I've recently installed this stack on AWS EC2:
https://aws.amazon.com/marketplace/pp/B00NO1HJ56/ref=srh_res_product_title?ie=UTF8&sr=0-2&qid=1461119036279
The instance's system log says that the SSH keys were installed here:
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
I have added the public key to my Github account and the fingerprints match.
When cloning a repo I get:
Permission denied (publickey).
From the Github help section https://help.github.com/articles/error-permission-denied-publickey
I run: ssh -vT git#github.com and get:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to github.com [192.30.252.122] port 22.
debug1: Connection established.
debug1: identity file /home/bitnami/.ssh/id_rsa type -1
debug1: identity file /home/bitnami/.ssh/id_rsa-cert type -1
debug1: identity file /home/bitnami/.ssh/id_dsa type -1
debug1: identity file /home/bitnami/.ssh/id_dsa-cert type -1
debug1: identity file /home/bitnami/.ssh/id_ecdsa type -1
debug1: identity file /home/bitnami/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/bitnami/.ssh/id_ed25519 type -1
debug1: identity file /home/bitnami/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: Remote protocol version 2.0, remote software version libssh-0.7.0
debug1: no match: libssh-0.7.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/bitnami/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bitnami/.ssh/id_rsa
debug1: Trying private key: /home/bitnami/.ssh/id_dsa
debug1: Trying private key: /home/bitnami/.ssh/id_ecdsa
debug1: Trying private key: /home/bitnami/.ssh/id_ed25519
debug1: No more authentication methods to try.
I seems the ssh agent is searching /home/bitnami/.ssh/ but the keys are located in /etc/ssh
This is the contents of /home/bitnami/.ssh
authorized_keys
known_hosts
And this is the contents of /etc/ssh
moduli
ssh_host_dsa_key
ssh_host_ecdsa_key.pub
ssh_host_rsa_key
ssh_config
ssh_host_dsa_key.pub
ssh_host_ed25519_key
ssh_host_rsa_key.pub
sshd_config
ssh_host_ecdsa_key
ssh_host_ed25519_key.pub
ssh_import_id
If I check what keys are added to the ssh agent I get:
$ ssh-add -l I get:
The agent has no identities.
Is this simply a matter of adding my public key in /etc/ssh/ to the ssh agent by using ssh-add, so it knows where to look?
I don't understand why the keys are were not installed in /etc/hosts rather than the home directory.
The solution is simply to ignore the keys in /etc/ssh. These keys are used by AWS to access the instance and belongs to the system rather than a user.
So I just generated new keys for the bitnami user and those keys are now correctly sitting in /home/.ssh/
I can now pull my repo from Github.
Related
I have installed a Gitlab server (15.1) and try to finalize configuration for my user.
I am able to connect with ssh to the server for administration purpose.with my user. I use rsa key pair for that. I connect on the 22002 port and everything works well.
Now I wanted to follow Gitlab instruction to create a project, a new pair of key and connect my repository to Gitlab using this key pair.
I have created keys (ed25519), copy the public part into the Gitlab web server and just try the command ssh -T myuser#gitlab.mydomain.com
I get the following result:
Permission denied (publickey)
I have searched for hours but didn't find what I have made wrong.
If I run ssh -Tvvv myuser#gitlab.mydomain.com I get the following result:
OpenSSH_9.0p1 Debian-1+b1, OpenSSL 3.0.4 21 Jun 2022
debug1: Reading configuration data /home/tasseb/.ssh/config
debug1: /home/tasseb/.ssh/config line 19: Applying options for gitlab-kb
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to gitlab.mydomain.com [160.53.247.6] port 22002.
debug1: Connection established.
