Arch Linux
#1 2016-10-20 20:26:18
[SOLVED]SSH key authorisation — Permission denied (publickey)
I’ve spent the last 4-5 hours on it, which is way too much for such a small thing.
What I’ve done:
installed open-ssh
enabled and started either sshd.service or sshd.socket (both give same results)
ssh-keygen -b 2048 on all users
ssh-copy-id 127.0.0.1 on all users (this one populates authorized_keys for every user separately)
cat /home/user/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys on root, for every user
cp /home/user/.ssh/id_rsa.pub ~/.ssh/user.pub on root, for every user
All above done on local machine
Trying to ssh locally results in «Permission denied (publickey)»
Trying to ssh from a remote machine through putty and private key converted with puttygen results in «No supported authentication methods available (server sent: publickey)»
Where do I go from here?
Last edited by smithinger44 (2016-10-23 19:31:58)
#2 2016-10-20 22:57:48
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
So I’m guessing you’re sshing from a windows machine since you’re using putty? I’m not sure if there’s an ability to use a verbose mode so you can see the errors you’re getting but the first thing that comes to mind is checking the permissions of the .ssh folder on the server, as well as the authorized_keys file. If they’re too lax, it won’t allow you to connect.
#3 2016-10-21 19:20:59
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
Oh. Right. That’s what I’ve also tried
chmod 700 -R /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
How can I view «the errors» when connecting from arch linux?
Ok. Here is my debug when trying to ssh locally:
When trying to ssh in locally with root account, after «Offering RSA public key: /home/user/.ssh/id_rsa» it asks for password to the key and logs in successfully.
Last edited by smithinger44 (2016-10-21 19:38:39)
#4 2016-10-21 19:34:41
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
-v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.
-d Debug mode. The server sends verbose debug output to standard error, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. Multiple -d options increase the debugging level. Maximum is 3.
#5 2016-10-21 20:07:53
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
Can you please quickly guide me what commands should I do after
ssh-keygen
to make it all work and at least for it to be possible to connect locally.
How should I copy generated .pub to where it should be stored?
#6 2016-10-21 20:27:30
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
Can you please quickly guide me what commands should I do after
ssh-keygen
to make it all work and at least for it to be possible to connect locally.
How should I copy generated .pub to where it should be stored?
This will take care of copying the .pub file to the remote server’s authorized_keys file and it’s part of the openssh package
#7 2016-10-21 20:41:04
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
But I’m doing it all locally.
Do I have to be logged in on the user I will later want to SSH to, when executing those commands, or can I be on whatever user I want?
#8 2016-10-21 21:38:48
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
But I’m doing it all locally.
Please explain exactly what you mean by this? sshd is running on your machine and you want to ssh to it from the same box?
Registered Linux User #482438
#9 2016-10-21 21:52:32
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
Given the original post I’d ensure that authorized_keys isn’t owned by UID0 but by the actual user.
#10 2016-10-21 22:23:38
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’m generating the keys on my remote machine.
#11 2016-10-21 23:09:25
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’m generating the keys on my remote machine.
It sounds like you’ve got things backwards.
You generate the key on the box you want to ssh from. You put the public key that was generated locally by ssh-keygen into ~/.ssh/authorized_keys on the box you want to ssh to.
#12 2016-10-21 23:27:41
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
Given the original post I’d ensure that authorized_keys isn’t owned by UID0 but by the actual user.
SSH is very picky about permissions for good reasons (suppose your /home was world readable and your authorized_keys world writable, any other user could authorize themselves). Basically all stuff in ~/.ssh must be read/write by the user only, not others.
Something like this?
If unsure, remove/rename the entire .ssh dir and then have it re-created by ssh-copy-id (by temporarily allowing password logins).
From the sshd manpage:
~/.ssh/authorized_keys
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
If this file, the ~/.ssh directory, or the user’s home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.
So you must even chmod 755 / 750 / 700 the homedir itself, in case it was world writable for some reason.
If correct it should look somewhat like this:
Last edited by frostschutz (2016-10-21 23:32:07)
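A check along the lines of the StrictModes rule quoted in the post above, as an added example that is not part of the thread. It reports which of the home directory, ~/.ssh and authorized_keys would block key login; `strictmodes_problems` is a name chosen here, and the demo layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def strictmodes_problems(home, uid):
    """List (path, reason) pairs that would stop key login for `uid`.

    Approximates sshd's StrictModes test on the home directory, ~/.ssh and
    authorized_keys: each must be owned by the user or root and must not be
    writable by group or others.
    """
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path in (home, ssh_dir, keys):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            problems.append((path, f"owned by uid {st.st_uid}"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, f"writable by group/others ({mode:04o})"))
        # sshd reads authorized_keys with the user's privileges, so a
        # root-owned 600 file is unreadable (group access is ignored here).
        if path == keys and st.st_uid != uid and not mode & stat.S_IROTH:
            problems.append((path, "not readable by the login user"))
    return problems


if __name__ == "__main__":
    # Constructed layout: a group-writable home, as described in the thread.
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, ".ssh"), 0o700)
    keys = os.path.join(home, ".ssh", "authorized_keys")
    open(keys, "w").close()
    os.chmod(keys, 0o600)
    os.chmod(home, 0o770)
    for path, reason in strictmodes_problems(home, os.getuid()):
        print(f"{path}: {reason}")
```

A home directory at 750 or 755 passes this check, so group members can still read the data without sshd rejecting the key file.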
#13 2016-10-22 00:00:10
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’m 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it’s the place I store my data.
So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy the public key to authorized_keys in /home/user/.ssh?
It makes no sense at all for me.
Last edited by smithinger44 (2016-10-22 09:30:42)
#14 2016-10-22 00:03:01
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
You copy it to the .authorized_keys file of the user you will log in as, not root’s.
Registered Linux User #482438
#15 2016-10-22 00:24:59
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’m 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it’s the place I store my data.
So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy it to authorized_keys in /root/.ssh?
It makes no sense at all for me.
ls -la will cast away all doubt on whether your permissions are correct.
To clarify further what others have said, yes, you create a key pair on the local pc and copy the public key of the key pair to the remote pc authorized_keys file with the right permissions. The .ssh folder and authorized_keys file need to be in the home directory of the user you’re trying to log in as, and they need to be owned by that user as well.
#16 2016-10-22 04:05:40
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’m 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it’s the place I store my data.
So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy it to authorized_keys in /root/.ssh?
It makes no sense at all for me.
First of all, that is not what «oliver» neither wrote or meant!
@smithinger44, judging from your posts in this thread it is obvious that you do not understand the basic concept of how Secure Shell (SSH) works. Therefore I advise you to read the following:
— Arch SSH Wiki Page
— https://en.wikipedia.org/wiki/Public-key_cryptography
— https://en.wikipedia.org/wiki/Challenge … entication
— Arch SSH Keys Wiki Page
That way you will learn what «SSH» is, how to configure and use it, and for what purpose «SSH» is used.
Last edited by onslow77 (2016-10-22 08:37:26)
It is advised to follow the How to post guide when posting on the Arch forum. If one consciously jumps over these elementary steps like reading the wiki and providing necessary information about the problem, one can be regarded as a Help Vampire.
#17 2016-10-22 09:37:53
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’ve been using SSH for a few years now, but only now I have to give access to SFTP to a person that is not too computer literate.
That’s why I’ve chosen to config a password-less connection, so he can access his data just by opening the client.
SSH keys documentation goes straight to generating and «copying» the keys assuming that the machine you are using is a client, whilst there is no mention on how it should be done (where the keys should be generated, how exactly should they be stored).
If I want to only SSH to this machine, can I just copy my .pub to the authorized_keys and delete the file, or does it also have to be stored in .ssh? There is no mention of it. Instead it says that my private key should be there, whilst I know that it should only reside on the client.
I’ll try generating a key on my client and cp it to my server.
I’m 99% sure that I have my permissions set right, 1% is because I have to have my home read/writable by the group, because it’s the place I store my data.
So, from what oliver wrote, I suppose I should generate a private key on my PC and a public key on my arch linux device then copy it to authorized_keys in /root/.ssh?
It makes no sense at all for me.
And sorry for that, by root I meant the current user I’m configuring.
EDIT:
I’ve generated the keys, copied the public ones over from my PC to authorized_keys file in this format: ssh-rsa MY_KEY=
But still, attempting to connect with putty results in «Server refused our key».
Last edited by smithinger44 (2016-10-22 10:00:14)
#18 2016-10-22 10:05:14
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’ve been using SSH for a few years now, but only now I have to give access to SFTP to a person that is not too computer literate.
That’s why I’ve chosen to config a password-less connection, so he can access his data just by opening the client.
SSH keys documentation goes straight to generating and «copying» the keys assuming that the machine you are using is a client, whilst there is no mention on how it should be done (where the keys should be generated, how exactly should they be stored).
Having a look at the wiki, I agree that it doesn’t state explicitly where to generate them. I’ll start a discussion on the wiki page about it to see if we can clarify this a bit. It doesn’t matter where it happens I should add, as long as the client has the private key and the server public.
Rereading it, the section Copying the public key to the remote server makes it seem clear to me that you do it locally, and then how to copy it remotely. I can see how its verbosity can make it a bit hard to parse through though.
If I want to only SSH to this machine, can I just copy my .pub to the authorized_keys and delete the file, or does it also have to be stored in .ssh? There is no mention of it. Instead it says that my private key should be there, whilst I know that it should only reside on the client.
I’ll try generating a key on my client and cp it to my server.
Short answer is you don’t need the public key on your client machine to be able to ssh into your server. When you ssh into your server, your private key gets matched against the public key(s) in the authorized_keys file. It doesn’t look for the public key on your client machine as that goes totally against the public/private key pair design.
So yes, ultimately you generate the key pair locally, keep your private key and scp the public key into the authorized_keys file on the server. Keeping in mind of course the notes about permissions earlier.
I’ve generated the keys, copied the public ones over from my PC to authorized_keys file in this format: ssh-rsa MY_KEY=
Just saw your edit here, the authorized_keys file shouldn’t look like that. It should look something like «ssh-rsa really-long-string-here». Not sure where you got the MY_KEY= part from..
Last edited by basica (2016-10-22 10:16:13)
#19 2016-10-22 10:23:38
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
«really-long-string-here» = «MY_KEY» with «=» at the end
I’ve noticed an error reported by systemd that says something like:
«Wrong permissions at /home/user»
Does it mean that I have to have 700 on my home directory for it to work?
That’s not what I’d expect at all. Can you bypass it, so this requirement only applies to .ssh?
EDIT:
Changing permissions for home directory hasn’t changed a thing.
EDIT2:
Does ChallengeResponseAuthentication have to be set to YES?
I just changed it to yes, but the key is still refused.
Last edited by smithinger44 (2016-10-22 10:36:02)
#20 2016-10-22 11:25:35
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I’ve noticed an error reported by systemd that says something like:
«Wrong permissions at /home/user»
Also running the server in debug mode and the client with verbose logging should provide you with more information as to why the login fails.
#21 2016-10-22 12:09:32
Re: [SOLVED]SSH key authorisation — Permission denied (publickey)
I don’t know how to get logs out of the daemon, but journalctl -xe shows nothing.
Trying to ssh with -E prints out only: Permission denied (publickey,password).
I think I’ve fixed my permissions tho:
chmod 700 -R /home/user
chown user:users -R /home/user
chmod 600 /home/user/.ssh/authorized_keys
But Permission denied (publickey) is still present and won’t let me log in.
After asking for the password to the private key, debug3 reports:
Send packet: type 50
Receive packet: type 51
And drops this authentication method, by checking for other private keys.
[SOLVED]
Logged in using root user, with password authentication using WinSCP.
Fixed all the permissions to:
-chmod 700 -R /home/user
-chmod 600 -R /home/user/.ssh
-chmod 700 /home/user/.ssh
Fixed all the ownership to:
-chown user:user -R /home/user
Generated key pair using puttygen
!IMPORTANT! !MY FIX!
Copied contents of «Public key for pasting into openSSH authorized_keys file:» window in puttygen straight to /home/user/.ssh/authorized_keys
!FOR TESTING!
In puttygen press Conversions -> Export OpenSSH key
Put the generated file in /home/user/.ssh/
Rename the file to id_rsa
Change the file’s permissions to 600
Change the file’s ownership to user:user
On your server either:
Login as the user you want to test and type in: ssh IP.ADDRESS.OF.SERVER -p SSH.PORT
Or login as root and type in: ssh IP.ADDRESS.OF.SERVER -p SSH.PORT -l USER -i /home/user/.ssh/id_rsa
If it successfully logs in, you are done. Just remember to delete id_rsa from your server, because it shouldn’t be there.
Last edited by smithinger44 (2016-10-22 13:08:19)
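The fix in the post above depends on authorized_keys holding the one-line OpenSSH form («ssh-rsa really-long-string-here»), so here is a line checker as an added example that is not part of the thread. It flags the multi-line RFC 4716 block that PuTTYgen's "Save public key" writes, wrapped or truncated base64, and a declared key type that differs from the one encoded in the key data; `check_line`, `ssh_string` and `SAMPLES` are names chosen here, and the sample key is constructed, not a real key.

```python
import base64

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data):
    """Encode bytes as an SSH wire string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def check_line(line):
    """Return None for a plausible authorized_keys entry, else the reason."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return "RFC 4716 block, not the one-line OpenSSH format"
    fields = line.split()
    # Options may precede the key type, so locate the type field first.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return "no key type followed by base64 data"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except ValueError:
        return "key data is not valid base64 (wrapped or truncated?)"
    # The blob starts with a length-prefixed copy of the key type name.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[idx].encode():
        return "key type inside the blob differs from the declared type"
    return None


# Constructed sample: a well-formed ed25519 blob with an all-zero key body.
BLOB = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
SAMPLES = [
    f"ssh-ed25519 {BLOB} user@pc",      # valid one-line entry
    "---- BEGIN SSH2 PUBLIC KEY ----",  # first line of an RFC 4716 file
    f"ssh-ed25519 {BLOB[:-3]}",         # key cut short while pasting
    f"ssh-rsa {BLOB} user@pc",          # type edited by hand
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_line(sample) or "ok", "<-", sample[:40])
```

The checker only validates the structure of each line; it does not verify that the key matches any private key.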