SSH: Permission denied (publickey)

[WilliamMiller54]

I also don't think ssh keys are portable. When you reloaded your system the system generated new server keys. I can't say for sure though, and don't feel like looking it up. I'm lazy today.

Anyway, make sure your $HOME is chmod 700, and are you using a DSA key or an RSA key? DSA goes to authorized_keys2. I use DSA.

You need to delete your whole .ssh directory and start over. The private key needs to never leave the system it was generated on or it is considered compromised. The public key crosses the net, the private one is protected.

This isn't strictly required but IMO your .ssh directory should be chmod 700 too. Nobody else has any business poking around in there.

Thank you 1Clue, This is my "do-over" actually. I removed and recreated all the keys.

[WilliamMiller54]

They are portable, but you need to be using the correct key.

CharlesA,
How do you add the Public key to the Authorized_Keys file? Maybe I am doing that wrong?

[1clue]

My second post on this thread shows the commands I use to authorize and test.

[sh4d0w808]

On the server:

cat yourpubkey.file >> ~/.ssh/authorized_keys

This will append your public key file to authorized_keys.

[CharlesA]

Yo need to specify what private key you want to use like this:

Code:

ssh -i /path/to/privatekey -vvv xxxUName@192.xx.xx.xx

Or you could just cheat and create a config file in .ssh/
http://nerderati.com/2011/03/simplif...h-config-file/

[WilliamMiller54]

On the server:

cat yourpubkey.file >> ~/.ssh/authorized_keys

This will append your public key file to authorized_keys.

sh4d0w808, I am pretty sure that my Server \ Destination host has the public key in it already. I will double check when I get home to access

Yo need to specify what private key you want to use like this:

Code:

ssh -i /path/to/privatekey -vvv xxxUName@192.xx.xx.xx

Or you could just cheat and create a config file in .ssh/
http://nerderati.com/2011/03/simplif...h-config-file/

CharlesA, Thank you. Right now I can not ssh to the server specifically referencing the server using the -i param. I will test again once I get home.

Can you confirm my understanding

• On the client side, the private and public keys should be stored in the ~/.ssh/ directory
• On the client side, the public key should be stored in the ~/.ssh/authorized_key file
• On the server | Destination side, the public key should be added to the ~/.ssh/authorized_key file
• On the server | Destination side, I can copy the public key from the client to the server using [ssh-copy-id <username>@<host>]
• On the server | Destination side, I can manually copy the public key from the client to the server and use [cat yourpubkey.file >> ~/.ssh/authorized_keys ]
• On the server | Destination side, I can have multiple public keys listed in the authorized_keys file

thank you for your time and help

[CharlesA]

CharlesA, Thank you. Right now I can not ssh to the server specifically referencing the server using the -i param. I will test again once I get home.

Can you confirm my understanding

• On the client side, the private and public keys should be stored in the ~/.ssh/ directory
• On the client side, the public key should be stored in the ~/.ssh/authorized_key file
• On the server | Destination side, the public key should be added to the ~/.ssh/authorized_key file
• On the server | Destination side, I can copy the public key from the client to the server using [ssh-copy-id <username>@<host>]
• On the server | Destination side, I can manually copy the public key from the client to the server and use [cat yourpubkey.file >> ~/.ssh/authorized_keys ]
• On the server | Destination side, I can have multiple public keys listed in the authorized_keys file

thank you for your time and help

You only need the private and public keys on the client side. They can sit in ~/.ssh and the public key should not be in ~/.ssh/authorized_keys
Everything else is correct. I've used ssh-copy-id user@host if I need to add the keys to a server, but if I'm doing an install, I'll just copy the public key over and add it to authorized_keys.

[1clue]

On the server side, you only need the server key which is automatically generated and resides in /etc/ssh.
There is no need for a personal key to be generated on the server. One could call it a security risk.
On the client, the private and public keys reside in ~/.ssh
On the server the public key FROM THE CLIENT goes into ~/.ssh/authorized_keys (rsa) or ~/.ssh/authorized_keys2 (dsa)

[Lars Noodén]

All the key types can go in authorized_keys the other file, authorized_keys2, has been deprecated for a while. The upcoming 6.5 will also allow Ed25519 keys, not just RSA, DSA and ECDSA.

[WilliamMiller54]

You only need the private and public keys on the client side. They can sit in ~/.ssh and the public key should not be in ~/.ssh/authorized_keys
Everything else is correct. I've used ssh-copy-id user@host if I need to add the keys to a server, but if I'm doing an install, I'll just copy the public key over and add it to authorized_keys.

CharlesA, 1clue, Lars,
Thank you for your help. I think I am half way there.