debug1: identity file /home/tasseb/.ssh/id_ed25519-gitlab type 3
debug1: identity file /home/tasseb/.ssh/id_ed25519-gitlab-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0p1 Debian-1+b1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5+deb11u1
debug1: compat_banner: match: OpenSSH_8.4p1 Debian-5+deb11u1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to gitlab.mydomain.com:22002 as 'sbe'
debug1: load_hostkeys: fopen /home/tasseb/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:ofs8tNkzOxuU5AwC2VYbFGPXfERPKXGOFrTatb8hV78
tlab.mydomain.com]:22002
debug1: load_hostkeys: fopen /home/tasseb/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[gitlab.mydomain.com]:22002' is known and matches the ED25519 host key.
debug1: Found key in /home/tasseb/.ssh/known_hosts:4
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /home/tasseb/.ssh/id_ed25519-gitlab ED25519 SHA256:7BtjWt7Ysd40SJ1xX1sBlZb7PJqUW5K2NhxDBvtIgfY explicit 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519#openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256#openssh.com,webauthn-sk-ecdsa-sha2-nistp256#openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tasseb/.ssh/id_ed25519-gitlab ED25519 SHA256:7BtjWt7Ysd40SJ1xX1sBlZb7PJqUW5K2NhxDBvtIgfY explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
sbe#gitlab.mydomain.com: Permission denied (publickey).
Thanks for your help.
I was sure it was something simple that I have omitted.
So this morning I just continue to set up locally my git project and did the first push using my user and password. That has working well.
Then, I edit my .ssh/config file, changing my username by "git" as suggested by #VonC.
Re run the test, it asked for the passphrase for the key and everything is ok.
I thought I could set up the ssh before doing a first push or set the origin locally, but it seems no.
Thanks again for your precious comments.
Using SSH URL with a GitLab on-premise server should always involve the technical account git, not "myuser".
See "Verify that you can connect"
ssh -Tvvv git#gitlab.mydomain.com
GitLab will authenticate you through the public key registered to the GitLab user account SSH setting page.
I am setting up my SSH keys with github. Did it numerous times earlier so i am pretty much sure that i am doing it right. But its not working. whenever i clone it just gets stuck there for around 5-10 mins and then returns this
Cloning into 'sentry-python'...
Connection to github.com closed by remote host.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Ran this command to check what's going on ssh -vT git#github.com. One of the many lines in output has this
Authenticated to github.com ([13.234.176.102]:22) using "publickey".
Followed official documentation for setting up keys. I believe its something else.
UPDATE:
HTTPs works fine
Output from: ssh -vT git#github.com
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to github.com [13.234.176.102] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version babeld-92f10f70
debug1: compat_banner: no match: babeld-92f10f70
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: <SERVER HOST KEY HERE>
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/user/.ssh/id_rsa RSA <KEY HERE> agent
debug1: Will attempt key: /home/user/.ssh/id_ecdsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user/.ssh/id_ed25519
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user/.ssh/id_xmss
debug1: Will attempt key: /home/user/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01#openssh.com,ecdsa-sha2-nistp521-cert-v01#openssh.com,ecdsa-sha2-nistp384-cert-v01#openssh.com,ecdsa-sha2-nistp256-cert-v01#openssh.com,sk-ssh-ed25519-cert-v01#openssh.com,sk-ecdsa-sha2-nistp256-cert-v01#openssh.com,rsa-sha2-512-cert-v01#openssh.com,rsa-sha2-256-cert-v01#openssh.com,ssh-rsa-cert-v01#openssh.com,sk-ssh-ed25519#openssh.com,sk-ecdsa-sha2-nistp256#openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA <KEY HERE> agent
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA <KEY HERE> agent
Authenticated to github.com ([13.234.176.102]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00#openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts for github.com / (none)
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts2 for github.com / (none)
debug1: client_input_hostkeys: hostkeys file /home/user/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_IN"
Okay. So earlier logs where till LANG = "en_IN". Now after altering some permission of my keys here's the updated log.
