2

(Most threads about this issue are either AWS or GitHub related. Mine is neither. It's a simple Digital Ocean CentOS 8 server.)

My old Macbook connects to my SSH server without any issues, using

ssh -2 -p 5555 -i  /Users/Me/.ssh/id_rsa  me@99.99.99.99

(Port number and IP changed for privacy, of course.)

I bought a new Macbook Pro, and have set up the ssh-keygen stuff as usual, then manually moved the id_rsa.pub to the server's .ssh/authorized_keys. On the server, I did this adding to the authorized keys file using nano while logged in as the root user. So this below is what the .ssh dir looks like on the server, when logged in as the root user:

990971649 -rw-------. 1 root root 2722 Jul  7 07:52 authorized_keys
990971651 -rw-------. 1 root root 3389 Jan 10  2021 id_rsa
990971652 -rw-------. 1 root root  747 Jan 10  2021 id_rsa.pub

But despite adding the id_rsa.pub stuff into the authorized_keys on the server, I get this error:

me@99.99.99.99: Permission denied (publickey)

Most threads on this issue have been 'solved' by adding some parameter, but my ssh_config settings on the server seem to be fine...and this works from my old Macbook! Below are the server settings--

Protocol 2
Port 5555

LoginGraceTime 60
ClientAliveInterval 120
ClientAliveCountMax 3
MaxSessions  6
AllowUsers root 
PermitEmptyPasswords    no
PasswordAuthentication  no
PermitRootLogin         yes
X11Forwarding           no 
MaxAuthTries            6 
IgnoreRhosts            yes
AllowTcpForwarding      no
AllowAgentForwarding    no
Compression             no 
TCPKeepAlive            no 
UseDNS                  no 
HostbasedAuthentication no
PubkeyAuthentication    yes

AuthenticationMethods   publickey

What else could be going wrong?

Khom Nazid
  • Can you share your sshd_config from the server? – Z0OM Jul 07 '22 at 12:40
  • Can you check the auth.log on your server with : grep 'sshd' /var/log/auth.log – Z0OM Jul 07 '22 at 13:32
  • I am on CentOS. There's no file like that. There however is `/var/log/secure` and that shows these errors: https://pastebin.com/bZMh0mRt – Khom Nazid Jul 08 '22 at 02:46
  • Can you try what I wrote in the update, step by step? Create a new user, deactivate everything I wrote, and try to log in with only username and password and no port selected; try the standard 22. If this works, change the port to your needs. Then create a new key and upload it with ssh-copy-key. Try to log in with the key now (-i); if this works, edit your sshd_config to your needs, step by step (don't forget to restart the sshd server every time you make changes). That's how I would find the solution. – Z0OM Jul 08 '22 at 07:26
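
The question describes pasting id_rsa.pub into authorized_keys by hand with nano. The following is an added example, not part of the original thread, that checks each authorized_keys line for a key blob broken by editor wrapping and prints the fingerprint of every intact entry; the key material and the comments `me@old-macbook` / `me@new-macbook` are constructed, and option fields containing spaces are assumed absent.

```python
import base64
import binascii
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_string(data):  # length-prefixed field of an SSH public key blob
    return len(data).to_bytes(4, "big") + data

def read_fields(blob):
    """Split a key blob into its length-prefixed fields; None if truncated."""
    fields, pos = [], 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 4], "big")
        field = blob[pos + 4:pos + 4 + size]
        if len(blob) - pos < 4 or len(field) != size:
            return None
        fields.append(field)
        pos += 4 + size
    return fields

def check_line(line):
    """Return (status, detail) for one authorized_keys line."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(parts):
        return ("bad", "no key type followed by a key blob")
    try:
        blob = base64.b64decode(parts[idx + 1], validate=True)
    except binascii.Error:
        return ("bad", "key blob is not valid base64")
    fields = read_fields(blob)
    if not fields or fields[0] != parts[idx].encode():
        return ("bad", "key blob is truncated or does not match its type")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ("ok", "SHA256:" + digest)

def audit(text):
    """Check every non-comment line; returns [(line_number, status, detail)]."""
    return [(n, *check_line(l)) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample: a fake RSA blob, once intact and once wrapped by an editor.
BLOB = base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                        + ssh_string(b"\x00" + bytes(range(1, 65)))).decode()
SAMPLE = (f"ssh-rsa {BLOB} me@old-macbook\n"
          f"ssh-rsa {BLOB[:40]}\n{BLOB[40:]} me@new-macbook\n")
print(audit(SAMPLE))
```

The fingerprint reported for an intact line can be compared with the output of `ssh-keygen -lf ~/.ssh/id_rsa.pub` on the client to confirm that the server holds the key the new machine actually offers.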

2 Answers

2

To address the issue of OpenSSH 9.0p1 disabling RSA signatures using the SHA-1 hash algorithm by default, you can follow these steps to modify the ssh_config file:

sudo vi /etc/ssh/ssh_config

Add the following lines to the bottom of ssh_config:

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
Mohamed Jaleel Nazir
1

sshd_config is the configuration file for the OpenSSH server. ssh_config is the configuration file for the OpenSSH client. Make sure not to get them mixed up.

You need to edit the server config file, not the client config file (ssh_config).

Add or edit this in your sshd_config

PubkeyAuthentication yes

If you don't want to log in with passwords, only keys, edit this too:

But first try to log in with the key, then edit this to no if the server is not in the same location!

PasswordAuthentication  no

And don't log in as root, for security!

PermitRootLogin         no

You can use ssh-copy-id to copy the key to the server

ssh-copy-id  -i ~/.ssh/[KEY] -p [PORT] [user]@[IP]

UPDATE:

Uncomment all these lines in your sshd_config and try to log in with an allowed/existing user, using only the password, to find out if there are other errors:

DON'T FORGET TO RESTART THE SSH SERVER EVERY TIME YOU CHANGE SOMETHING IN THE SSH SERVER FILES:

#LoginGraceTime 60
#ClientAliveInterval 120
#ClientAliveCountMax 3
#MaxSessions  6
#AllowUsers root 
#PermitEmptyPasswords    no
PasswordAuthentication  yes
#PermitRootLogin         yes
#X11Forwarding           no 
#MaxAuthTries            6 
#IgnoreRhosts            yes
#AllowTcpForwarding      no
#AllowAgentForwarding    no
#Compression             no 
#TCPKeepAlive            no 
#UseDNS                  no 
#HostbasedAuthentication no
#PubkeyAuthentication    yes
#AuthenticationMethods   publickey
Z0OM
  • Yes that code I shared above is in fact on the server. These settings make no difference. Still get the error. (And no, ssh-copy-id won't work -- same error) – Khom Nazid Jul 07 '22 at 12:29
  • You edit the sshd_config or ssh_config? – Z0OM Jul 07 '22 at 12:30
  • What is the error message of ssh-copy-id? – Z0OM Jul 07 '22 at 12:33
  • The error message of ssh-copy-id is exactly the same. The ssh_config of the server is what I've included in my question: this is the file `/etc/ssh/sshd_config` on the CentOS server. – Khom Nazid Jul 07 '22 at 12:41
  • If you try to login only with a password not with the key you get the same error message? Permission denied (publickey) – Z0OM Jul 07 '22 at 12:45
  • There is no password. I just use the key on the old Macbook. – Khom Nazid Jul 07 '22 at 12:48
  • There must be a password for the user "me" on the server. Try to log in with this user (change his password on the server if you lost it), because with your config file it looks like you can log in with a key, or with a password for a user without a key. – Z0OM Jul 07 '22 at 12:51
  • try to uncomment this too : #HostbasedAuthentication no – Z0OM Jul 07 '22 at 12:54
  • There's no user called "me". It was me masking an old user ID for public posting here. I've removed that line. The updated `sshd_config` file is in my question now -- no impact though, same error. – Khom Nazid Jul 07 '22 at 13:00
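
The second answer recommends `PermitRootLogin no`, while the sshd_config in the question contains `AllowUsers root`. The following is an added example, not part of the original thread, that reads the global part of an sshd_config and lists the directives that would refuse a given user before any key is checked; the two sample configs are constructed from directives quoted on this page, `Match` blocks are ignored, and only the USER part of `AllowUsers` patterns is compared (approximated with fnmatch).

```python
import fnmatch

def parse_global(text):
    """Keyword -> list of argument lists for the global part of sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key.lower() == "match":   # simplification: ignore Match blocks
            break
        settings.setdefault(key.lower(), []).append(args)
    return settings

def login_blockers(config_text, user):
    """Reasons sshd would refuse `user` regardless of which key is offered."""
    cfg = parse_global(config_text)

    def first(key, default):
        # sshd uses the first value it reads for a keyword
        return cfg[key][0][0] if cfg.get(key) and cfg[key][0] else default

    reasons = []
    allow = [p for args in cfg.get("allowusers", []) for p in args]
    # Assumption: only the USER part of USER@HOST patterns is compared.
    if allow and not any(fnmatch.fnmatchcase(user, p.split("@")[0]) for p in allow):
        reasons.append(f"AllowUsers ({' '.join(allow)}) excludes {user}")
    if user == "root" and first("permitrootlogin", "prohibit-password") == "no":
        reasons.append("PermitRootLogin no")
    if first("pubkeyauthentication", "yes") == "no":
        reasons.append("PubkeyAuthentication no")
    return reasons

# Constructed samples based on the directives quoted on this page.
QUESTION_CFG = """\
Port 5555
AllowUsers root
PermitRootLogin yes
PubkeyAuthentication yes
AuthenticationMethods publickey
"""
HARDENED_CFG = QUESTION_CFG.replace("PermitRootLogin yes", "PermitRootLogin no")

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CFG), ("hardened", HARDENED_CFG)):
        for user in ("root", "me"):
            print(name, user, login_blockers(cfg, user))
```

With the constructed "hardened" config every account is refused, so an unprivileged user has to be added to `AllowUsers` before root login is switched off. `sshd -t` checks the file for validity before a restart but does not report this kind of conflict.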