Unable to ssh localhost: Permission denied (publickey) / Connection closed by ::1 [preauth]

Question

I am trying to execute

ssh localhost  

on Ubuntu 14.04 LTS, but getting

Permission denied (publickey).  

Here is some debug info...

First of all, I have the following files in ~/.ssh directory:

ubuntu@<hostname>:~$ ls .ssh
authorized_keys  id_dsa  id_dsa.pub  id_ecdsa  id_ecdsa.pub  id_ed25519  id_ed25519.pub  id_rsa  id_rsa.pub  known_hosts

And access permissions to the directory are:

ubuntu@<hostname>:~# stat -c %a ~/.ssh  
700  

Here is the verbose output of sshing:

ubuntu@<hostname>:~$ ssh -vvv localhost  
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014  
debug1: Reading configuration data /etc/ssh/ssh_config  
debug1: /etc/ssh/ssh_config line 19: Applying options for *  
debug2: ssh_connect: needpriv 0  
debug1: Connecting to localhost [::1] port 22.  
debug1: Connection established.  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_rsa" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_rsa type 1  
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_dsa" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_dsa type 2  
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_ecdsa" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type 3  
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_ed25519" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type 4  
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2  
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2  
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000  
debug2: fd 3 setting O_NONBLOCK  
debug3: load_hostkeys: loading entries for host "localhost" from file "/home/ubuntu/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: none,zlib@openssh.com  
debug2: kex_parse_kexinit: none,zlib@openssh.com  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: mac_setup: setup hmac-md5-etm@openssh.com  
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none  
debug2: mac_setup: setup hmac-md5-etm@openssh.com  
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none  
debug1: sending SSH2_MSG_KEX_ECDH_INIT  
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY  
debug1: Server host key: ECDSA 4a:79:23:54:0b:5a:2c:98:39:ed:e4:b4:6b:5b:84:fa  
debug3: load_hostkeys: loading entries for host "localhost" from file "/home/ubuntu/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug1: Host 'localhost' is known and matches the ECDSA host key.  
debug1: Found key in /home/ubuntu/.ssh/known_hosts:1  
debug1: ssh_ecdsa_verify: signature correct  
debug2: kex_derive_keys  
debug2: set_newkeys: mode 1  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug2: set_newkeys: mode 0  
debug1: SSH2_MSG_NEWKEYS received  
debug1: Roaming not allowed by server  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug2: service_accept: ssh-userauth  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug2: key: /home/ubuntu/.ssh/id_rsa (0x7f403e66d570),  
debug2: key: /home/ubuntu/.ssh/id_dsa (0x7f403e66d4a0),  
debug2: key: /home/ubuntu/.ssh/id_ecdsa (0x7f403e6724d0),  
debug2: key: /home/ubuntu/.ssh/id_ed25519 (0x7f403e672b80),  
debug1: Authentications that can continue: publickey  
debug3: start over, passed a different list publickey  
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_lookup publickey  
debug3: remaining preferred: keyboard-interactive,password  
debug3: authmethod_is_enabled publickey  
debug1: Next authentication method: publickey  
debug1: Offering RSA public key: /home/ubuntu/.ssh/id_rsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering DSA public key: /home/ubuntu/.ssh/id_dsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering ECDSA public key: /home/ubuntu/.ssh/id_ecdsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering ED25519 public key: /home/ubuntu/.ssh/id_ed25519  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug2: we did not send a packet, disable method  
debug1: No more authentication methods to try.  
Permission denied (publickey).  

The content of /etc/ssh/sshd_config file:

ubuntu@<hostname>:~# cat /etc/ssh/sshd_config  
# Package generated configuration file  
# See the sshd_config(5) manpage for details  

# What ports, IPs and protocols we listen for  
Port 22  
# Use these options to restrict which interfaces/protocols sshd will bind to  
#ListenAddress ::  
#ListenAddress 0.0.0.0  
Protocol 2  
# HostKeys for protocol version 2  
HostKey /etc/ssh/ssh_host_rsa_key  
HostKey /etc/ssh/ssh_host_dsa_key  
HostKey /etc/ssh/ssh_host_ecdsa_key  
HostKey /etc/ssh/ssh_host_ed25519_key  
#Privilege Separation is turned on for security  
UsePrivilegeSeparation yes  

# Lifetime and size of ephemeral version 1 server key  
KeyRegenerationInterval 3600  
ServerKeyBits 1024  

# Logging  
SyslogFacility AUTH  
LogLevel INFO  

# Authentication:  
LoginGraceTime 120  
PermitRootLogin without-password  
StrictModes yes  

RSAAuthentication yes  
PubkeyAuthentication yes  
#AuthorizedKeysFile     %h/.ssh/authorized_keys  

# Don't read the user's ~/.rhosts and ~/.shosts files  
IgnoreRhosts yes  
# For this to work you will also need host keys in /etc/ssh_known_hosts  
RhostsRSAAuthentication no  
# similar for protocol version 2  
HostbasedAuthentication no  
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication  
#IgnoreUserKnownHosts yes  

# To enable empty passwords, change to yes (NOT RECOMMENDED)  
PermitEmptyPasswords no  

# Change to yes to enable challenge-response passwords (beware issues with  
# some PAM modules and threads)  
ChallengeResponseAuthentication no  

# Change to no to disable tunnelled clear text passwords  
PasswordAuthentication no  

# Kerberos options  
#KerberosAuthentication no  
#KerberosGetAFSToken no  
#KerberosOrLocalPasswd yes  
#KerberosTicketCleanup yes  