1. I removed the authorized_keys file from the source client system
2. Both public and private keys are in the ~/.ssh folder in the source client system
3. I replaced the server ~/.ssh/authorized_keys with the Public key by coping the public key to the server, removing the existing authorized_keys file, and coping the public key to authorized_keys

• If I change the authorized_keys files "644" to "600" I can not connect. I have to keep permissions at "644"
• it takes about 30 seconds to connect, but is very quick after connected

Issues: Now I can connect via a command line, but I can not RDP into the server using Remmina I get the following errors

• IF I select "SSH Authentication: Public Key (Automatic)" i receive the following error: SSH automatic public key authentication failed: No public key matched
  
  Code:

  [SSH] libssh 0.5.2 (c) 2003-2010 Aris Adamantiadis (aris@0xbadc0de.be) Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_noop
  [SSH] Socket connection callback: 1 (0)
  [SSH] SSH server banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
  [SSH] Analyzing banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
  [SSH] We are talking to an OpenSSH client version: 5.9 (50900)
  [SSH] Error : Access denied. Authentication that can continue: publickey
  [SSH] Trying to authenticate with SSH agent keys as user: xxxUserName
  [SSH] Trying identity xxxUserName@client
  [SSH] Error : Access denied. Authentication that can continue: publickey
  [SSH] Error : No public key matched

• IF I select "SSH Authentication: Identify File > PrivateKey", I am prompted for the key password, and I receive the following error: SSH public key authentication failed: Access denied. Authentication that can continue: publickey
  
  Code:

  [SSH] libssh 0.5.2 (c) 2003-2010 Aris Adamantiadis (aris@0xbadc0de.be) Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_noop
  [SSH] Socket connection callback: 1 (0)
  [SSH] SSH server banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
  [SSH] Analyzing banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
  [SSH] We are talking to an OpenSSH client version: 5.9 (50900)
  [SSH] Trying to open /home/xxxUserName/.ssh/clientRSAKey_id3
  [SSH] Trying to read /home/xxxUserName/.ssh/clientRSAKey_id3, passphase=true, authcb=false
  [SSH] Error : Parsing private key /home/xxxUserName/.ssh/clientRSAKey_id3: error:0906A068:lib(9):func(106):reason(104)
  [SSH] Trying to open /home/xxxUserName/.ssh/clientRSAKey_id3
  [SSH] Trying to read /home/xxxUserName/.ssh/clientRSAKey_id3, passphase=true, authcb=false
  [SSH] Error : Access denied. Authentication that can continue: publickey

• IF I select "SSH Authentication: Identify File > PublicKey", SSH public key authentication failed: Public key file doesn't exist
  
  Code:

  [SSH] libssh 0.5.2 (c) 2003-2010 Aris Adamantiadis (aris@0xbadc0de.be) Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_noop
  [SSH] Socket connection callback: 1 (0)
  [SSH] SSH server banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
  [SSH] Analyzing banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
  [SSH] We are talking to an OpenSSH client version: 5.9 (50900)
  [SSH] Error : Public key file doesn't exist

Is there something wrong with my keys? Is there a configuration that I am missing.

Server Files

Code:

xxxUserName@server:~$ ls -l ~/.ssh/
total 12
-rw-r--r-- 1 root root 399 Jan 27 16:25 authorized_keys
-rw------- 1 root root 399 Jan 24 15:49 authorized_keys_Backup
-rw-r--r-- 1 root root 399 Jan 24 15:48 clientRSAKey_id3.pub

Client Files

Code:

xxxUserName@client:~/.ssh$ ls -l
total 12
-rw-r--r-- 1 xxxUserName xxxUserName  619 Jan 24 16:37 known_hosts
-rw------- 1 xxxUserName xxxUserName 1766 Jan 24 15:42 clientRSAKey_id3
-rw-r--r-- 1 xxxUserName xxxUserName  399 Jan 24 15:42 clientRSAKey_id3.pub

xxxUserName@client:~/.ssh$ ssh -v xxxUserName@192.168.123.106
OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.123.106 [192.168.123.106] port 22.
debug1: Connection established.
debug1: identity file /home/xxxUserName/.ssh/id_rsa type -1
debug1: identity file /home/xxxUserName/.ssh/id_rsa-cert type -1
debug1: identity file /home/xxxUserName/.ssh/id_dsa type -1
debug1: identity file /home/xxxUserName/.ssh/id_dsa-cert type -1
debug1: identity file /home/xxxUserName/.ssh/id_ecdsa type -1
debug1: identity file /home/xxxUserName/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ea:bf:60:43:09:b4:49:a5:a3:fd:b3:f4:06:eb:67:f4
debug1: Host '192.168.x.x' is known and matches the ECDSA host key.
debug1: Found key in /home/xxxUserName/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: xxxUserName@client
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.123.106 ([192.168.123.106]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Mon Jan 27 17:17:19 2014 from client.local

Thank you