I am having some problems logging in to one server via SSH using a key.

This is the client output:

```
ssh '[email protected]' -p 2201 -v

OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to pdwhost [107.191.34.35] port 2201.
debug1: Connection established.
debug1: identity file /home/importer/.ssh/id_rsa type -1
debug1: identity file /home/importer/.ssh/id_rsa-cert type -1
debug1: identity file /home/importer/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/importer/.ssh/id_dsa-cert type -1
debug1: identity file /home/importer/.ssh/id_ecdsa type -1
debug1: identity file /home/importer/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA cd:23:7f:17:0c:a3:97:37:71:97:ba:d0:0d:d6:7f:43
debug1: Host '[pdwhost]:2201' is known and matches the ECDSA host key.
debug1: Found key in /home/importer/.ssh/known_hosts:4
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/importer/.ssh/id_rsa
debug1: Offering DSA public key: /home/importer/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/importer/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
```

And this is the output on the server (when I start with -debug):

```
/usr/sbin/sshd -d -p 22

debug1: sshd version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: read PEM private key done: type ECDSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256
debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='22'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 144.76.186.42 port 58956
debug1: Client protocol version 2.0; client software version OpenSSH_6.0p1 Debian-4
debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug1: permanently_set_uid: 103/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user importer service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "importer"
debug1: PAM: setting PAM_RHOST to "static.42.clients.your-server.de"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user importer service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/importer/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for importer from 144.XXX port 58956 ssh2
Connection closed by 144.XXX [preauth]
debug1: do_cleanup [preauth]
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 17937
```

Not sure what is going on here, SSHD kills itself when the client tries to log in. It's a Debian 7 in an OpenVZ container (host is also Debian 7).

SSH login via password works fine, I just disabled it for the purpose of testing the key login; it always asked for a password when trying the key login (as the key didn't work).


I set the %HOME% to 700, .ssh is also set to 700, files inside to 500

I copied the key with ssh-copy-id (and did it a second time). The keys I am using are a bit older, so I did not create them just for this SSH client. I can't find any errors in the authorized_keys.

This is from the sshd_config:

```
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
```

Still get failed public key.


Btw, in the meantime I tried to access the same server from another client: ssh-keygen -t rsa, ssh-copy-id, ssh ..

and it worked, so it must be something on the client above.

  • forgot to explain, the port 2201 is rerouted to 22 via the openvz-host, so ports are correct Commented Jan 28, 2015 at 14:08
  • As much as I detest asking stupid followup questions: Can you confirm that /home/importer, /home/importer/.ssh, and /home/importer/.ssh/authorized_keys are owned by uid 1000 (importer?) and not root? Commented Jan 28, 2015 at 20:12
  • yes, ownership is correct, I also tested it from another client (Debian 7 also) and it is working from there, this means I must look at the client. Commented Jan 29, 2015 at 0:25

1 Answer

First check the basics:

  1. the contents of your .ssh/authorized_keys are correct? No extra line breaks in the public key?

  2. the file permissions are correct? sshd can be very strict about this: you should see lots of 600, or even 400 (read-only for root). Quoting your log:

     ```
     debug1: trying public key file /home/importer/.ssh/authorized_keys
     debug1: fd 4 clearing O_NONBLOCK
     debug1: restore_uid: 0/0
     Failed publickey for importer from 144.XXX port 58956 ssh2
     ```

  3. sshd can even be annoyed about other folders' permissions
  • plz see my comments in the original question Commented Jan 28, 2015 at 17:28
  • Oops, sorry :-/ Commented Jan 28, 2015 at 17:31
  • So is the key you are using modern & secure enough? How old are they? I.e. what type of encryption was used to generate the key: e.g. ssh-rsa, ecdsa-sha2-nistp256,... It should show in your 'known_hosts' Commented Jan 28, 2015 at 17:35
  • ecdsa-sha2-nistp256, can't really remember how I generated it. Commented Jan 28, 2015 at 18:13
  • Don't worry, that one should be good enough. I hope another Debian veteran can help you. I do not like the version of openSSL: "OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013" Commented Jan 28, 2015 at 18:17
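
The basic checks from the answer above (intact key lines, strict permissions on authorized_keys and its parent folders), as an added example that is not part of the original answer or of OpenSSH. It assumes the usual sshd StrictModes rule (each path owned by the user or root and not group/world writable); the function names are hypothetical and the sample key is constructed, not a real one.

```python
import base64, os

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _fields(blob):
    """Split an SSH key blob into its length-prefixed strings; None if cut short."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 + n > len(blob):
            return None
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def check_key_line(line):
    """Return None for one intact public key line, else the reason it is broken."""
    words = line.split()
    # Options may precede the key type, so locate the type field first.
    i = next((k for k, w in enumerate(words) if w in KEY_TYPES), None)
    if i is None or i + 1 >= len(words):
        return "no key type followed by key data (tail of a wrapped key?)"
    try:
        parts = _fields(base64.b64decode(words[i + 1], validate=True))
    except ValueError:
        return "key data is not valid base64"
    if not parts or parts[0].decode("ascii", "replace") != words[i]:
        return "key data truncated or not of the stated type"
    return None

def audit(home, uid):
    """Check home, .ssh and authorized_keys modes/owners, then every key line."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    for path in (home, ssh_dir, keys):
        st = os.stat(path)
        if st.st_uid not in (0, uid) or st.st_mode & 0o022:
            problems.append(f"{path}: uid {st.st_uid}, mode {st.st_mode & 0o777:o}: "
                            f"must be owned by {uid} or root, not group/world writable")
    with open(keys) as fh:
        lines = [(n, l) for n, l in enumerate(fh, 1) if l.strip() and not l.lstrip().startswith("#")]
    problems += [f"{keys}:{n}: {why}" for n, l in lines if (why := check_key_line(l))]
    return problems

def sample_key_line():
    # Constructed sample, not a real key: an ssh-ed25519 blob of 32 zero bytes.
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-ed25519", bytes(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

Run `audit("/home/importer", 1000)` as root or as the account owner on the server; an empty list means none of these basic checks failed.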