# GSSAPI options  
#GSSAPIAuthentication no  
#GSSAPICleanupCredentials yes  

X11Forwarding yes  
X11DisplayOffset 10  
PrintMotd no  
PrintLastLog yes  
TCPKeepAlive yes  
#UseLogin no  

#MaxStartups 10:30:60  
#Banner /etc/issue.net  

# Allow client to pass locale environment variables  
AcceptEnv LANG LC_*  

Subsystem sftp /usr/lib/openssh/sftp-server  

# Set this to 'yes' to enable PAM authentication, account processing,  
# and session processing. If this is enabled, PAM authentication will  
# be allowed through the ChallengeResponseAuthentication and  
# PasswordAuthentication.  Depending on your PAM configuration,  
# PAM authentication via ChallengeResponseAuthentication may bypass  
# the setting of "PermitRootLogin without-password".  
# If you just want the PAM account and session checks to run without  
# PAM authentication, then enable this but set PasswordAuthentication  
# and ChallengeResponseAuthentication to 'no'.  
UsePAM yes  

Everytime I'm trying to execute "ssh localhost" the following line is added to /var/log/auth.log:

Jan 29 08:40:41 <hostname> sshd[5167]: Connection closed by ::1 [preauth]

Can anyone suggest anything please?

Answer 1

If you're running Ubuntu on Windows Subsystem for Linux, there will not be a preinstalled public key or authorized keys list, so you'll need to generate your own.

If you don't already have openssh-server installed:

sudo apt-get upgrade && \
sudo apt-get update  && \
sudo apt-get install openssh-server && \
sudo service ssh start

Then take the following steps to enable sshing to localhost:

cd ~/.ssh 

# Generate a public/private rsa key pair; 
# Use the default options
ssh-keygen

# Append the key to the authorized_keys file
cat id_rsa.pub >> authorized_keys

# Set the required permissions 
sudo chmod 640 authorized_keys

# Restart service with the latest changes (keys)
sudo service ssh restart

# Verify that ssh is running and working
ssh localhost

Answer 2

You may need to adjust the path to config.pem based on its actual location in your file system if it's not in the current directory from where you're running the ssh command.

ssh -i config.pem user@your_id

Answer 3

The debug message actually provides information about the root cause of the error.

debug1: Next authentication method: publickey  
debug1: Offering RSA public key: /home/ubuntu/.ssh/id_rsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering DSA public key: /home/ubuntu/.ssh/id_dsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering ECDSA public key: /home/ubuntu/.ssh/id_ecdsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering ED25519 public key: /home/ubuntu/.ssh/id_ed25519  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug2: we did not send a packet, disable method  
debug1: No more authentication methods to try.  
Permission denied (publickey).  

To authenticate with public key, the client will send SSH_MSG_USERAUTH_REQUEST that contains its public key to the server. When receiving this message, the server will check if the public key has been authorized (usually against the authorized_keys file).

The client had several public keys created with different algorithms (id_rsa.pub, id_dsa.pub, id_ecdsa.pub, id_ed25519.pub). When authenticating, the client started by offering the server with the default public key id_rsa.pub and rotated through the remaining public keys when the server responded that it could not authorize the provided public key. Finally, when all the public keys failed to be authorized, the SSH client displayed Permission denied message.

The preauth label was shown to indicate the connection was closed before authentication process was completed.

Answer 4

i try to resolve this problem accord above answer， edit config file /etc/ssh/sshd_config ，but it doesn't work.

PermitRootLogin yes

Then i reset password "12345678", login successfully!!! origin password is '0123;

Answer 5

As mentioned here: https://askubuntu.com/questions/689710/ssh-localhost-gives-permission-denied-publickey, try checking the logs at /var/log/auth.log for possible issues and then proceed as required. Mine was an access issue for the user ubuntu which was solved through the following scripts:

chmod go-w /home/ubuntu
chmod 700 /home/ubuntu/.ssh
chmod 600 /home/ubuntu/.ssh/authorized_keys

Answer 6

$cat /etc/ssh/sshd_config
...
AllowUsers User1 User2 User3
...

Might also be the problem

Answer 7

// Your server

server@server:~$ ssh localhost

ECDSA key fingerprint is SHA256:Kv2PpSzdjCr7dhPHQPAHgEoSacrKEGUDEUKVBEb/BQY. Are you sure you want to continue connecting (yes/no)? yes server@192.168.43.96's password: ********

// Your laptop

PS C:\Users\username> ssh server@192.168.43.96

The authenticity of host '192.168.43.96 (192.168.43.96)' can't be established. ECDSA key fingerprint is SHA256:Kv2PpSzdjCr7dhPHQPAHgEoSacrKEGUDEUKVBEb/BQY. Are you sure you want to continue connecting (yes/no)? yes server@192.168.43.96's password: ********

Done!

Answer 8

Apart from adding public key you may want to change a PasswordAuthentication from 'no' to 'yes' (it may be 'no' by default in a fresh installed ssh).

Open config

$ sudo nano /etc/ssh/sshd_config

and change

PasswordAuthentication no

to

PasswordAuthentication yes

save and exit. Then reload ssh server

$ sudo service ssh reload

Note: PasswordAuthentication is not recommended from the security point, disable it and use SSH key if your server is exposed to the internet.

Answer 9

After reading some good manuals I realized that the public key of ubuntu@ (e.g., /home/ubuntu/.ssh/id_dsa.pub) must be added to the user's /home/ubuntu/.ssh/authorized_keys file, which contains public keys for public key authentication)

ubuntu@<localhost>:~$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys