Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Unable to ssh localhost: Permission denied (publickey) / Connection closed by ::1 [preauth]

Tags:

ssh

ubuntu

I am trying to execute

ssh localhost  

on Ubuntu 14.04 LTS, but getting

Permission denied (publickey).  

Here is some debug info...

First of all, I have the following files in ~/.ssh directory:

ubuntu@<hostname>:~$ ls .ssh
authorized_keys  id_dsa  id_dsa.pub  id_ecdsa  id_ecdsa.pub  id_ed25519  id_ed25519.pub  id_rsa  id_rsa.pub  known_hosts

And access permissions to the directory are:

ubuntu@<hostname>:~# stat -c %a ~/.ssh  
700  

Here is the verbose output of sshing:

ubuntu@<hostname>:~$ ssh -vvv localhost  
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014  
debug1: Reading configuration data /etc/ssh/ssh_config  
debug1: /etc/ssh/ssh_config line 19: Applying options for *  
debug2: ssh_connect: needpriv 0  
debug1: Connecting to localhost [::1] port 22.  
debug1: Connection established.  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_rsa" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_rsa type 1  
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_dsa" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_dsa type 2  
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_ecdsa" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type 3  
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1  
debug3: Incorrect RSA1 identifier  
debug3: Could not load "/home/ubuntu/.ssh/id_ed25519" as a RSA1 public key  
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type 4  
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2  
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2  
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000  
debug2: fd 3 setting O_NONBLOCK  
debug3: load_hostkeys: loading entries for host "localhost" from file "/home/ubuntu/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: none,[email protected],zlib  
debug2: kex_parse_kexinit: none,[email protected],zlib  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1  
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]  
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96  
debug2: kex_parse_kexinit: none,[email protected]  
debug2: kex_parse_kexinit: none,[email protected]  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit:  
debug2: kex_parse_kexinit: first_kex_follows 0  
debug2: kex_parse_kexinit: reserved 0  
debug2: mac_setup: setup [email protected]  
debug1: kex: server->client aes128-ctr [email protected] none  
debug2: mac_setup: setup [email protected]  
debug1: kex: client->server aes128-ctr [email protected] none  
debug1: sending SSH2_MSG_KEX_ECDH_INIT  
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY  
debug1: Server host key: ECDSA 4a:79:23:54:0b:5a:2c:98:39:ed:e4:b4:6b:5b:84:fa  
debug3: load_hostkeys: loading entries for host "localhost" from file "/home/ubuntu/.ssh/known_hosts"  
debug3: load_hostkeys: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:1  
debug3: load_hostkeys: loaded 1 keys  
debug1: Host 'localhost' is known and matches the ECDSA host key.  
debug1: Found key in /home/ubuntu/.ssh/known_hosts:1  
debug1: ssh_ecdsa_verify: signature correct  
debug2: kex_derive_keys  
debug2: set_newkeys: mode 1  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug2: set_newkeys: mode 0  
debug1: SSH2_MSG_NEWKEYS received  
debug1: Roaming not allowed by server  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug2: service_accept: ssh-userauth  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug2: key: /home/ubuntu/.ssh/id_rsa (0x7f403e66d570),  
debug2: key: /home/ubuntu/.ssh/id_dsa (0x7f403e66d4a0),  
debug2: key: /home/ubuntu/.ssh/id_ecdsa (0x7f403e6724d0),  
debug2: key: /home/ubuntu/.ssh/id_ed25519 (0x7f403e672b80),  
debug1: Authentications that can continue: publickey  
debug3: start over, passed a different list publickey  
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password  
debug3: authmethod_lookup publickey  
debug3: remaining preferred: keyboard-interactive,password  
debug3: authmethod_is_enabled publickey  
debug1: Next authentication method: publickey  
debug1: Offering RSA public key: /home/ubuntu/.ssh/id_rsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering DSA public key: /home/ubuntu/.ssh/id_dsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering ECDSA public key: /home/ubuntu/.ssh/id_ecdsa  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug1: Offering ED25519 public key: /home/ubuntu/.ssh/id_ed25519  
debug3: send_pubkey_test  
debug2: we sent a publickey packet, wait for reply  
debug1: Authentications that can continue: publickey  
debug2: we did not send a packet, disable method  
debug1: No more authentication methods to try.  
Permission denied (publickey).  

