g1ra
Reputation: 41
Can't accept publickey ssh but id_rsa.pub is in authorized_keys
/Update: Problem refined to : Could not open authorized keys. /
I have a Ubuntu Server in Virtualbox, and i try to ssh in, but everytime asking login password , pubkey is not working.
Synopsis: Ubuntu server 12.04.2 LTS in Vbox. Host only network configuration. Static ip 192.168.56.10 Standard OpenSSH server. Host id_rsa.pub is added to client authorized_keys file.
g2ra@host:~$ cat .ssh/id_rsa.pub | ssh -p 22 [email protected] 'cat >> .ssh/authorized_keys'
~/.ssh permissions is chmod correctly.
g2ra@host:~$ ll .ssh/
total 68
drwx------ 2 g2ra g2ra 4096 Apr 24 00:31 ./
drwx------ 81 g2ra g2ra 28672 Apr 24 09:37 ../
-rw------- 1 g2ra g2ra 1766 Mar 27 10:12 id_rsa
-rw------- 1 g2ra g2ra 397 Mar 27 10:12 id_rsa.pub
-rw------- 1 g2ra g2ra 1110 Apr 24 11:23 known_hosts
Here is debug message :
~$ ssh -v -l g2ra -p 22 192.168.56.10
OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.56.10 [192.168.56.10] port 22.
debug1: Connection established.
debug1: identity file /home/g2ra/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/g2ra/.ssh/id_rsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_dsa type -1
debug1: identity file /home/g2ra/.ssh/id_dsa-cert type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa type -1
debug1: identity file /home/g2ra/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 00:00:00:87:00:0a:3d:e1:aa:78:ac:05:00:00:0e:00
debug1: Host '192.168.56.10' is known and matches the ECDSA host key.
debug1: Found key in /home/g2ra/.ssh/known_hosts:5
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/g2ra/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/g2ra/.ssh/id_dsa
debug1: Trying private key: /home/g2ra/.ssh/id_ecdsa
debug1: Next authentication method: password
Here is my sshd config, on Ubuntu Server in Vbox:
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Update. verbose level increased to DEBUG in sshd config. On Ubuntu Server Vbox.
grep 'ssh'/var/log/auth.log
Apr 24 13:57:03 host sshd[19731]: debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
Apr 24 13:57:03 host sshd[19731]: debug1: Enabling compatibility mode for protocol 2.0
Apr 24 13:57:03 host sshd[19731]: debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
Apr 24 13:57:03 host sshd[19731]: debug1: permanently_set_uid: 105/65534 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_KEXINIT received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: KEX done [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method none [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 0 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: initializing for "g2ra"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_RHOST to "192.168.56.1"
Apr 24 13:57:03 host sshd[19731]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 24 13:57:03 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method publickey [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: attempt 1 failures 0 [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Apr 24 13:57:03 host sshd[19731]: debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Apr 24 13:57:03 host sshd[19731]: debug1: trying public key file /home/g2ra/.ssh/authorized_keys
Apr 24 13:57:03 host sshd[19731]: debug1: Could not open authorized keys '/home/g2ra/.ssh/authorized_keys': No such file or directory
Apr 24 13:57:03 host sshd[19731]: debug1: restore_uid: 0/0
Apr 24 13:57:03 host sshd[19731]: Failed publickey for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:07 host sshd[19731]: debug1: userauth-request for user g2ra service ssh-connection method password [preauth]
Apr 24 13:57:07 host sshd[19731]: debug1: attempt 2 failures 1 [preauth]
Apr 24 13:57:07 host sshd[19733]: pam_ecryptfs: Passphrase file wrapped
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: password authentication accepted for g2ra
Apr 24 13:57:08 host sshd[19731]: debug1: do_pam_account: called
Apr 24 13:57:08 host sshd[19731]: Accepted password for g2ra from 192.168.56.1 port 51041 ssh2
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_read_log: child log fd closed
Apr 24 13:57:08 host sshd[19731]: debug1: monitor_child_preauth: g2ra has been authenticated by privileged process
Apr 24 13:57:08 host sshd[19731]: debug1: PAM: establishing credentials
Apr 24 13:57:08 host sshd[19731]: pam_unix(sshd:session): session opened for user g2ra by (uid=0)
Apr 24 13:57:09 host sshd[19731]: User child is on pid 19871
Apr 24 13:57:09 host sshd[19871]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: PAM: establishing credentials
Apr 24 13:57:09 host sshd[19871]: debug1: permanently_set_uid: 1000/1000
Apr 24 13:57:09 host sshd[19871]: debug1: Entering interactive session for SSH2.
