
I am posting this question after an extensive Google search on how to create a public key and access a server using it. I am still unable to resolve this issue, as I am getting the error below.

    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 58: Applying options for *
    debug2: resolving "192.168.12.2" port 22
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to 192.168.12.2 [192.168.12.2] port 22.
    debug1: Connection established.
    debug1: identity file .ssh/authorized_keys type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file .ssh/authorized_keys-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
    debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 192.168.12.2:22 as 'ansible'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
    debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected],zlib
    debug2: compression stoc: none,[email protected],zlib
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
    debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected]
    debug2: compression stoc: none,[email protected]
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
    debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
    debug1: kex: curve25519-sha256 need=16 dh_need=16
    debug1: kex: curve25519-sha256 need=16 dh_need=16
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YTd6SSDMsb3Qhn8EoF/otK+TY6DSAsahYvZxFErZJnQ
    debug1: Host '192.168.12.2' is known and matches the ECDSA host key.
    debug1: Found key in /home/ansible/.ssh/known_hosts:1
    debug2: set_newkeys: mode 1
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 4294967296 blocks
    debug2: key: .ssh/authorized_keys (0x560667b2de80), explicit
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    This system is for the use of authorised users only.
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available (default cache: KEYRING:persistent:1003)
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available (default cache: KEYRING:persistent:1003)
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: .ssh/authorized_keys
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Server side - 192.168.12.2 - user: ansible

    chmod 700 .ssh/
    chmod 600 .ssh/*
    ssh-keygen
    ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
    /sbin/restorecon -r .ssh/

Client side - 192.168.12.10 - user: ansible

    chmod 700 .ssh/
    chmod 600 .ssh/*
    /sbin/restorecon -r .ssh/
    /sbin/restorecon -r .ssh
    ssh -vv -i .ssh/authorized_keys -o PasswordAuthentication=no [email protected]

In the sshd_config file, PubkeyAuthentication yes is set at both the client and the server end.

User credentials have been verified for the server when generating keys, and multiple attempts were made with and without a passphrase, but no luck.

Most of the issues found were about user ownership. I have ensured that on both sides the user's .ssh/ directory and its files are owned by the user, with 700 on the .ssh/ directory and 600 on the .ssh/ files.

restorecon was tried, but no luck.

As suggested, I have verified the audit log at the server end and found this.

    type=USER_AUTH msg=audit(1593508901.404:87844): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="ansible" exe="/usr/sbin/sshd" hostname=? addr=192.168.12.10 terminal=ssh res=failed'
    type=USER_ERR msg=audit(1593508901.408:87847): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=localhost addr=192.168.12.10 terminal=ssh res=failed'
    type=USER_LOGIN msg=audit(1593508901.409:87851): pid=26089 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="ansible" exe="/usr/sbin/sshd" hostname=? addr=192.168.12.10 terminal=ssh res=failed'

And journalctl _COMM=sshd on the server shows the following.

    Jun 30 10:21:41 localhost sshd[26089]: Connection closed by 192.168.12.10 port 47944 [preauth]

  • journalctl _COMM=sshd output for this failed login attempt could be helpful. Also, if you have SELinux enabled, please check the auditd logs at /var/log/audit. Commented Jun 30, 2020 at 9:13
  • @Artem, thanks for your response. Please find the outputs from the server (I have updated my question). Do you sense anything from the outputs? Please help if you can. Commented Jun 30, 2020 at 9:42
  • Your client and server blocks of commands are backwards. You have set up key authentication to ssh from 192.168.12.2 to 192.168.12.10, not the other way around. Commented Jun 30, 2020 at 10:35
  • I thought both ssh-keygen and ssh-copy-id must be done at the server side (192.168.12.2), and by then the client side (192.168.12.10) .ssh/authorized_keys file will be updated with the server key. Then we try to ssh to the server. Could you please explain where I am going wrong? Commented Jun 30, 2020 at 10:46
  • ssh-keygen and ssh-copy-id must be executed on the client side (192.168.12.10) and then the server side (192.168.12.2) .ssh/authorized_keys file will be updated with the client key. Then you can ssh from the client to the server. Commented Jun 30, 2020 at 11:03

1 Answer

There is some confusion here:

    ssh -vv -i .ssh/authorized_keys -o PasswordAuthentication=no [email protected]

authorized_keys is a list of the public keys you allow to connect.

This file should be set up on the server side.

You must connect using your private key, likely:

    ssh -i .ssh/id_rsa [email protected]

Step 1 (client)

Connect to 192.168.12.10 with user ansible and type:

    mkdir .ssh ; chmod go-rwx .ssh ; cd .ssh
    ssh-keygen -t rsa

Accept the default options and do not set a password.

Do this only once; do not do it if there is already a key pair.

If the password for ansible is known, copy the file id_rsa.pub using:

    scp id_rsa.pub [email protected]:.ssh/id_rsa_ansible.pub

The first time you ssh or scp from 192.168.12.10 to 192.168.12.2, you will have a confirmation dialog.

    [email protected]:hosts.ansible
    The authenticity of host '192.168.12.10' can't be established.
    RSA key fingerprint is 89:dc:fe:d6:4a:40:28:e5:e9:d0:bd:09:28:01:93:23.
    Are you sure you want to continue connecting (yes/no)? y

If the password is unknown or unset, copy the line from id_rsa.pub using the PuTTY buffer.

Step 2 (server)

Connect to 192.168.12.2 with user ansible:

    mkdir .ssh ; chmod go-rwx .ssh ; cd .ssh

Create the authorization file:

    cat id_rsa_ansible.pub >> authorized_keys

or copy/paste the content of the id_rsa.pub file from ansible.

authorized_keys must:

  • belong to ansible (or root):

        chown ansible authorized_keys
  • have ansible as its only writer (rw-r--r--):

        chmod 644 authorized_keys

Verification

Connect to 192.168.12.10 with user ansible:

    ssh [email protected]

You should connect without having to type a password.


I already have a web page detailing those steps (in French and English), where you can enter usernames and hostnames: detail of ssh setup

  • Hi Archemar, do you mean trying "ssh -i .ssh/id_rsa [email protected]" at the client 192.168.12.10, with the -i option pointing at a server-side file? I have tried this option as well but no luck, and got the same permission denied error. Commented Jun 30, 2020 at 10:01
  • id_rsa should be present on your client; as a default key name, you don't need to specify it with the -i option, although it will do no harm to do so. Commented Jun 30, 2020 at 10:32
  • Will -i look for the key on the client side or the server side? Commented Jun 30, 2020 at 10:41
  • -i will look for a key on the client side. Your private key should be on the client; your public key concatenated onto the authorized_keys file on the server. Commented Jun 30, 2020 at 10:43
  • Thanks. Could you please provide an answer with the server-side steps and the client-side steps? My ultimate goal is to access the server (192.168.12.2) from the client (192.168.12.10). I really appreciate your patience, please help. Commented Jun 30, 2020 at 10:51
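As an added example (not code from the question or from Archemar's answer), a POSIX shell preflight for the setup described in the question's command blocks and in the answer's Step 1 and Step 2. It checks the client-side identity the way `ssh -i` will, checks the server-side permissions that sshd's StrictModes enforce, and confirms the client's public key actually appears in the server's authorized_keys, which is what the reversed ssh-copy-id above left missing. Function names and the demo layout built by make_demo are my own constructions.

```shell
#!/bin/sh
# Preflight checks for SSH public-key login. Hypothetical helpers written for this
# page, not code from the post. They mirror what sshd (StrictModes) and the ssh
# client enforce: a non-private-key passed to -i, bad modes, or a key never copied.

# 0 if FILE/DIR is group- or world-writable: sshd then ignores authorized_keys
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# 0 if FILE is group- or world-readable: ssh then refuses to use the private key
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# check_identity FILE: is FILE something you can pass to `ssh -i`?
check_identity() {
    if ! head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
        echo "not a private key (authorized_keys and *.pub belong on the server): $1"
        return 1
    fi
    readable_by_others "$1" && { echo "private key readable by others: $1"; return 1; }
    return 0
}

# check_server_side HOME PUBFILE: StrictModes perms, then "is this client key authorized?"
check_server_side() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        writable_by_others "$p" && { echo "group/world-writable: $p"; rc=1; }
    done
    # field 2 of a public-key line is the key blob; it must appear verbatim on the server
    blob=$(awk '{ print $2 }' "$2")
    grep -qF -- "$blob" "$1/.ssh/authorized_keys" || { echo "key not in authorized_keys"; rc=1; }
    return $rc
}

# make_demo: constructed client key pair and server home for trying the checks offline
make_demo() {
    d=$(mktemp -d); mkdir -p "$d/client" "$d/server/.ssh"
    chmod 755 "$d/server"; chmod 700 "$d/server/.ssh"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' '-----END OPENSSH PRIVATE KEY-----' > "$d/client/id_rsa"
    chmod 600 "$d/client/id_rsa"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey ansible@client' > "$d/client/id_rsa.pub"
    cp "$d/client/id_rsa.pub" "$d/server/.ssh/authorized_keys"; chmod 600 "$d/server/.ssh/authorized_keys"
    echo "$d"
}
```

On the real hosts, run check_identity against ~/.ssh/id_rsa on 192.168.12.10 and check_server_side against /home/ansible on 192.168.12.2 with a copy of the client's id_rsa.pub; a failing check prints the reason sshd or ssh would reject the login.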
