1

I know this question has been asked more than a few times, but I can't work it out on my machine and I feel like I have tried everything.

I want to log into my Ubuntu machine with ssh using a public key from my machine - so that I do not have to type in a password.

I always always always get permission denied (publickey).

I have created new keys with all sorts of options and nothing seems to change this.

Password authentication works fine - so I am not locked out or anything, but I want to be able to login with an SSH key if I can on computers I use a lot.

This is my log:

```
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to bcs.net.nz [203.167.215.130] port 22.
debug1: Connection established.
debug1: identity file /Users/jeff/.ssh/id_rsa type 1
debug1: identity file /Users/jeff/.ssh/id_rsa-cert type -1
debug1: identity file /Users/jeff/.ssh/id_dsa type -1
debug1: identity file /Users/jeff/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version   OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 3b:2d:96:07:cf:f9:63:82:b1:3f:ae:5d:a0:83:24:84
debug1: Host 'bcs.net.nz' is known and matches the RSA host key.
debug1: Found key in /Users/jeff/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/jeff/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/jeff/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
```

My client machine is a MacBook Air with the following permissions in the ~/.ssh/ directory:

```
-rw------- 1 jeff staff 1675 2 Apr 22:32 id_rsa
-rw------- 1 jeff staff 405 2 Apr 22:32 id_rsa.pub
-rw------- 1 jeff staff 405 2 Apr 23:39 known_hosts
```

My Server machine has these in the ~/.ssh

-rw------- 1 git git 1 Apr 2 23:36 authorized_keys

The id_rsa.pub is copied into the authorized_keys

I am at my wits' end, because I have tried so many combinations :-) Anything else that can help?

======== ADDED SERVER LOG =======

Apr  3 11:19:16 bcs sshd[19198]: debug1: Forked child 19300.
Apr  3 11:19:16 bcs sshd[19300]: Set /proc/self/oom_score_adj to 0
Apr  3 11:19:16 bcs sshd[19300]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Apr  3 11:19:16 bcs sshd[19300]: debug1: inetd sockets after dupping: 3, 3
Apr  3 11:19:16 bcs sshd[19300]: Connection from 103.26.16.233 port 58988 on 172.16.1.102 port 22
Apr  3 11:19:16 bcs sshd[19300]: debug1: Client protocol version 2.0; client software version OpenSSH_6.2
Apr  3 11:19:16 bcs sshd[19300]: debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
Apr  3 11:19:16 bcs sshd[19300]: debug1: Enabling compatibility mode for protocol 2.0
Apr  3 11:19:16 bcs sshd[19300]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
Apr  3 11:19:16 bcs sshd[19300]: debug1: permanently_set_uid: 116/65534 [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: SSH2_MSG_KEXINIT received [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: KEX done [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: userauth-request for user git service ssh-connection method none [preauth]
Apr  3 11:19:16 bcs sshd[19300]: debug1: attempt 0 failures 0 [preauth]
Apr  3 11:19:17 bcs sshd[19300]: reverse mapping checking getaddrinfo for 103-26-16-233.ufb.ff.net.nz [103.26.16.233] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  3 11:19:17 bcs sshd[19300]: debug1: userauth-request for user git service ssh-connection method publickey [preauth]
Apr  3 11:19:17 bcs sshd[19300]: debug1: attempt 1 failures 0 [preauth]
Apr  3 11:19:17 bcs sshd[19300]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Apr  3 11:19:17 bcs sshd[19300]: debug1: temporarily_use_uid: 1008/1007 (e=0/0)
Apr  3 11:19:17 bcs sshd[19300]: debug1: trying public key file /root/.ssh/authorized_keys
Apr  3 11:19:17 bcs sshd[19300]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': Permission denied
Apr  3 11:19:17 bcs sshd[19300]: debug1: restore_uid: 0/0
Apr  3 11:19:17 bcs sshd[19300]: Failed publickey for git from 103.26.16.233 port 58988 ssh2: RSA a3:40:f0:b3:8d:c7:fa:d2:6e:c4:53:93:1b:30:82:92
Apr  3 11:19:17 bcs sshd[19300]: Connection closed by 103.26.16.233 [preauth]
Apr  3 11:19:17 bcs sshd[19300]: debug1: do_cleanup [preauth]
Apr  3 11:19:17 bcs sshd[19300]: debug1: monitor_read_log: child log fd closed
Apr  3 11:19:17 bcs sshd[19300]: debug1: do_cleanup
Apr  3 11:19:17 bcs sshd[19300]: debug1: Killing privsep child 19301
Jeff Kranenburg
  • The /var/log/auth.log is empty - if that is what you are referring to? – Jeff Kranenburg Apr 02 '15 at 21:31
  • Ok I will need to see how to enable that - never needed it before. – Jeff Kranenburg Apr 02 '15 at 21:41
  • Still no luck in getting auth.log to show anything - changed LogLevel from INFO to DEBUG – Jeff Kranenburg Apr 02 '15 at 21:50
  • @dawud Is this what you require? – Jeff Kranenburg Apr 02 '15 at 22:24
  • my ~/.ssh/ folder is under the git user home folder and I am wanting to log in as git@bcs.net.nz – Jeff Kranenburg Apr 02 '15 at 22:38
  • https://access.redhat.com/solutions/83933 – dawud Apr 02 '15 at 22:52
  • Still no luck - added UseDNS no to my sshd_conf file – Jeff Kranenburg Apr 02 '15 at 22:54
  • By what means did you copy your public key into the authorized_keys file on the server? Also, can you verify that you are using the correct user accounts on both client and server side, i.e. use whoami on your client to make sure you are in the account of the user whose key you've copied to the server. Additionally, make sure the user account you are attempting to authenticate as via ssh on the server contains the public key in its authorized_keys. – sardean Apr 02 '15 at 23:11
  • Hi @dean I have used several ways to copy. 1) I did a copy and paste with mouse and cmd-c / cmd-v in terminal. I have also done `cat ~/.ssh/id_rsa.pub | ssh git@bcs.net.nz 'cat >> ~/.ssh/authorized_keys'` 2) `whoami` and `pwd` are both in the expected paths. 3) the `authorised_keys` has the id_rsa.pub key in it. – Jeff Kranenburg Apr 02 '15 at 23:17
  • OK - I just redid the cat command for the I-don't-know-how-many-th time and it accepted it. No idea why this time is different – Jeff Kranenburg Apr 02 '15 at 23:21

2 Answers

1

Check the following in your server's sshd_config:

PubkeyAuthentication yes
AuthorizedKeysFile     %h/.ssh/authorized_keys

For some reason, your sshd is trying to open the /root/.ssh/authorized_keys file (from your sshd log) though you are trying to log in with user 'git', so it should actually read /home/git/.ssh/authorized_keys. I suspect the AuthorizedKeysFile entry is misconfigured. Typically, the AuthorizedKeysFile entry does not need to be set as it defaults to the above value.

Arul Selvan
  • 1
    Another possibility is that the user's home directory is specified incorrectly in `/etc/passwd`. – kasperd May 01 '15 at 07:09
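
The two causes raised in this answer and its comment (a wrong `AuthorizedKeysFile` entry, or a wrong home directory in `/etc/passwd`) can be checked by resolving the path sshd would open for the user. This is an added example, not code from the thread; the function names and the sample files it builds are hypothetical, and it assumes only the first `AuthorizedKeysFile` pattern matters, no `Match` blocks, and only the `%h` and `%u` tokens.

```shell
# Added example (not from the thread): which authorized_keys file would sshd
# open for a user? Works on copies of sshd_config and passwd. Assumptions: first
# AuthorizedKeysFile pattern only, Match blocks ignored, only %h and %u expanded.
# Home directory (6th passwd field) of user $2 in passwd file $1.
home_of() {
    awk -F: -v u="$2" '$1 == u { print $6; exit }' "$1"
}

# First AuthorizedKeysFile pattern in sshd_config $1, else the usual default.
akf_pattern() {
    p=$(awk 'tolower($1) == "authorizedkeysfile" { print $2; exit }' "$1")
    echo "${p:-.ssh/authorized_keys}"
}

# resolve_akf SSHD_CONFIG PASSWD USER -> absolute path sshd would try.
resolve_akf() {
    home=$(home_of "$2" "$3")
    [ -n "$home" ] || { echo "no passwd entry for $3" >&2; return 1; }
    path=$(akf_pattern "$1" | sed -e "s|%h|$home|g" -e "s|%u|$3|g")
    case $path in
        /*) echo "$path" ;;          # absolute pattern: used as written
        *)  echo "$home/$path" ;;    # relative pattern: relative to the home dir
    esac
}

# check_akf SSHD_CONFIG PASSWD USER -> "ok PATH" or "suspect PATH (reason)".
check_akf() {
    path=$(resolve_akf "$1" "$2" "$3") || return 1
    home=$(home_of "$2" "$3")
    case $3:$path in
        root:/root/*) echo "ok $path" ;;
        *:/root/*)    echo "suspect $path (root's file for $3)" ;;
        *:"$home"/*)  echo "ok $path" ;;
        *)            echo "suspect $path (outside $home)" ;;
    esac
}

# Constructed sample inputs, written to a temp dir so nothing real is touched.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\ngit:x:1008:1007::/home/git:/bin/sh\n' > "$d/passwd"
    printf 'git:x:1008:1007::/root:/bin/sh\n' > "$d/passwd.badhome"
    printf 'PubkeyAuthentication yes\nAuthorizedKeysFile %%h/.ssh/authorized_keys\n' > "$d/good"
    printf 'AuthorizedKeysFile /root/.ssh/authorized_keys\n' > "$d/bad"
    echo "$d"
}

d=$(make_samples)
check_akf "$d/bad" "$d/passwd" git; check_akf "$d/good" "$d/passwd.badhome" git; rm -rf "$d"
```

On the server itself, `sshd -T` (run as root) prints the effective configuration, which shows the `authorizedkeysfile` value sshd is really using.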
-1

Add this on the server:

ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key
René Höhle
  • What does this achieve? It is great that you provided an answer, but it would be good to explain what your answer achieves - kinda the point here :-) – Jeff Kranenburg Apr 30 '15 at 19:26
  • 1
    Please explain why and how your code snippet answers the question. Only copy-pasting some lines of a script is not enough here. – peterh Apr 30 '15 at 21:07
  • 1
    The question says password auth works which implies, and the log proves, that the server already has a perfectly good and already-recorded RSA key. Changing the server key(s) would *cause* problems, namely a "possible attack" mismatch, not solve them. – dave_thompson_085 May 01 '15 at 00:20
  • 1
    @JeffKranenburg As far as I can tell what these lines do is not to solve the problem but rather to add another one, which is likely going to be harder to solve than the first one. – kasperd May 01 '15 at 06:06