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to github.com [13.234.210.38] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version babeld-92f10f70
debug1: compat_banner: no match: babeld-92f10f70
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: <SERVER HOST KEY>
debug1: load_hostkeys: fopen /home/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/user/.ssh/id_rsa <KEY HERE> agent
debug1: Will attempt key: /home/user/.ssh/id_ecdsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/user/.ssh/id_ed25519
debug1: Will attempt key: /home/user/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/user/.ssh/id_xmss
debug1: Will attempt key: /home/user/.ssh/id_dsa
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01#openssh.com,ecdsa-sha2-nistp521-cert-v01#openssh.com,ecdsa-sha2-nistp384-cert-v01#openssh.com,ecdsa-sha2-nistp256-cert-v01#openssh.com,sk-ssh-ed25519-cert-v01#openssh.com,sk-ecdsa-sha2-nistp256-cert-v01#openssh.com,rsa-sha2-512-cert-v01#openssh.com,rsa-sha2-256-cert-v01#openssh.com,ssh-rsa-cert-v01#openssh.com,sk-ssh-ed25519#openssh.com,sk-ecdsa-sha2-nistp256#openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa RSA <KEY HERE> agent
debug1: Server accepts key: /home/user/.ssh/id_rsa RSA <KEY HERE> agent
Authenticated to github.com ([13.234.210.38]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00#openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts for github.com / (none)
debug1: client_input_hostkeys: searching /home/user/.ssh/known_hosts2 for github.com / (none)
debug1: client_input_hostkeys: hostkeys file /home/user/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: no new or deprecated keys from server
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_IN"
PTY allocation request failed on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Hi targhs! You've successfully authenticated, but GitHub does not provide shell access.
debug1: channel 0: free: client-session, nchannels 1
Connection to github.com closed.
Transferred: sent 3888, received 2812 bytes, in 0.6 seconds
Bytes per second: sent 6234.8, received 4509.3
debug1: Exit status 1
TL;DR link to what might as well be a duplicate here.
Explanation (long-ish)
You have something new in your edit: agent refused operation. That's the problem here. You are using an ssh agent, and it's the agent that must pass the private key (of the public/private key-pair) to ssh so that your ssh can decrypt the challenge that GitHub have sent to your ssh.
The way ssh authentication works (boiled down a bit) is this:
Your ssh client (ssh command) opens a channel to the host (in this case GitHub).
Your client tells them you'd like to log in as some user name (in this case git: GitHub always requires this as a constant).
Their ssh server then says: I might let you in, provided you prove to me that you have permission. Send me a public key.
Your client then pokes around to look for a public key to send. It finds one and sends it.
Their server checks to see if that ssh key is a valid key. It is; it's registered to you. But maybe you're not targhs. Maybe you've snagged the public key from the real targhs, and this connection is from an imposter! So they want to make sure you're really targhs. They use the public key to encrypt a random value, and send you—or rather, your client ssh—the value, challenging you to decrypt it.
Your client now requires the private key.
It's pretty common to have both public and private keys stored in a file on your computer (e.g., on your laptop). When this is the case, your ssh client can just open and read the private key file, giving it access to that private key. For security purposes, though, you can do one or both of these two things:
Not supply the private key at all. Keep it only in an agent.
Keep the private key in an encrypted file, so that a decryption key—separate from the public and private key—is required to read the private key.
If you've done either or both of these, your ssh client now needs help.
To get that help, your ssh client can:
interact directly with you, the user, via the keyboard: this may or may not be permitted; or
consult an ssh agent.
The ssh agent enables ssh clients to interact with you, the user, and provide the (secret) private key, even if it's not on the computer on which you're running ssh, or if it's just encrypted, or whatever. To do that, the ssh client asks the ssh agent for the key.
Your ssh agent says: Nuh-uh, not gonna give you the key!
Why does your ssh agent say that? That's the mystery here; that's what you have to figure out. There are multiple possible reasons. Fortunately, they're all pretty well covered in a separate StackOverflow question and answers: see How to solve "sign_and_send_pubkey: signing failed: agent refused operation"?
There are many similar questions and answers related to this authorization issue --- "Permission denied (publickey)". However, none of them works for my problem...
