• sshd - Permission denied (publickey)


    Hi there.

    I have a strange problem with sshd.

    So, I start the sshd service with systemctl start sshd.service on my machine A ( cannot figure out how to make it start on boot ).
    Here’s the weird part.

    If I ssh from another machine B in my LAN, it works fine. ( both machines have same username, same id_rsa private/pub pair )
    But, if I ssh from the machine B in my LAN, using my WAN hostname ( foo.bar.com ) and my external port ( I map 22022 to 20022 ) then I get this error:

    debug1: Offering RSA public key: /home/antouank/.ssh/id_rsa
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/antouank/.ssh/id_dsa
    debug1: Trying private key: /home/antouank/.ssh/id_ecdsa
    debug1: Trying private key: /home/antouank/.ssh/id_ed25519
    debug1: No more authentication methods to try.
    Permission denied (publickey).
    

    I get the same error when I try to ssh from my phone using the mobile cell connection.

    So it seems to block all non-LAN connections?

    I checked permissions and owner on the .ssh/ on all sides.
    Also, I have to mention that this B machine has arch as well, and I can ssh to it from anywhere. Never did anything special to set it up, just enabled sshd.

    I tried to add the “hosts.allow” to allow any IP, no difference. I’m out of ideas… :(

    This is my config:

    #    $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
    
    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options override the
    # default value.
    
    Port 20022
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    #AllowUsers antouank@*       # <---- I tried this line, but no difference.
    
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key
    
    # Ciphers and keying
    #RekeyLimit default none
    
    # Logging
    #SyslogFacility AUTH
    #LogLevel VERBOSE
    
    # Authentication:
    
    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes no
    #MaxAuthTries 6
    #MaxSessions 10
    
    PubkeyAuthentication yes
    
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    #AuthorizedKeysFile    .ssh/authorized_keys
    
    #AuthorizedPrincipalsFile none
    
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    PermitEmptyPasswords no
    
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    PrintMotd no # pam does that
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS no
    #PidFile /run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none
    
    # no default banner path
    #Banner none
    
    # override default of no subsystems
    Subsystem    sftp    /usr/lib/ssh/sftp-server
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #    X11Forwarding no
    #    AllowTcpForwarding no
    #    PermitTTY no
    #    ForceCommand cvs server
    
  • @antouank said in sshd - Permission denied (publickey):

    systemctl start sshd.service

    systemctl enable sshd.service
    

    to enable service at boot.

    As you do not talk about a server configuration here?
    To get from an external network via ssh to a machine inside your local network behind your router(s) you need to set up at least a dyndns inside your router to make it visible from the internet.

    Second would be to pass the firewall on the port sshd is offering for connections…

    Also this port needs to be forwarded to the machine you want to log in to via ssh inside your local network…

    " both machines have same username, same id_rsa private/pub pair"
    What do you need this for???

    You can just use the username from remote machine to login:

    ssh [email protected]
    

    But maybe I simply misunderstand what you want to do?
    So I will also leave you the wiki: https://wiki.archlinux.org/index.php/Secure_Shell

    [updates once a week] = [90% less problems]
    [Li{u}n//u//{i}x] since 1988 - overcoming failure means success
    http://kamprad.net/howto-installing-antergos/
    https://forum.antergos.com/topic/1883/how-to-include-system-logs-when-asking-for-help

  • @joekamprad
    systemctl enable sshd.service
    done that. It doesn’t start on boot.

    To get from external network via ssh to a machine inside your local network behind your router/s you need to setup the lessest a dyndns inside your router to make him visible from internet.

    Done that. I have a dyndns hostname that resolves to my external IP.
    And I have my router forwarding a port to the one sshd listens to ( I changed it from 22 ).

    Like I said, I don’t get an error for not finding the port or the sshd, I get a “publickey denied” error. Which I cannot understand how to solve.

    What I want to do is simply to be able to ssh on my main PC from anywhere else. I’ll be going on holidays for a few weeks, so I want access.

  • PubkeyAuthentication yes

    So you have generated (ssh-keygen) a client-side public/private RSA key pair?
    Copy it from the client to the server side:

    ssh-copy-id -i .ssh/key_rsa.pub [email protected]
    

    check with:

    ssh -i .ssh/key_rsa [email protected]
    


  • @joekamprad I have a pair of private/public keys that I always use on my machines. What I do is manually copy them in .ssh/ whenever I install linux on a new system.
    And then on a remote machine, I just add the public key into the authorized_keys file.
    It always works fine.

    What does this command do?
    I don’t have a .ssh/key_rsa.pub file anywhere.

    If you want to use public key auth you need a public key… (key_rsa.pub or id_rsa.pub in your case… I last did this 7 years ago ;) )

    and you can see from your debug1: log:

    Permission denied (publickey).
    

    In Arch it goes like this then: copy the pubkey to the server:

    ssh-copy-id -i .ssh/id_rsa.pub [email protected]
    

    Check the pubkey login from client to server:

    ssh -i .ssh/id_rsa [email protected]
    

    [-i identity_file] from the ssh command options: http://linuxcommand.org
    EDIT: the commands were the other way round before (pub-key / sec-key)


  • @joekamprad Yes, I do have an id_rsa.pub.
    I’m still confused though on what you suggest.

    on machine A, I have two files.
    ~/.ssh/id_rsa
    ~/.ssh/id_rsa.pub
    obviously, private/public key pair.

    on machine X ( any other machine I want to use to log into A ) I also need the private key in that machine, so I need ~/.ssh/id_rsa to be inside X. Correct?

    Those commands you gave, what do they do?

    I run the last one, from both inside machine A and X, and I get again Permission denied (publickey).
    The server IP and port I use, on both tries, is the one of machine A.

  • Regarding starting on boot, I’ve done the ‘enable’ part, but still it won’t start.

    Does this help?

    ❯ systemctl status sshd.service
    ● sshd.service - OpenSSH Daemon
       Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
       Active: inactive (dead)
    

    seems enabled, but “dead”

    ❯ systemctl list-unit-files | grep sshd
    
    sshd.service                                enabled  
    sshd@.service                               static   
    sshdgenkeys.service                         static   
    sshd.socket                                 enabled  
    
    If you cannot reach the server because sshd is not running you will get a "host not reachable" error.
    And you have enabled socket + service?
    that should be one of your problems…

    disable sshd.socket or sshd.service and restart system.

    On the other hand:
    The error you get is: Permission denied (publickey).
    The Server (A) needs your publickey to auth your identity.

    This command is to copy client publickey to Server (A):

    ssh-copy-id -i .ssh/id_rsa.pub [email protected]
    

    This command then, from the client to the Server (A):

    ssh -i .ssh/id_rsa [email protected]
    

    uses the client's secret key to get authenticated by the public key part of the client key you copied to the Server (A) before.


  • @joekamprad said in sshd - Permission denied (publickey):

    If you can not reach the server because sshd is not running you will get a "host not reachable " error.
    And you have enabled socket + service?
    that should be your problem…

    disable sshd.socket or sshd.service and restart system.

    To be clear, all I posted above, I tried after manually starting the sshd service. So it was working when I made the attempts.

    I’ll disable the sshd.socket service and try again.
    There are two problems:

    1. sshd doesn’t start on boot
    2. I cannot connect from outside my LAN ( I get the pubkey denied error ).

    This should help with 1 or 2?

  • @joekamprad this solved both!
    Thanks.

    Out of curiosity, why did this socket service cause those issues?

  • Add:

    The client id_rsa.pub should be copied to the user's .ssh/ on the Server (A), for the user you use to log in to Server (A)!


  • @joekamprad said in sshd - Permission denied (publickey):

    Add:

    The client id_rsa.pub should be copied to the user's .ssh/ on the Server (A), for the user you use to log in to Server (A)!

    Yeah, that’s done already.
    Thanks for the help.

  • @antouank said in sshd - Permission denied (publickey):

    Out of curiosity, why did this socket service cause those issues?

    They do not work together… because sshd.socket invokes sshd.service “on call”.

    sshd.service, which will keep the SSH daemon permanently active.
    sshd.socket, which spawns on-demand instances of the SSH daemon per connection. Using it implies that systemd listens on the SSH socket and will only start the daemon process for an incoming connection.

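    As an added example (not from the thread), a small POSIX shell check that parses the `systemctl list-unit-files` listing posted earlier and flags the enabled sshd.service + sshd.socket combination; the sample text is constructed from that listing, and the function names are my own.

```bash
#!/bin/sh
# Constructed sample: the `systemctl list-unit-files | grep sshd` output posted in the thread.
SAMPLE_UNITS='sshd.service                                enabled
sshd@.service                               static
sshdgenkeys.service                         static
sshd.socket                                 enabled'

# unit_state NAME TEXT -> prints the STATE column for an exactly matching unit name,
# or "absent" when the unit is not in the listing (so sshd@.service never matches sshd.service).
unit_state() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $1 == u { print $2; found = 1 }
        END { if (!found) print "absent" }'
}

# sshd_activation_conflict TEXT -> prints a verdict; returns 1 when both units are enabled.
# Both enabled means two units compete for the same listener: the permanently running
# daemon from sshd.service and the socket-activated instances spawned by sshd.socket.
# With socket activation, systemd owns the listening socket (the socket unit's ListenStream),
# so the Port set in sshd_config does not apply to socket-activated connections.
sshd_activation_conflict() {
    svc=$(unit_state sshd.service "$1")
    sock=$(unit_state sshd.socket "$1")
    if [ "$svc" = enabled ] && [ "$sock" = enabled ]; then
        echo "conflict: sshd.service and sshd.socket are both enabled; disable one of them"
        return 1
    fi
    echo "ok: sshd.service=$svc sshd.socket=$sock"
    return 0
}

# Against the live system: sshd_activation_conflict "$(systemctl list-unit-files 'sshd*')"
sshd_activation_conflict "$SAMPLE_UNITS" || :
```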

    Thanks to you for letting me relearn this sshd stuff ;)


  • @joekamprad oh, I see.
    Good to know! Thank you.
