
#1 2016-10-20 20:26:18

smithinger44
Member
Registered: 2016-01-01
Posts: 45

[SOLVED]SSH key authorisation - Permission denied (publickey)

I've spent the last 4-5 hours on it, which is way too much for such a small thing.

What I've done:
installed open-ssh
enabled and started either sshd.service or sshd.socket (both give same results)
ssh-keygen -b 2048 on all users
ssh-copy-id 127.0.0.1 on all users (this one populates authorized_keys for every user separately)
cat /home/user/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys on root, for every user
cp /home/user/.ssh/id_rsa.pub ~/.ssh/user.pub on root, for every user

All above done on local machine
Trying to ssh locally results in "Permission denied (publickey)"
Trying to ssh from a remote machine through putty and private key converted with puttygen results in "No supported authentication methods available (server sent: publickey)"

sshd_config content: http://pastebin.com/b79Z7ndP

Where do I go from here?

Last edited by smithinger44 (2016-10-23 19:31:58)

Offline

#2 2016-10-20 22:57:48

basica
Member
From: Australia
Registered: 2012-10-31
Posts: 217

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

So I'm guessing you're sshing from a windows machine since you're using putty? I'm not sure if there's an ability to use a verbose mode so you can see the errors you're getting but the first thing that comes to mind is checking the permissions of the .ssh folder on the server, as well as the authorized_keys file. If they're too lax, it won't allow you to connect.

Offline

#3 2016-10-21 19:20:59

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

Oh. Right. That's what I've also tried
chmod 700 -R /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys

How can I view "the errors" when connecting from arch linux?

Ok. Here is my debug when trying to ssh locally:

http://pastebin.com/3SwNmV5w

When trying to ssh in locally with root account, after "Offering RSA public key: /home/user/.ssh/id_rsa" it asks for password to the key and logs in successfully.

Last edited by smithinger44 (2016-10-21 19:38:39)

Offline

#4 2016-10-21 19:34:41

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

man 1 ssh wrote:

     -v      Verbose mode.  Causes ssh to print debugging messages about its
             progress.  This is helpful in debugging connection, authentica‐
             tion, and configuration problems.  Multiple -v options increase
             the verbosity.  The maximum is 3.

man 8 sshd wrote:

     -d      Debug mode.  The server sends verbose debug output to standard
             error, and does not put itself in the background.  The server
             also will not fork and will only process one connection.  This
             option is only intended for debugging for the server.  Multiple
             -d options increase the debugging level.  Maximum is 3.

Offline

#5 2016-10-21 20:07:53

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

Can you please quickly guide me what commands should I do after
ssh-keygen
to make it all work and at least for it to be possible to connect locally.

How should I copy generated .pub to where it should be stored?

Offline

#6 2016-10-21 20:27:30

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

Can you please quickly guide me what commands should I do after
ssh-keygen
to make it all work and at least for it to be possible to connect locally.

How should I copy generated .pub to where it should be stored?

server1$ ssh-keygen
server1$ ssh-copy-id server2
<enter credentials>

This will take care of copying the .pub file to the remote server's authorized_keys file, and it's part of the openssh package

Offline

#7 2016-10-21 20:41:04

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

But I'm doing it all locally.
Do I have to be logged in on the user I will later want to SSH to, when executing those commands, or can I be on whatever user I want?

Offline

#8 2016-10-21 21:38:48

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

But I'm doing it all locally.

Please explain exactly what you mean by this? sshd is running on your machine and you want to ssh to it from the same box?


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#9 2016-10-21 21:52:32

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

Given the original post I'd ensure that authorized_keys isn't owned by UID0 but by the actual user.

Offline

#10 2016-10-21 22:23:38

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

I'm generating the keys on my remote machine.

Offline

#11 2016-10-21 23:09:25

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

I'm generating the keys on my remote machine.

It sounds like you've got things backwards.
You generate the key on the box you want to ssh from.  You put the public key that was generated locally by ssh-keygen into ~/.ssh/authorized_keys on the box you want to ssh to.

Offline

#12 2016-10-21 23:27:41

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

seth wrote:

Given the original post I'd ensure that authorized_keys isn't owned by UID0 but by the actual user.

+1

SSH is very picky about permissions for good reasons (suppose your /home was world readable and your authorized_keys world writable, any other user could authorize themselves). Basically all stuff in ~/.ssh must be read/write by the user only, not others.

Something like this?

chown user:user /home/user/ /home/user/.ssh/ /home/user/.ssh/*
chmod 700 /home/user/.ssh/
chmod 600 /home/user/.ssh/*

If unsure, remove/rename the entire .ssh dir and then have it re-created by ssh-copy-id (by temporarily allowing password logins).

From the sshd manpage:

~/.ssh/authorized_keys
             Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used
             for logging in as this user.  The format of this file is
             described above.  The content of the file is not highly sensi‐
             tive, but the recommended permissions are read/write for the
             user, and not accessible by others.

             If this file, the ~/.ssh directory, or the user's home directory
             are writable by other users, then the file could be modified or
             replaced by unauthorized users.  In this case, sshd will not
             allow it to be used unless the StrictModes option has been set to
             “no”.

So you must even chmod 755 / 750 / 700 the homedir itself, in case it was world writable for some reason.

If correct it should look somewhat like this:

$ ls -ld /home/user/ /home/user/.ssh/ /home/user/.ssh/authorized_keys
drwx------ 15 user user 4096 Oct 20 17:27 /home/user/
drwx------  2 user user 4096 Oct 18 14:10 /home/user/.ssh/
-rw-------  1 user user 1234 Oct 18 14:31 /home/user/.ssh/authorized_keys

Last edited by frostschutz (2016-10-21 23:32:07)

Offline
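
Added example, not part of frostschutz's post: a POSIX shell function that applies the ownership and write-bit conditions from post #12 to the home directory, ~/.ssh and authorized_keys. The function names are made up for this example, it assumes GNU stat, and it follows the thread's advice in requiring the account's own uid as owner.

```sh
#!/bin/sh
# Added example (hypothetical helper names). Requires GNU coreutils stat.

# check_path TARGET UID
# Prints a finding and returns 1 if TARGET is missing, is not owned by UID,
# or has the group- or other-write bit set (mode & 022).
check_path() {
    target=$1
    want_uid=$2
    rc=0
    if [ ! -e "$target" ]; then
        echo "MISSING  $target"
        return 1
    fi
    owner=$(stat -c '%u' "$target")   # numeric owner
    mode=$(stat -c '%a' "$target")    # octal mode, e.g. 700
    if [ "$owner" != "$want_uid" ]; then
        echo "OWNER    $target: uid $owner, expected $want_uid"
        rc=1
    fi
    # The leading 0 makes the shell read the mode as an octal constant.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $target: mode $mode lets group or others write"
        rc=1
    fi
    return $rc
}

# audit_ssh_paths HOME UID
# Checks the three paths named in the man page excerpt.
# Returns 0 only if all of them pass.
audit_ssh_paths() {
    home=$1
    uid=$2
    failed=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || failed=1
    done
    return $failed
}

# Example call for the account "user" from the thread:
#   audit_ssh_paths /home/user "$(id -u user)"
```

A group-writable home directory (mode 770 or 775) is reported as WRITABLE, which is the case the man page excerpt says sshd refuses unless StrictModes is set to "no".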

#13 2016-10-22 00:00:10

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

I'm 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it's the place I store my data.

So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy the public key to authorized_keys in /home/user/.ssh?
It makes no sense at all for me.

Last edited by smithinger44 (2016-10-22 09:30:42)

Offline

#14 2016-10-22 00:03:01

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

You copy it to the .authorized_keys file of the user you will log in as, not root's.



Offline

#15 2016-10-22 00:24:59

basica
Member
From: Australia
Registered: 2012-10-31
Posts: 217

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

I'm 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it's the place I store my data.

So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy it to authorized_keys in /root/.ssh?
It makes no sense at all for me.


ls -la will cast away all doubt on whether your permissions are correct.

To clarify further what others have said, yes, you create a key pair on the local pc and copy the public key of the key pair to the remote pc authorized_keys file with the right permissions. The .ssh folder and authorized_keys file need to be in the home directory of the user you're trying to log in as, and they need to be owned by that user as well.

Offline

#16 2016-10-22 04:05:40

onslow77
Member
Registered: 2014-09-21
Posts: 279

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

I'm 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it's the place I store my data.

So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy it to authorized_keys in /root/.ssh?
It makes no sense at all for me.

Hello!

First of all, that is neither what "oliver" wrote nor meant!

@smithinger44, judging from your posts in this thread it is obvious that you do not understand the basic concept of how Secure Shell (SSH) works. Therefore I advise you to read the following:
- Arch SSH Wiki Page
- https://en.wikipedia.org/wiki/Public-key_cryptography
- https://en.wikipedia.org/wiki/Challenge … entication
- Arch SSH Keys Wiki Page

That way you will learn what "SSH" is, how to configure and use it, and for what purpose "SSH" is used.

Regards
Martin

Last edited by onslow77 (2016-10-22 08:37:26)


It is advised to follow the How to post guide when posting on the Arch forum. If one consciously jumps over these elementary steps like reading the wiki and providing necessary information about the problem, one can be regarded as a Help Vampire.

Offline

#17 2016-10-22 09:37:53

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

I've been using SSH for a few years now, but only now I have to give access to SFTP to a person that is not too computer literate.
That's why I've chosen to config a password-less connection, so he can access his data just by opening the client.

SSH keys documentation goes straight to generating and "copying" the keys assuming that the machine you are using is a client, whilst there is no mention on how it should be done (where the keys should be generated, how exactly should they be stored).
If I want to only SSH to this machine, can I just copy my .pub to the authorized_keys and delete the file, or does it also have to be stored in .ssh? There is no mention of it. Instead it says that my private key should be there, whilst I know that it should only reside on the client.

I'll try generating a key on my client and cp it to my server.

onslow77 wrote:
smithinger44 wrote:

I'm 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it's the place I store my data.

So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy it to authorized_keys in /root/.ssh?
It makes no sense at all for me.

And sorry for that, by root I meant the current user I'm configuring.

EDIT:
I've generated the keys, copied the public ones over from my PC to authorized_keys file in this format: ssh-rsa MY_KEY=

But still, attempting to connect with putty results in "Server refused our key".

Last edited by smithinger44 (2016-10-22 10:00:14)

Offline

#18 2016-10-22 10:05:14

basica
Member
From: Australia
Registered: 2012-10-31
Posts: 217

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

I've been using SSH for a few years now, but only now I have to give access to SFTP to a person that is not too computer literate.
That's why I've chosen to config a password-less connection, so he can access his data just by opening the client.

SSH keys documentation goes straight to generating and "copying" the keys assuming that the machine you are using is a client, whilst there is no mention on how it should be done (where the keys should be generated, how exactly should they be stored).

Having a look at the wiki, I agree that it doesn't state explicitly where to generate them. I'll start a discussion on the wiki page about it to see if we can clarify this a bit. It doesn't matter where it happens I should add, as long as the client has the private key and the server public.

Rereading it, the section Copying the public key to the remote server makes it seem clear to me that you do it locally, and then how to copy it remotely. I can see how its verbosity can make it a bit hard to parse through though.

smithinger44 wrote:

If I want to only SSH to this machine, can I just copy my .pub to the authorized_keys and delete the file, or does it also have to be stored in .ssh? There is no mention of it. Instead it says that my private key should be there, whilst I know that it should only reside on the client.

I'll try generating a key on my client and cp it to my server.

Short answer is you don't need the public key on your client machine to be able to ssh into your server. When you ssh into your server, your private key gets matched against the public key(s) in the authorized_keys file. It doesn't look for the public key on your client machine as that goes totally against the public/private key pair design.

So yes, ultimately you generate the key pair locally, keep your private key and scp the public key into the authorized_keys file on the server. Keeping in mind of course the notes about permissions earlier.

EDIT:

smithinger44 wrote:

I've generated the keys, copied the public ones over from my PC to authorized_keys file in this format: ssh-rsa MY_KEY=

Just saw your edit here, the authorized_keys file shouldn't look like that. It should look something like "ssh-rsa really-long-string-here". Not sure where you got the MY_KEY= part from..

Last edited by basica (2016-10-22 10:16:13)

Offline

#19 2016-10-22 10:23:38

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

"really-long-string-here" = "MY_KEY" with "=" at the end

I've noticed an error reported by systemd that says something like:
"Wrong permissions at /home/user"

Does it mean that I have to have 700 on my home directory for it to work?
That's not what I'd expect at all. Can you bypass it, so this requirement only applies to .ssh?

EDIT:
Changing permissions for home directory hasn't changed a thing.

EDIT2:
Does ChallengeResponseAuthentication have to be set to YES?
I just changed it to yes, but the key is still refused.

Last edited by smithinger44 (2016-10-22 10:36:02)

Offline

#20 2016-10-22 11:25:35

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

I've noticed an error reported by systemd that says something like:
"Wrong permissions at /home/user"

https://bbs.archlinux.org/viewtopic.php?id=57855

Also running the server in debug mode and the client with verbose logging should provide you with more information as to why the login fails.

Offline

#21 2016-10-22 12:09:32

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

I don't know how to get logs out of the daemon, but journalctl -xe shows nothing.

Trying to ssh with -E prints out only: Permission denied (publickey,password).

I think I've fixed my permissions tho:
chmod 700 -R /home/user
chown user:users -R /home/user
chmod 600 /home/user/.ssh/authorized_keys

But Permission denied (publickey) is still present and won't let me log in.

Edit:

After asking for the password to the private key, debug3 reports:
Send packet: type 50
Receive packet: type 51

And drops this authentication method, by checking for other private keys.

[SOLVED]
Logged in using root user, with password authentication using WinSCP.
Fixed all the permissions to:
     -chmod 700 -R /home/user
     -chmod 600 -R /home/user/.ssh
     -chmod 700 /home/user/.ssh
Fixed all the ownership to:
     -chown user:user -R /home/user

Generated key pair using puttygen

!IMPORTANT! !MY FIX!
Copied contents of "Public key for pasting into openSSH authorized_keys file:" window in puttygen straight to /home/user/.ssh/authorized_keys

!FOR TESTING!
In puttygen press Conversions -> Export OpenSSH key
Put the generated file in /home/user/.ssh/
Rename the file to id_rsa
Change the file's permissions to 600
Change the file's ownership to user:user
On your server either:
     Login as the user you want to test and type in: ssh IP.ADDRESS.OF.SERVER -p SSH.PORT
     Or login as root and type in: ssh IP.ADDRESS.OF.SERVER -p SSH.PORT -l USER -i /home/user/.ssh/id_rsa

If it successfully logs in, you are done. Just remember to delete id_rsa from your server, because it shouldn't be there.

Last edited by smithinger44 (2016-10-22 13:08:19)

Offline

#22 2016-10-22 13:01:48

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:

I don't know how to get logs out of the daemon, but journalctl -xe shows nothing.

Trying to ssh with -E prints out only: Permission denied (publickey,password).

I think I've fixed my permissions tho:
chmod 700 -R /home/user
chown user:users -R /home/user
chmod 600 /home/user/.ssh/authorized_keys

But Permission denied (publickey) is still present and won't let me log in.

Edit:

After asking for the password to the private key, debug3 reports:
Send packet: type 50
Receive packet: type 51

And drops this authentication method, by checking for other private keys.

When you copied the public key, make sure it copied as one line.  Multiple lines will cause it to fail.

The easiest way IMO is:

$ wc -l ~/.ssh/authorized_keys

The first column is the line count and should be equal to the number of keys you've copied (I assume it should be 1)

Offline
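
Added example, not part of oliver's post: wc -l confirms how many lines the file has, while this POSIX shell and awk check looks at whether each line has the one-line shape "key-type base64-blob [comment]". It also flags the multi-line RFC 4716 format that PuTTYgen's "Save public key" button writes; the function names and the sample keys are constructed for this example.

```sh
#!/bin/sh
# Added example (hypothetical helper names); the key material below is
# constructed filler, not a real key.

# check_authorized_keys FILE
# Prints one finding per malformed line and returns 1 if there is any.
check_authorized_keys() {
    awk '
    # Blank lines and comments are allowed in authorized_keys.
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    # Marker lines of the multi-line SSH2 public key file format.
    /^---- (BEGIN|END) SSH2 PUBLIC KEY ----/ {
        printf "line %d: RFC 4716 block marker, not the one-line OpenSSH format\n", NR
        bad = 1; next
    }
    {
        # Options may come first, so look for the key type in any field
        # and expect the base64 blob in the field right after it.
        found = 0
        for (i = 1; i < NF; i++) {
            if ($i ~ "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$") {
                found = 1
                blob = $(i + 1)
                if (blob !~ "^AAAA[A-Za-z0-9+/]+=?=?$" || length(blob) % 4 != 0) {
                    printf "line %d: %s blob is not complete base64 (cut or wrapped?)\n", NR, $i
                    bad = 1
                }
                break
            }
        }
        if (!found) {
            printf "line %d: no key type followed by a key blob\n", NR
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# make_sample FILE
# Writes a constructed file: one well-formed line, one key wrapped over two
# lines, and one RFC 4716 marker line.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYNOTAREALKEY0 user@client
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ
C7ExampleWrappedContinuation user@client
---- BEGIN SSH2 PUBLIC KEY ----
EOF
}

# Try it:
#   make_sample /tmp/ak.sample && check_authorized_keys /tmp/ak.sample
# Real use:
#   check_authorized_keys ~/.ssh/authorized_keys
```

On a machine with OpenSSH installed, ssh-keygen -l -f ~/.ssh/authorized_keys goes further, since it parses the keys themselves and prints a fingerprint for each one it accepts.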

#23 2016-10-22 13:42:40

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

SSH agent is for the client or for the server?

I'd like to remove the need for passwords.

Offline

#24 2016-10-22 14:14:48

onslow77
Member
Registered: 2014-09-21
Posts: 279

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

smithinger44 wrote:
onslow77 wrote:
smithinger44 wrote:

I'm 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it's the place I store my data.

So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy it to authorized_keys in /root/.ssh?
It makes no sense at all for me.

No, that was what you wrote! I wrote this:

onslow77 wrote:

Hello!

First of all, that is neither what "oliver" wrote nor meant!

@smithinger44, judging from your posts in this thread it is obvious that you do not understand the basic concept of how Secure Shell (SSH) works. Therefore I advise you to read the following:
- Arch SSH Wiki Page
- https://en.wikipedia.org/wiki/Public-key_cryptography
- https://en.wikipedia.org/wiki/Challenge … entication
- Arch SSH Keys Wiki Page

That way you will learn what "SSH" is, how to configure and use it, and for what purpose "SSH" is used.

Regards
Martin

Then you wrote:

smithinger44 wrote:

SSH agent is for the client or for the server?

I'd like to remove the need for passwords.

@smithinger44 - Did you read the information under the links I sent you in my first post?

Regards
Martin

Last edited by onslow77 (2016-10-22 14:31:19)



Offline

#25 2016-10-22 14:51:09

smithinger44
Member
Registered: 2016-01-01
Posts: 45

Re: [SOLVED]SSH key authorisation - Permission denied (publickey)

Yes I did, but for some reason I can't really understand what works on the local machine and what works on the remote machine.

Offline
