -f" worked for me
-
Sahin over 2 years
I can't thank you enough, it took me one day and found your answer here.