Server refused our key

I am trying to log in to my Linux Ubuntu server via SSH key file with another user. I checked all the file permissions carefully.

.ssh has 700 and the authorized_keys file has 600 permission. The owner and the group of this user are identical to the username. Somehow it does not work. I always get the "Server refused our key" error message. That's really pure frustration. Can anybody help me out there?

Codemaster's picture

you need to allow the keyfile in sshd_config

You need to check a few things before this will work

  1. The folder .ssh needs to have 700 permission and the file authorized_keys needs 600 permission
  2. The folder and the file owner need to be the same as the user you want to log in with
  3. Add AuthorizedKeysFile /home/%u/.ssh/authorized_keys (replace with the correct file path of the user's authorized_keys file)
  4. AllowUsers user2 (specify the allowed users)
  5. Restart the server with service ssh restart if you are using Linux Ubuntu, otherwise try service sshd restart
  6. Give the new user admin or root permissions

Please check if this might help you solve the issue

Average: 4.5 (2 votes)
tuckeranddale's picture

I can not get it running somehow

I followed your suggestions fully, but I am still not able to SSH login to my Linux Ubuntu system with a user other than root using the key file authentication method. It is still troubling.

No votes yet
Codemaster's picture

Please do the following

Please edit /etc/ssh/sshd_config and change

LogLevel Info

to

LogLevel DEBUG3

After this, authenticate with the user and post the auth.log here, which you will find in /var/log/auth.log

Please also post the sshd_config file here, which you will find under /etc/ssh/sshd_config

After this I can tell you more on this

Average: 5 (1 vote)
chonthicha tutama's picture

here are the files

This is the sshd_config file

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel DEBUG3

# Authentication:
LoginGraceTime 120
#PermitRootLogin yes
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

#AuthorizedKeysFile    etc/.ssh/authorized_keys
AuthorizedKeysFile      ~/.ssh/authorized_keys

          AllowUsers teamalpha

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Average: 5 (1 vote)
chonthicha tutama's picture

And here is the auth.log

Jan 31 01:12:24 ssd1 sshd[10737]: debug1: trying public key file /root/.ssh/authorized_keys
Jan 31 01:12:24 ssd1 sshd[10737]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': Permission denied
Jan 31 01:12:24 ssd1 sshd[10737]: debug1: restore_uid: 0/0
Jan 31 01:12:24 ssd1 sshd[10737]: Failed publickey for teamalpha from 79.208.168.130 port 54691 ssh2: RSA SHA256:bJvcIx3XkQusFLqZ5+JqS29BO3tJI8uUZI7WW+R3GWI
Jan 31 01:12:24 ssd1 sshd[10737]: debug3: mm_answer_keyallowed: key 0x55d755c314d0 is not allowed
Jan 31 01:12:24 ssd1 sshd[10737]: debug3: mm_request_send entering: type 23
Jan 31 01:12:24 ssd1 sshd[10737]: debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
Jan 31 01:12:24 ssd1 sshd[10737]: debug3: userauth_finish: failure partial=0 next methods="publickey" [preauth]
Jan 31 01:12:24 ssd1 sshd[10737]: debug3: send packet: type 51 [preauth]
Jan 31 01:12:24 ssd1 sshd[10737]: debug3: receive packet: type 1 [preauth]
Jan 31 01:12:24 ssd1 sshd[10737]: error: Received disconnect from 79.208.168.130 port 54691:14: No supported authentication methods available [preauth]
Jan 31 01:12:24 ssd1 sshd[10737]: Disconnected from 79.208.168.130 port 54691 [preauth]

Average: 5 (1 vote)
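
An added example, not part of the thread: one way to triage a DEBUG-level auth.log like the one above is to group the sshd lines by PID and flag every authorized_keys path that lies outside the target user's home directory. The log lines are constructed, and `triage` and the `homes` mapping are hypothetical names.

```python
import re

# Constructed sample modelled on the DEBUG3 lines in the post above
# (client address replaced with a documentation IP, fingerprints elided).
SAMPLE_LOG = """\
Jan 31 01:12:24 ssd1 sshd[10737]: debug1: trying public key file /root/.ssh/authorized_keys
Jan 31 01:12:24 ssd1 sshd[10737]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': Permission denied
Jan 31 01:12:24 ssd1 sshd[10737]: Failed publickey for teamalpha from 203.0.113.10 port 54691 ssh2: RSA SHA256:(elided)
Jan 31 01:15:02 ssd1 sshd[10801]: debug1: trying public key file /home/teamalpha/.ssh/authorized_keys
Jan 31 01:15:02 ssd1 sshd[10801]: Accepted publickey for teamalpha from 203.0.113.10 port 54700 ssh2: RSA SHA256:(elided)
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?:debug\d: )?(?P<msg>.*)$")
TRIED = re.compile(r"trying public key file (?P<path>\S+)")
OPEN_ERR = re.compile(r"Could not open authorized keys '(?P<path>[^']+)': (?P<err>.+)")
RESULT = re.compile(r"(?P<res>Failed|Accepted) publickey for (?:invalid user )?(?P<user>\S+) ")

def triage(log_text, homes):
    """Correlate sshd lines by PID: for each publickey result, list the key
    files sshd tried that are NOT inside the target user's home directory."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        state = pending.setdefault(m["pid"], {"paths": [], "errors": []})
        msg = m["msg"]
        if (t := TRIED.search(msg)):
            state["paths"].append(t["path"])
        elif (e := OPEN_ERR.search(msg)):
            state["errors"].append(e["err"])
        elif (r := RESULT.search(msg)):
            home = homes.get(r["user"], "").rstrip("/")
            # A path outside the user's home points at a wrong AuthorizedKeysFile value.
            outside = [p for p in state["paths"]
                       if not home or not p.startswith(home + "/")]
            findings.append({"pid": m["pid"], "user": r["user"], "result": r["res"],
                             "outside_home": outside, "errors": state["errors"]})
            del pending[m["pid"]]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"teamalpha": "/home/teamalpha"}):
        print(finding)
```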
Codemaster's picture

Try 2 things

The first thing that I would do in your case is to add root to the allowed users

AllowUsers teamalpha root

Because if you test with teamalpha and this fails, you will be logged out of the system. Then you will only be able to log in after using the rescue mode and mounting the drive. This will take some time. To avoid being logged out, please add the user root there so that you can still log in as root.

From your auth.log you can see that the access to the authorized_keys file was denied for the user teamalpha. I can see that you changed the 

AuthorizedKeysFile      ~/.ssh/authorized_keys

I think that's the reason why this is not working. The file path for the user's authorized_keys needs to be given correctly there. Otherwise it won't work correctly.

Change it to:

%h/.ssh/authorized_keys

And if you add a user, don't forget to also add /bin/bash

useradd -d /home/teamalpha -s /bin/bash teamalpha

You also need to make sure that the user teamalpha has root privileges. You can do this by editing the sudoers file

teamalpha ALL=(ALL) ALL

Like this you have granted the user teamalpha root rights. Alternatively you can add a group with root rights and add the user to this group. This has the same effect.

After this restart ssh with

service ssh restart

This works only on Ubuntu systems like this.

Average: 5 (1 vote)
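
An added example, not part of the thread and not OpenSSH code: it resolves the AuthorizedKeysFile setting of an sshd_config for a given user, using the `%h`, `%u` and `%%` tokens from sshd_config(5), so the posted `~` value can be compared with the `%h` form suggested above. Function names and the `daemon_home` parameter are hypothetical; resolving a leading `~` to the daemon's home is an assumption taken from the posted auth.log.

```python
import posixpath

# Constructed from the two AuthorizedKeysFile lines in the posted sshd_config.
POSTED = ("#AuthorizedKeysFile    etc/.ssh/authorized_keys\n"
          "AuthorizedKeysFile      ~/.ssh/authorized_keys\n")
FIXED = "AuthorizedKeysFile %h/.ssh/authorized_keys\n"

def expand_tokens(pattern, user, home):
    """Expand %h (home directory), %u (user name) and %% (literal %)."""
    values = {"h": home, "u": user, "%": "%"}
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%":
            tok = pattern[i + 1:i + 2]
            if tok not in values:
                raise ValueError(f"unsupported token %{tok} in {pattern!r}")
            out.append(values[tok])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

def resolve_authorized_keys(config_text, user, home, daemon_home="/root"):
    """Return [(path, warning_or_None)] for the AuthorizedKeysFile in effect.
    Simplified: global section only, Match blocks are not evaluated."""
    patterns = None
    for raw in config_text.splitlines():
        fields = raw.split()
        # Commented-out lines start with "#..." and never match the keyword.
        if fields and fields[0].lower() == "authorizedkeysfile" and patterns is None:
            patterns = fields[1:]  # the first value obtained for a keyword is used
    if not patterns:
        patterns = [".ssh/authorized_keys", ".ssh/authorized_keys2"]  # documented default
    results = []
    for pat in patterns:
        if pat == "~" or pat.startswith("~/"):
            # Assumption, matching the posted auth.log: "~" is resolved against
            # the account sshd itself runs as, not the user logging in.
            results.append((daemon_home + pat[1:], "'~' is not per-user; use %h"))
            continue
        path = expand_tokens(pat, user, home)
        if not posixpath.isabs(path):
            path = posixpath.join(home, path)  # relative paths start at the user's home
        results.append((path, None))
    return results
```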