Apr 24 13:57:09 host sshd[19871]: debug1: server_init_dispatch_20
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
Apr 24 13:57:09 host sshd[19871]: debug1: input_session_request
Apr 24 13:57:09 host sshd[19871]: debug1: channel 0: new [server-session]
Apr 24 13:57:09 host sshd[19871]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_open: session 0: link with channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_open: confirm session
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_global_request: rtype [email protected] want_reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req pty-req
Apr 24 13:57:09 host sshd[19871]: debug1: Allocating pty.
Apr 24 13:57:09 host sshd[19731]: debug1: session_new: session 0
Apr 24 13:57:09 host sshd[19731]: debug1: SELinux support disabled
Apr 24 13:57:09 host sshd[19871]: debug1: session_pty_req: session 0 alloc /dev/pts/0
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request env reply 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req env
Apr 24 13:57:09 host sshd[19871]: debug1: server_input_channel_req: channel 0 request shell reply 1
Apr 24 13:57:09 host sshd[19871]: debug1: session_by_channel: session 0 channel 0
Apr 24 13:57:09 host sshd[19871]: debug1: session_input_channel_req: session 0 req shell
Apr 24 13:57:09 host sshd[19872]: debug1: Setting controlling tty using TIOCSCTTY.
Debug log said. Could not open authorized keys '/home/g2ra/.ssh/authorized_keys': No such file or directory. Why?
Upvotes: 4
Views: 4673
Answers (3)
mcchots
Reputation: 516
@g1ra's comment solves this issue if you have an encrypted home folder. Adding it here for better visibility.
If you have an encrypted home directory, SSH cannot access your authorized_keys file because it is inside your encrypted home directory and won't be available until after you are authenticated. Therefore, SSH will default to password authentication.
To solve this, create a folder outside your home named /etc/ssh/<username> (replace <username> with your actual username). This directory should have 755 permissions and be owned by the user. Move the authorized_keys file into it. The authorized_keys file should have 644 permissions and be owned by the user.
Then edit your /etc/ssh/sshd_config and add:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
Finally, restart ssh with:
sudo service ssh restart
The next time you connect with SSH you should not have to enter your password.
Source: Ubuntu - SSH/OpenSSH/Keys
Upvotes: 5
Vitaly Isaev
Reputation: 5815
You could try to renew ssh records using ssh-add on both machines.
Upvotes: -1
Emii Khaos
Reputation: 10085
Generally you should use ssh-copy-id instead of constructing it manually.
Have you checked the permissions of the .ssh folder and authorized_keys on the target machine? Maybe (caused of the manual cat) the file/folder were created with standard umask, which is too "open" for SSH.
Upvotes: -1
Related Questions
- Vagrant : Permission denied (publickey)
- Vagrant ssh authentication failure
- id_rsa.pub is not a public key file
- Cannot connect to Azure Ubuntu VM - Public Key Denied
- OpenStack: permission denied (publickey) when SSH'ing to the VMs
- Could not load id_rsa as a RSA1 public key
- Cannot make Vagrant SSH key-using connection in base initializing (authorized_keys permission issue)
- Can't ssh to vagrant VMs using the insecure private key (vagrant 1.7.2)
- Private key access to ssh refused through putty
- SSH doesn't accept public key, and permissions appear to be correct