The content of /etc/ssh/sshd_config file:

ubuntu@<hostname>:~# cat /etc/ssh/sshd_config  
# Package generated configuration file  
# See the sshd_config(5) manpage for details  

# What ports, IPs and protocols we listen for  
Port 22  
# Use these options to restrict which interfaces/protocols sshd will bind to  
#ListenAddress ::  
#ListenAddress 0.0.0.0  
Protocol 2  
# HostKeys for protocol version 2  
HostKey /etc/ssh/ssh_host_rsa_key  
HostKey /etc/ssh/ssh_host_dsa_key  
HostKey /etc/ssh/ssh_host_ecdsa_key  
HostKey /etc/ssh/ssh_host_ed25519_key  
#Privilege Separation is turned on for security  
UsePrivilegeSeparation yes  

# Lifetime and size of ephemeral version 1 server key  
KeyRegenerationInterval 3600  
ServerKeyBits 1024  

# Logging  
SyslogFacility AUTH  
LogLevel INFO  

# Authentication:  
LoginGraceTime 120  
PermitRootLogin without-password  
StrictModes yes  

RSAAuthentication yes  
PubkeyAuthentication yes  
#AuthorizedKeysFile     %h/.ssh/authorized_keys  

# Don't read the user's ~/.rhosts and ~/.shosts files  
IgnoreRhosts yes  
# For this to work you will also need host keys in /etc/ssh_known_hosts  
RhostsRSAAuthentication no  
# similar for protocol version 2  
HostbasedAuthentication no  
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication  
#IgnoreUserKnownHosts yes  

# To enable empty passwords, change to yes (NOT RECOMMENDED)  
PermitEmptyPasswords no  

# Change to yes to enable challenge-response passwords (beware issues with  
# some PAM modules and threads)  
ChallengeResponseAuthentication no  

# Change to no to disable tunnelled clear text passwords  
PasswordAuthentication no  

# Kerberos options  
#KerberosAuthentication no  
#KerberosGetAFSToken no  
#KerberosOrLocalPasswd yes  
#KerberosTicketCleanup yes  

# GSSAPI options  
#GSSAPIAuthentication no  
#GSSAPICleanupCredentials yes  

X11Forwarding yes  
X11DisplayOffset 10  
PrintMotd no  
PrintLastLog yes  
TCPKeepAlive yes  
#UseLogin no  

#MaxStartups 10:30:60  
#Banner /etc/issue.net  

# Allow client to pass locale environment variables  
AcceptEnv LANG LC_*  

Subsystem sftp /usr/lib/openssh/sftp-server  

# Set this to 'yes' to enable PAM authentication, account processing,  
# and session processing. If this is enabled, PAM authentication will  
# be allowed through the ChallengeResponseAuthentication and  
# PasswordAuthentication.  Depending on your PAM configuration,  
# PAM authentication via ChallengeResponseAuthentication may bypass  
# the setting of "PermitRootLogin without-password".  
# If you just want the PAM account and session checks to run without  
# PAM authentication, then enable this but set PasswordAuthentication  
# and ChallengeResponseAuthentication to 'no'.  
UsePAM yes  

Everytime I'm trying to execute "ssh localhost" the following line is added to /var/log/auth.log:

Jan 29 08:40:41 <hostname> sshd[5167]: Connection closed by ::1 [preauth]

Can anyone suggest anything please?

like image 895
bad associations Avatar asked Jan 29 '15 09:01

bad associations


People also ask

How do I fix SSH permissions denied?

If you want to use a password to access the SSH server, a solution for fixing the Permission denied error is to enable password login in the sshd_config file. In the file, find the PasswordAuthentication line and make sure it ends with yes . Find the ChallengeResponseAuthentication option and disable it by adding no .

Why does SSH say Permission denied?

If you receive this error, check for the following issues: The password is incorrect. The SSH key is missing on your local computer or on the Droplet. You are trying to use a password, but PasswordAuthentication is disabled in sshd_config.


2 Answers

After reading some good manuals I realized that the public key of ubuntu@ (e.g., /home/ubuntu/.ssh/id_dsa.pub) must be added to the user's /home/ubuntu/.ssh/authorized_keys file, which contains public keys for public key authentication)

ubuntu@<localhost>:~$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
like image 113
bad associations Avatar answered Nov 12 '22 13:11

bad associations


If you're running Ubuntu on Windows Subsystem for Linux, there will not be a preinstalled public key or authorized keys list, so you'll need to generate your own.

If you don't already have openssh-server installed:

  1. sudo apt-get upgrade
  2. sudo apt-get update
  3. sudo apt-get install openssh-server
  4. sudo service ssh start

Then take the following steps to enable sshing to localhost:

  1. cd ~/.ssh
  2. ssh-keygen to generate a public/private rsa key pair; use the default options
  3. cat id_rsa.pub >> authorized_keys to append the key to the authorized_keys file
  4. chmod 640 authorized_keys to set restricted permissions
  5. sudo service ssh restart to pickup recent changes
  6. ssh localhost
like image 29
enharmonic Avatar answered Nov 12 '22 13:11

enharmonic