9

I'm using OpenSSH 6.9p1 (on Lubuntu) as my SSH server. When trying to connect to it (using an SSH client in Cygwin), I keep being reverted to password authentication, despite having properly generated my keys, put them in the authorized key file on the server, checked the permissions etc.

So, I look in /var/log/auth.log to see what the server says. I find this:

```
Nov  1 09:50:10 er-thinkpad sshd[16148]: Accepted password for joeuser from 192.168.2.6 port 53325 ssh2
Nov  1 09:50:10 er-thinkpad sshd[16148]: pam_unix(sshd:session): session opened for user joeuser by (uid=0)
Nov  1 09:50:10 er-thinkpad systemd-logind[590]: New session 497 of user joeuser.
```

... and nothing before that first line about the public key authentication failure. Ok, let's increase the verbosity maybe. So I change LogLevel from INFO to VERBOSE and try again. Now I get:

```
Nov  1 09:53:12 er-thinkpad sshd[16269]: Connection from 192.168.2.6 port 53349 on 192.168.2.2 port 22
Nov  1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: RSA SHA256:removedthis
Nov  1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: ECDSA SHA256:removedthis
Nov  1 09:53:15 er-thinkpad sshd[16269]: Accepted password for joeuser from 192.168.2.6 port 53349 ssh2
Nov  1 09:53:15 er-thinkpad sshd[16269]: pam_unix(sshd:session): session opened for user joeuser by (uid=0)
Nov  1 09:53:15 er-thinkpad systemd-logind[590]: New session 499 of user joeuser.
Nov  1 09:53:15 er-thinkpad sshd[16269]: User child is on pid 16271
Nov  1 09:53:15 er-thinkpad sshd[16271]: Starting session: shell on pts/5 for joeuser from 192.168.2.6 port 53349
```

So great, it failed, but why did it fail? How can I get sshd to tell me that?


PS - Just so you know, here's what the client sees:

```
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/joeuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Skipping ssh-dss key /home/joeuser/.ssh/id_dsa for not in PubkeyAcceptedKeyTypes
debug1: Offering ECDSA public key: /home/joeuser/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/joeuser/.ssh/id_ed25519
debug1: Next authentication method: password
```
einpoklum
  • @MadHatter: I did do that... – einpoklum Nov 01 '15 at 08:59
  • Sorry, I just noticed (and deleted my comment). But there are levels above `VERBOSE`, and now might be a good time to try them. – MadHatter Nov 01 '15 at 09:00
  • @Iain: Can you explain which elements from the list of necessary ones you think are missing? Note the question has been given a reasonable answer already, so enough info was available to allow that. – einpoklum Nov 04 '15 at 12:38

1 Answer

11

On the server side, set the log level to DEBUG3. On the client side, connect with the -vvv option (which gives you DEBUG3 on the client side as well).

Bazze
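The VERBOSE-level lines in the question already record that a connection fell back from public key to password, even though they do not say why. The following is an added example, not part of the original question or answer: it groups `auth.log` lines by sshd PID and reports connections where every offered key was rejected and a password was then accepted. The function name `find_fallbacks` and the embedded sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: log lines copied from the question (fingerprints were
# already redacted there). PID 16148 was logged at INFO, PID 16269 at VERBOSE.
SAMPLE_LOG = """\
Nov  1 09:50:10 er-thinkpad sshd[16148]: Accepted password for joeuser from 192.168.2.6 port 53325 ssh2
Nov  1 09:53:12 er-thinkpad sshd[16269]: Connection from 192.168.2.6 port 53349 on 192.168.2.2 port 22
Nov  1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: RSA SHA256:removedthis
Nov  1 09:53:12 er-thinkpad sshd[16269]: Failed publickey for joeuser from 192.168.2.6 port 53349 ssh2: ECDSA SHA256:removedthis
Nov  1 09:53:15 er-thinkpad sshd[16269]: Accepted password for joeuser from 192.168.2.6 port 53349 ssh2
Nov  1 09:53:15 er-thinkpad sshd[16269]: pam_unix(sshd:session): session opened for user joeuser by (uid=0)
"""

# Matches sshd "Accepted/Failed <method> for <user> from <ip> port <n> ssh2"
# lines, with the optional ": <keytype> <fingerprint>" suffix of publickey events.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)

def find_fallbacks(log_text):
    """Return connections where publickey failed and password was then accepted."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            by_pid[m["pid"]].append(m)  # one sshd PID per connection
    findings = []
    for pid, events in by_pid.items():
        rejected = [e["keytype"] for e in events
                    if e["result"] == "Failed" and e["method"] == "publickey"]
        accepted = [e for e in events if e["result"] == "Accepted"]
        if rejected and accepted and accepted[-1]["method"] == "password":
            a = accepted[-1]
            findings.append({"pid": int(pid), "user": a["user"], "ip": a["ip"],
                             "rejected_key_types": rejected})
    return findings

if __name__ == "__main__":
    for finding in find_fallbacks(SAMPLE_LOG):
        print(finding)
```

The INFO-level connection (PID 16148) is not reported because the rejected keys were never logged, so this check needs at least `LogLevel VERBOSE`. sshd_config(5) notes that DEBUG-level logging violates user privacy, so revert `LogLevel` once the cause has been found.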