#1 2016-07-28 21:43:04

hollyfu
Member
Registered: 2016-07-28
Posts: 3

SSH only allows key authentication

Hello,

I am trying to set up an ssh connection so I can access my Arch Linux server from my Arch Linux client.

When I ssh into the server, I am able to establish a connection. However, the only authentication method allowed seems to be publickey. Although I would like to use ssh keys, I am unable to actually ssh using them because, even though I have added the public key to .ssh/authorized_keys, it still says "Permission denied (publickey)".

user@client:~/.ssh $ ssh -v user@serverip
OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to serverip port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
debug1: match: OpenSSH_6.2p2 Ubuntu-6ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to serverip:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:lE469hzcDugE5n2xeU+0zCAGVkfQx2KjejyGo+9zN6E
debug1: Host 'serverip' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:2
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Offering RSA public key: /home/user/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

I have spent the last 6 hours reading how to add ssh keys and following every step possible to no avail. I've checked permissions, generated keys, added them to ~/.ssh/authorized_keys.

My sshd_config file is defaultly generated, and the only lines not commented out are these:

AuthorizedKeysFile	.ssh/authorized_keys
ChallengeResponseAuthentication yes
UsePAM yes
PrintMotd no # pam does that
Subsystem	sftp	/usr/lib/ssh/sftp-server

Is there any way I can force ssh authentication to allow the user's password, or is there anything else I am doing incorrectly that would allow me to use ssh keys? My sshd_config file makes it seem as though password authentication is allowed, but I cannot figure out how to allow it.

Thanks so much for your help!

Offline
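
Added example, not part of the original post: a small Python parser that pulls the diagnostic facts out of `ssh -v` output like the log above (the remote sshd banner, the methods the server advertises, the keys offered). The `expected_prefix` value is an assumption, namely that the Arch server runs the same OpenSSH 7.2 release as the client; the log above reports the remote end as OpenSSH_6.2p2 Ubuntu-6ubuntu0.1.

```python
import re

# Constructed sample: a shortened copy of the `ssh -v` lines quoted in the post.
SAMPLE_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
debug1: Authenticating to serverip:22 as 'user'
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

PATTERNS = {
    "banner": re.compile(r"remote software version (.+)$"),
    "methods": re.compile(r"Authentications that can continue: (.+)$"),
    "offered": re.compile(r"Offering (?:\S+ )?public key: (\S+)"),
    # Printed by the OpenSSH client when the server accepts a key; absent above.
    "accepted": re.compile(r"Server accepts key: (.+)$"),
}

def triage(log):
    """Collect what the server advertised and what the client offered."""
    info = {"banner": None, "methods": set(), "offered": [], "accepted": []}
    for line in log.splitlines():
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if name == "banner":
                info["banner"] = m.group(1).strip()
            elif name == "methods":
                info["methods"].update(m.group(1).split(","))
            else:
                info[name].append(m.group(1))
    return info

def findings(info, expected_prefix):
    """Turn the parsed facts into checks; expected_prefix is the caller's assumption."""
    out = []
    if info["banner"] and not info["banner"].startswith(expected_prefix):
        out.append("banner-mismatch")      # the sshd answering is not the one expected
    if not info["methods"] & {"password", "keyboard-interactive"}:
        out.append("no-password-method")   # that sshd does not offer passwords
    if info["offered"] and not info["accepted"]:
        out.append("no-key-accepted")      # no offered key was accepted
    return out

if __name__ == "__main__":
    print(findings(triage(SAMPLE_LOG), expected_prefix="OpenSSH_7.2"))
```

A banner mismatch means the configuration and authorized_keys being edited may not belong to the sshd that answered the connection.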

#2 2016-07-28 21:47:18

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: SSH only allows key authentication

The default sshd_config allows passwords.  Have you modified it?  Adding a key is trivial, you simply add it to ~/.ssh/authorized_keys on the server to which you wish to connect... it = the public version of the key.  Recommend you use the package default config and try that.



Offline

#3 2016-07-28 21:58:44

hollyfu
Member
Registered: 2016-07-28
Posts: 3

Re: SSH only allows key authentication

I am using the default sshd_config. That's why I am confused as to why it's not allowing passwords. Also, since adding the keys did not work, might there be something greater at play? I have done this before, and have never experienced a problem like this.

Here is the sshd_config that was generated, just in case there is something weird with it:

#	$OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

I have not changed it at all

Offline

#4 2016-07-28 22:00:03

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: SSH only allows key authentication

Please describe, in detail, how you attempted to set up key based auth.


Moving to NC...



Offline

#5 2016-07-28 22:14:42

hollyfu
Member
Registered: 2016-07-28
Posts: 3

Re: SSH only allows key authentication

On the client, I generated a key using the command 'ssh-keygen' and it generated the private key /home/user/.ssh/id_rsa and the public key /home/user/.ssh/id_rsa.pub

I then emailed myself the content of the public key ('cat /home/user/.ssh/id_rsa.pub') and then received the email on my server computer. I pasted the contents of that file to /home/user/.ssh/authorized_keys of the server computer. I then restarted the sshd service ('systemctl restart sshd.service'). I also checked my permissions of /home/user/.ssh and they seem to be correct.

user@server:~/.ssh $ ls -lah
total 24K
drwx------  2 user user 4.0K Jul 28 16:19 .
drwxr-x--x 36 user user 4.0K Jul 28 16:20 ..
-rw-r--r--  1 user user 2.4K Jul 28 16:19 authorized_keys
-rw-------  1 user user 3.3K Jul 27 22:49 id_rsa
-rw-------  1 user user  744 Jul 27 22:49 id_rsa.pub
-rw-r--r--  1 user user  361 Jul 28 16:16 known_hosts

Yet this does not seem to work as I still get the error message about the publickey authentication method not working. I also generated different key types (I tried rsa, dsa, and ecdsa) using the same method and they didn't work either.

Offline

#6 2016-07-28 23:03:47

calmlychilled
Member
From: England
Registered: 2016-06-25
Posts: 2

Re: SSH only allows key authentication

#PubkeyAuthentication yes

#PasswordAuthentication yes

It looks to me like you have both Keys and Passwords disabled.
Remove the hash (#) from one or the other line depending on what you want

HTH

Offline

#7 2016-07-28 23:07:23

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: SSH only allows key authentication

hollyfu wrote:

I pasted the contents of that file to /home/user/.ssh/authorized_keys of the server computer. I then restarted the sshd service ('systemctl restart sshd.service'). I also checked my permissions of /home/user/.ssh and they seem to be correct.

Make sure when you pasted that it pasted as one line.  Any line breaks in the key will stop it working.

Also, if you get password authentication working then ssh-copy-id is a great time saver

$ pacman -Qo /usr/bin/ssh-copy-id
/usr/bin/ssh-copy-id is owned by openssh 7.2p2-2

Run it... authenticate... and it copies your key to the remote file and does everything for you (like creating dirs if needed)

Offline
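
Added example, not part of the original post: a Python check for the failure described above, where a public key pasted from an e-mail ends up split across lines in authorized_keys. It decodes each line's base64 blob and walks its length-prefixed fields, so a wrapped key is reported as truncated; the demo key is constructed filler in ssh-ed25519 layout, and option prefixes containing spaces are not handled.

```python
import base64
import binascii
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-")

def ssh_strings(blob):
    """Split a public-key blob into its length-prefixed fields; None if cut short."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            return None
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            return None
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def check_line(line):
    """Return 'ok', 'skip', or the reason this line cannot match a key."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return "skip"
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
    if idx is None:
        return "no-key-type"          # e.g. the tail of a wrapped key
    b64 = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "bad-base64"
    fields = ssh_strings(blob)
    if not fields or len(fields) < 2:
        return "truncated"            # blob ends before its declared lengths
    if fields[0].decode("ascii", "replace") != tokens[idx]:
        return "type-mismatch"        # declared type differs from the blob's own
    return "ok"

def demo_lines():
    # Constructed blob in ssh-ed25519 layout; the 32 key bytes are filler, not a real key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes(range(32)))
    b64 = base64.b64encode(blob).decode()
    good = f"ssh-ed25519 {b64} user@client"
    wrapped = [f"ssh-ed25519 {b64[:40]}", f"{b64[40:]} user@client"]  # mail-style wrap
    return good, wrapped
```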

#8 2016-07-28 23:25:55

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,532
Website

Re: SSH only allows key authentication

Calmlychilled, the defaults are commented.  They only need to be uncommented if they are to be changed.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline
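
Added example, not part of the original thread: a Python reading of the sshd_config posted earlier that separates explicit settings from the commented lines that document defaults, which is the distinction made in the post above. Treating a `#Keyword value` line as a documented default is a heuristic that relies on the convention stated in that file's own header, and the sample is a few lines copied from it.

```python
import re

# Constructed sample: a few lines copied from the sshd_config posted in this thread.
SAMPLE = """\
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PubkeyAuthentication yes
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PrintMotd no # pam does that
#Match User anoncvs
#	X11Forwarding no
"""

COMMENTED = re.compile(r"^#([A-Za-z]+)[ \t]+(\S.*)$")  # "#Keyword value"
ACTIVE = re.compile(r"^([A-Za-z]+)[ \t]+(\S.*)$")      # "Keyword value"

def read_config(text):
    """Return (documented_defaults, explicit_settings) for the global section."""
    defaults, explicit = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        target, m = explicit, ACTIVE.match(line)
        if m is None:
            target, m = defaults, COMMENTED.match(line)
        if m is None:
            continue                        # blank line or prose comment
        key = m.group(1).lower()            # keywords are case-insensitive
        if key == "match":
            if target is explicit:
                break                       # per-user blocks are out of scope here
            continue
        value = m.group(2).split(" #")[0].strip()   # drop a trailing comment
        target.setdefault(key, value)       # sshd uses the first value it obtains
    return defaults, explicit

def effective(text, keyword):
    """Return (value, origin) for one keyword."""
    defaults, explicit = read_config(text)
    key = keyword.lower()
    if key in explicit:
        return explicit[key], "set explicitly"
    if key in defaults:
        return defaults[key], "commented default"
    return None, "not mentioned"

if __name__ == "__main__":
    for name in ("PasswordAuthentication", "ChallengeResponseAuthentication"):
        print(name, effective(SAMPLE, name))
```

On the server itself, `sshd -T` prints the configuration the daemon actually resolves, which is the authoritative answer.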

#9 2016-07-29 10:16:35

calmlychilled
Member
From: England
Registered: 2016-06-25
Posts: 2

Re: SSH only allows key authentication

Trilby wrote:

Calmlychilled, the defaults are commented.  They only need to be uncommented if they are to be changed.

Ah, right, haven't come across that before.

Cheers for that :-)

Offline

#10 2016-07-29 11:12:10

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: SSH only allows key authentication

Been like that for as long as I can remember... Is your problem solved?



Offline