Here is my situation: I am using Amazon web server EC2 and my PC connects well with the server. For the next step, I was trying to install git on the server. The result which I was hoping to accomplish is updating the server-end when I push from local. But here the problem showed up: "Permission denied (publickey)"
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/IvyLin/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 52.68.24.4 [52.68.24.4] port 22.
debug1: Connection established.
debug1: identity file /Users/IvyLin/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/IvyLin/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/IvyLin/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/IvyLin/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/IvyLin/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/IvyLin/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/IvyLin/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/IvyLin/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to 52.68.24.4:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305#openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305#openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ieQEskLZ3tiW76F5KPhlQfHcGYFW+SifiIDQnBUZHmY
debug1: Host '52.68.24.4' is known and matches the ECDSA host key.
debug1: Found key in /Users/IvyLin/.ssh/known_hosts:5
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/IvyLin/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/IvyLin/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/IvyLin/.ssh/id_dsa
debug1: Trying private key: /Users/IvyLin/.ssh/id_ecdsa
debug1: Trying private key: /Users/IvyLin/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
One thing I am wondering is where should I put the public key exactly? There is one .ssh file for "validate server connection" already in the server, path: ~/.ssh and it works for me.
In terms of the ssh key for git, I created another .ssh folder inside the git folder, path: ~/home/git/.ssh. Which file does it look for during the connection? Though I've tried to put the public key into ~/.ssh, but still, it does not work...
I've been stuck there for so long time and really appreciated if someone can help me out! Workarounds to achieving "update as push" will also help me out!
One thing I am wondering is where should I put the public key exactly?
you have to put the public key on your git server under your account.
Which file does it look for during the connection?
you have to copy the ~/.ssh/id_rsa.pub to your git server account
I'm trying to start a vertica cluster on 3 ec2 instances(node1, node2, node3) which requires root login via ssh between the instances.
On node1, the main node...as a root user, I generated keys using ssh-keygen
On node2 and node3, I edited the /etc/ssh/sshd_config file with this:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no`
then added the id_rsa.pub key to node2 and node3 in both /root/.ssh/authorized_keys and /home/ec2-user/.ssh/authorized_keys
then did a
service sshd restart
I try to login like ssh root#node2 from node1...but I keep get this error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
EDIT:
also changed permitrootlogin to this:
PermitRootLogin without-password
did a -v on ssh and here is what I see
[root#ip-10-205-119-236 .ssh]# ssh -v root#10.205.117.61
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.205.117.61 [10.205.117.61] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.205.117.61' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I see its trying to use id_dsa...but I don't have that file...i have a file called node1 which is what I named my file...
SSH requires quite precise access rights on these files because if it would be different, it is security issue. You need your ~/.ssh to have accessible only by you and your authorized_keys can't be writeable by other:
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
should fix it.
I'm trying to connect to an embedded board of mine through ssh. But upon trying to connect through ssh -v -l root user#xx.xx.xx.xx, I get a series of debug comments:
dico#lithya:~$ sudo ssh -v -l root dico#foxboard2
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: Applying options for *
debug1: Connecting to foxboard2 [10.251.145.180] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 18:14:33:1e:88:5f:ad:13:78:9f:36:10:b9:d2:27:e4
debug1: Host 'foxboard2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,password).
The connection is being established through port 22 so that isn't the problem. So, clearly there is a problem with public/private key authentication. Therefore, how can I make sure that the private/public keys through both my machine and the board are in sync? Or better yet, how do I solve this issue or completely remove any keys?
UPDATE
I've tried to connect to the board by specifying no public key authentication by ssh -o PubkeyAuthentication=no dico#foxboard2, but now it's asking me for a password. I've checked the site but the password I type is incorrect. How can I remove a password request?
You can copy your public key to the server using:
ssh-copy-id user#xx.xx.xx.xx
It is always better to use keys than passwords.
Make sure your ~/.ssh directory is set to mode 700 (chmod 700 ~/.ssh) and your ~/.ssh/authorized_keys is set to mode 600 (chmod 600 ~/.ssh/authorized_keys).
In your /etc/ssh/sshd_config file set PasswordAuthentication no to turn off password logins.