Hi,
I have a problem connecting to my server via SSH. I generated an rsa key according to the CentOS server tutorial (http://wiki.centos.org/HowTos/Network/SecuringSSH). Then I tried to configure my ArchLinux client according to the arch wiki tutorial, but I got this error message:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
/usr/bin/sshd -d
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1h 5 Jun 2014
debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
Could not load host key: /etc/ssh/ssh_host_rsa_key
debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
Could not load host key: /etc/ssh/ssh_host_dsa_key
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission denied
Could not load host key: /etc/ssh/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
The sshd.service daemon is running (active (running)).
I found a lot of similar errors on the internet, but usually the problem was with permissions on a directory/file. That didn't help me. I have my keys in the ~/.ssh directory with correct permissions.
Can you help me with this problem? Or would it help if I posted some other config file/log, etc.?
Last edited by FiX#3 (2014-06-12 06:11:47)
Start sshd with systemctl:
#systemctl start sshd
If you already did that, check that the keys mentioned in /etc/ssh/ are there (they should be generated by default) and that root has read-write access to them (only root should have this).
I hope this is alright. But my keys are stored in ~/.ssh; I cannot use these keys (ssh_host_rsa_key etc.), right?
$ systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since St 2014-06-11 12:35:00 CEST; 13min ago
Main PID: 335 (sshd)
CGroup: /system.slice/sshd.service
└─335 /usr/bin/sshd -D
$ ls -l /etc/ssh
celkem 288
-rw-r--r-- 1 root root 242153 20. dub 21.36 moduli
-rw-r--r-- 1 root root 1574 20. dub 21.36 ssh_config
-rw-r--r-- 1 root root 3654 11. čen 10.02 sshd_config
-rw------- 1 root root 668 11. čen 09.18 ssh_host_dsa_key
-rw-r--r-- 1 root root 603 11. čen 09.18 ssh_host_dsa_key.pub
-rw------- 1 root root 227 11. čen 09.18 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 175 11. čen 09.18 ssh_host_ecdsa_key.pub
-rw------- 1 root root 399 11. čen 09.18 ssh_host_ed25519_key
-rw-r--r-- 1 root root 95 11. čen 09.18 ssh_host_ed25519_key.pub
-rw------- 1 root root 978 11. čen 09.18 ssh_host_key
-rw-r--r-- 1 root root 643 11. čen 09.18 ssh_host_key.pub
-rw------- 1 root root 1679 11. čen 09.18 ssh_host_rsa_key
-rw-r--r-- 1 root root 395 11. čen 09.18 ssh_host_rsa_key.pub
The keys in /etc/ssh are host keys, and need to be there. Their permissions are right. Only root can read them, so I think you are not running sshd as root?
Did you try to start it with systemctl? Or run sshd as root?
I tried to restart sshd as root, but the result is the same.
[root@mar-arch mar]# systemctl stop sshd
[root@mar-arch mar]# systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: inactive (dead) since St 2014-06-11 13:06:44 CEST; 8s ago
Process: 335 ExecStart=/usr/bin/sshd -D (code=exited, status=0/SUCCESS)
Main PID: 335 (code=exited, status=0/SUCCESS)
čen 11 12:35:00 mar-arch systemd[1]: Starting OpenSSH Daemon...
čen 11 12:35:00 mar-arch systemd[1]: Started OpenSSH Daemon.
čen 11 12:35:01 mar-arch sshd[335]: Server listening on 0.0.0.0 port 22.
čen 11 12:35:01 mar-arch sshd[335]: Server listening on :: port 22.
čen 11 13:06:44 mar-arch systemd[1]: Stopping OpenSSH Daemon...
čen 11 13:06:44 mar-arch systemd[1]: Stopped OpenSSH Daemon.
[root@mar-arch mar]# systemctl start sshd
[root@mar-arch mar]# systemctl status sshd
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since St 2014-06-11 13:07:01 CEST; 2s ago
Main PID: 1901 (sshd)
CGroup: /system.slice/sshd.service
└─1901 /usr/bin/sshd -D
čen 11 13:07:01 mar-arch systemd[1]: Starting OpenSSH Daemon...
čen 11 13:07:01 mar-arch systemd[1]: Started OpenSSH Daemon.
čen 11 13:07:01 mar-arch sshd[1901]: Server listening on 0.0.0.0 port 22.
čen 11 13:07:01 mar-arch sshd[1901]: Server listening on :: port 22.
$ ssh mar@192.168.1.2
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Hmm, that's strange. Do you have access to the server without ssh? I think you'll need to check the logfiles on the server. Check /var/log/auth.log
There is no /var/log/auth.log, but I think /var/log/secure is the same on CentOS. The output is:
Jun 11 16:15:13 server sshd[25737]: Connection closed by 192.168.1.101
If the arch box is just the client you do not need to run sshd on it.
Did you copy the public keys for your user from the client ( arch ) to the server?
Try to get more verbose output; SSH has an option for that.
ssh -vvv 'user@server'
loqs
I installed it into authorized_keys:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
qinohe
Verbose output of connection:
$ ssh -vvv 'mar@192.168.1.2'
OpenSSH_6.6.1, OpenSSL 1.0.1h 5 Jun 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.2 [192.168.1.2] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/mar/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/mar/.ssh/id_rsa type 1
debug1: identity file /home/mar/.ssh/id_rsa-cert type -1
debug1: identity file /home/mar/.ssh/id_dsa type -1
debug1: identity file /home/mar/.ssh/id_dsa-cert type -1
debug1: identity file /home/mar/.ssh/id_ecdsa type -1
debug1: identity file /home/mar/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mar/.ssh/id_ed25519 type -1
debug1: identity file /home/mar/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.168.1.2" from file "/home/mar/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/mar/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: setup hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1541/3072
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 91:00:8d:42:51:14:6b:0a:9f:e4:0e:fc:e1:51:f5:07
debug3: load_hostkeys: loading entries for host "192.168.1.2" from file "/home/mar/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/mar/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '192.168.1.2' is known and matches the RSA host key.
debug1: Found key in /home/mar/.ssh/known_hosts:1
debug2: bits set: 1580/3072
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mar/.ssh/id_rsa (0x7fbc63bf4ef0),
debug2: key: /home/mar/.ssh/id_rsa (0x7fbc63befbc0),
debug2: key: /home/mar/.ssh/id_dsa ((nil)),
debug2: key: /home/mar/.ssh/id_ecdsa ((nil)),
debug2: key: /home/mar/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mar/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Offering RSA public key: /home/mar/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/mar/.ssh/id_dsa
debug3: no such identity: /home/mar/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/mar/.ssh/id_ecdsa
debug3: no such identity: /home/mar/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/mar/.ssh/id_ed25519
debug3: no such identity: /home/mar/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Output says "No such file or directory", but this is my ~/.ssh folder:
.ssh]$ ls -l
celkem 12
-rw------- 1 mar mar 1766 11. čen 09.37 id_rsa
-rw------- 1 mar mar 405 11. čen 09.37 id_rsa.pub
-rw------- 1 mar mar 393 11. čen 09.44 known_hosts
loqs
I installed it into authorized_keys:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
Output says "No such file or directory", but this is my ~/.ssh folder:
.ssh]$ ls -l
celkem 12
-rw------- 1 mar mar 1766 11. čen 09.37 id_rsa
-rw------- 1 mar mar 405 11. čen 09.37 id_rsa.pub
-rw------- 1 mar mar 393 11. čen 09.44 known_hosts
If the output of ls -l is from the server, where is the authorized_keys file you just appended to?
It seems to not find your RSA key.
Check authorized_keys as loqs suggested.
If the output of ls -l is from the server where is the authorized_keys file you just appended to?
Sorry, I should have said that this output is from the client.
Output from server:
-rw-------. 1 mar prace 405 11. čen 11.34 authorized_keys
From the guide you used, did you also remember to run the SELinux command on the server:
$ restorecon -Rv ~/.ssh
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
This somehow makes me think you created the keys on your server; however, I might be wrong?
I did everything again. The result is the same.
On client (Arch linux):
[mar@mar-arch ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mar/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mar/.ssh/id_rsa.
Your public key has been saved in /home/mar/.ssh/id_rsa.pub.
[mar@mar-arch ~]$ chmod 700 ~/.ssh
[mar@mar-arch ~]$ chmod 600 ~/.ssh/id_rsa
[mar@mar-arch ~]$ ls -l ~/.ssh/
celkem 8
-rw------- 1 mar mar 1766 11. čen 15.35 id_rsa
-rw-r--r-- 1 mar mar 394 11. čen 15.35 id_rsa.pub
-rw------- 1 mar mar 0 11. čen 15.34 known_hosts
On server (CentOS):
(I moved the id_rsa.pub file with the flash disk)
[mar@server arch]$ ls
id_rsa.pub
[mar@server arch]$ cat id_rsa.pub >> ~/.ssh/authorized_keys
[mar@server arch]$ chmod 700 ~/.ssh
[mar@server arch]$ chmod 600 ~/.ssh/authorized_keys
[mar@server arch]$ restorecon -Rv ~/.ssh
As qinohe asked, you did actually copy the id_rsa.pub key from the client to the server? Just asking because this step is not really covered in the guide.
If you did that, I'm running out of ideas.
EDIT: Never mind, I missed the part where you said you already did that :-)
Last edited by rune0077 (2014-06-11 13:57:56)
(I moved the id_rsa.pub file with the flash disk)
My idea: use 'ssh-copy-id' for that; it could be your first check to see if the server works.
After you did that, lock down SSH through your config file; it leaves some room to 'see' what is happening.
The "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)." error refers to the failure of the authentication to the ssh server using either the "publickey", "gssapi-keyex" or "gssapi-with-mic" protocols, and in no way means there is a unix file permissions error.
You should run sshd in debug mode (on the server) and check the log (the server's log).
PS: The "no such file or directory" messages above were referencing files used for other encryption algorithms like "id_dsa" (not "id_rsa"), etc...
@\hbar, you are probably on the right track; with the UNIX file permissions, it could be that the OP is using an encrypted partition, from which authorized_keys can't be read.
@FIX#3, if the above is the case, have a look at https://help.ubuntu.com/community/SSH/O … leshooting
You should run sshd in debug mode (on the server) and check the log (the server's log).
Thanks a lot! I ran sshd in debug mode and then I found out that the server was not reading the ~/.ssh/authorized_keys file, so I changed the configuration and the connection works :-).
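The two things \hbar's post and the resolution point at (which file sshd's AuthorizedKeysFile actually resolves to, and the StrictModes ownership/permission checks that make sshd silently ignore that file) can be checked offline with a small script run on the server as the user. This is an added example, not code from the thread or from OpenSSH; SAMPLE_PUBKEY and the /etc/ssh/keys/%u path in demo() are constructed, Match blocks in sshd_config are ignored, and ownership is not checked.

```python
import os, re, stat, tempfile
# Constructed sample id_rsa.pub line: the base64 blob is arbitrary bytes, not a real key.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDjb25zdHJ1Y3RlZA== mar@mar-arch"
def pubkey_blob(line):
    """(keytype, base64) of a key line, skipping any leading authorized_keys options."""
    parts = line.split()
    for i, p in enumerate(parts[:-1]):
        if p.startswith(("ssh-", "ecdsa-")):
            return p, parts[i + 1]
    return None
def sshd_pubkey_settings(config_text):
    """Effective keywords from an sshd_config; Match blocks are ignored (assumption)."""
    cfg = {"pubkeyauthentication": "yes", "strictmodes": "yes", "authorizedkeysfile": ".ssh/authorized_keys"}
    for raw in reversed(config_text.splitlines()):  # reversed: the FIRST occurrence wins, as in sshd_config(5)
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in cfg:
            cfg[parts[0].lower()] = parts[1]
    return cfg
def diagnose(config_text, home, user_pubkey):
    """Reasons sshd would reject user_pubkey for the account whose home directory is `home`."""
    cfg, problems, found = sshd_pubkey_settings(config_text), [], False
    if cfg["pubkeyauthentication"].lower() != "yes":
        problems.append("PubkeyAuthentication is not 'yes'")
    wanted = pubkey_blob(user_pubkey)
    for token in cfg["authorizedkeysfile"].split():  # %h = home dir, %u = user name; relative to home
        path = token.replace("%h", home).replace("%u", os.path.basename(home))
        path = path if os.path.isabs(path) else os.path.join(home, path)
        if not os.path.isfile(path):
            problems.append(f"{path}: not found")
            continue
        if cfg["strictmodes"].lower() == "yes":  # sshd ignores the file if home, ~/.ssh or the file is writable by others
            for p in (home, os.path.dirname(path), path):
                if stat.S_IMODE(os.stat(p).st_mode) & 0o022:
                    problems.append(f"{p}: group/world writable, ignored under StrictModes")
        with open(path) as fh:
            found |= any(pubkey_blob(l) == wanted for l in fh if l.strip() and not l.lstrip().startswith("#"))
    if not found:
        problems.append("key not present in any AuthorizedKeysFile")
    return problems
def demo():
    """Thread scenario in a temp dir: key in ~/.ssh/authorized_keys but sshd reading elsewhere, then the fix."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, ".ssh"), 0o700)
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
        fh.write(SAMPLE_PUBKEY + "\n")
    os.chmod(os.path.join(home, ".ssh", "authorized_keys"), 0o600)
    broken = "PubkeyAuthentication yes\nAuthorizedKeysFile /etc/ssh/keys/%u\n"  # constructed misconfiguration
    fixed = "PubkeyAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\n"
    return diagnose(broken, home, SAMPLE_PUBKEY), diagnose(fixed, home, SAMPLE_PUBKEY)
```

On a real server, call diagnose(open("/etc/ssh/sshd_config").read(), os.path.expanduser("~"), open("id_rsa.pub").read()) as the user being logged in to; an empty list means sshd has no reason in this set to reject the key.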