Develop Reference

SSH into server Authentication Failed

Hi I 'm trying to SSH into a server from client (RHEL7) machine. I already added the clients public key (id_rsa.pub) to the servers authorized_keys file. I also added the servers fingerprint to my clients known_hosts file. When I try sshing, I used the -vvv flag to get some debug info and this is what I got (of course I put a fake IP in, and the returned SHA256 is fake):
[azure#blahblah ssh]$ ssh -v myusername#10.22.11.111
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 10.22.11.111 [10.22.11.111] port 22.
debug1: Connection established.
debug1: identity file /home/azure/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/azure/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/azure/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/azure/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/azure/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/azure/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/azure/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/azure/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.5
debug1: no match: Sun_SSH_1.1.5
debug1: Authenticating to 10.22.11.111:22 as 'suser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:aaaaaaaabbbbbbbccccccdddeeefffff
debug1: Host '10.22.11.111' is known and matches the RSA host key.
debug1: Found key in /home/azure/.ssh/known_hosts:5
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1001)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1001)
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/azure/.ssh/id_rsa
Authentication failed.
Can anyone provide some insight on what I can do to get this working?

Looks like a permission issue in .ssh folder
Following commands to be run at the server to set the correct permission for the folders.
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys

SSH login between servers still asking for password, why?

I have two servers identified as server-1 - 192.168.3.128 and server-2 - 192.168.3.130. I am setting up capifony for automatic deployment from server-1 to server-2 and this is what I have done so far:
In both servers I have created a user deploy without password since that's the user I will use for deployment.
In server-1 I setup a SSH keys by running the command: ssh-keygen and I leave without pass-phrase and default directories.
I have copied the content of /home/deploy/.ssh/id_rsa.pub at server-1 into server-2 at /home/deploy/.ssh/authorized_keys.
From server-1 I try to reach server-2 by running ssh deploy#192.168.3.130 and it's asking for a password (below is the output)
$ ssh deploy#192.168.3.130
The authenticity of host '192.168.3.130 (192.168.3.130)' can't be established.
RSA key fingerprint is 3c:81:da:7a:78:0f:b0:2f:44:3b:62:fb:c9:6f:33:86.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.130' (RSA) to the list of known hosts.
deploy#192.168.3.130's password:
This is the -v output of the command above:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.3.130 [192.168.3.130] port 22.
debug1: Connection established.
debug1: identity file /home/deploy/.ssh/identity type -1
debug1: identity file /home/deploy/.ssh/identity-cert type -1
debug1: identity file /home/deploy/.ssh/id_rsa type 1
debug1: identity file /home/deploy/.ssh/id_rsa-cert type -1
debug1: identity file /home/deploy/.ssh/id_dsa type -1
debug1: identity file /home/deploy/.ssh/id_dsa-cert type -1
debug1: identity file /home/deploy/.ssh/id_ecdsa type -1
debug1: identity file /home/deploy/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.3.130' is known and matches the RSA host key.
debug1: Found key in /home/deploy/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Trying private key: /home/deploy/.ssh/identity
debug1: Offering public key: /home/deploy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/deploy/.ssh/id_dsa
debug1: Trying private key: /home/deploy/.ssh/id_ecdsa
debug1: Next authentication method: password
deploy#192.168.3.130's password:
Why? What I am doing wrong?

In addition to running the client in verbose mode, start a new server instance in debug mode on another port:
server-2 as root:
# /usr/sbin/sshd -p 9999 -d
Then connect in verbose mode to that server on the same port:
server-1 as deploy
$ ssh -vvv -p 9999 server-2
9/10 it has to do with permissions.

passwordless root login from aws ec2 to ec2

I'm trying to start a vertica cluster on 3 ec2 instances(node1, node2, node3) which requires root login via ssh between the instances.
On node1, the main node...as a root user, I generated keys using ssh-keygen
On node2 and node3, I edited the /etc/ssh/sshd_config file with this:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no`
then added the id_rsa.pub key to node2 and node3 in both /root/.ssh/authorized_keys and /home/ec2-user/.ssh/authorized_keys
then did a
service sshd restart
I try to login like ssh root#node2 from node1...but I keep get this error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
EDIT:
also changed permitrootlogin to this:
PermitRootLogin without-password
did a -v on ssh and here is what I see
[root#ip-10-205-119-236 .ssh]# ssh -v root#10.205.117.61
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.205.117.61 [10.205.117.61] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.205.117.61' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I see its trying to use id_dsa...but I don't have that file...i have a file called node1 which is what I named my file...

SSH requires quite precise access rights on these files because if it would be different, it is security issue. You need your ~/.ssh to have accessible only by you and your authorized_keys can't be writeable by other:
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
should fix it.

Permission denied (publickey) ssh

I am attempting to ssh into a a EC2 machine and ssh has stopped working. I'm not sure how I broke it but it is now unable to connect. I already tried creating a new key but it is not helping.
$ ssh -vT ****#****.****-2.compute.amazonaws.com
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to ec2-****.****-2.compute.amazonaws.com [****] port 22.
debug1: Connection established.
debug1: identity file /home/Brad/.ssh/id_rsa type 1
debug1: identity file /home/Brad/.ssh/id_rsa-cert type -1
debug1: identity file /home/Brad/.ssh/id_dsa type -1
debug1: identity file /home/Brad/.ssh/id_dsa-cert type -1
debug1: identity file /home/Brad/.ssh/id_ecdsa type -1
debug1: identity file /home/Brad/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/Brad/.ssh/id_ed25519 type -1
debug1: identity file /home/Brad/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ****
debug1: Host '****.****-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/Brad/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/Brad/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/Brad/.ssh/id_dsa
debug1: Trying private key: /home/Brad/.ssh/id_ecdsa
debug1: Trying private key: /home/Brad/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
I have replaced all of the personal info with *.
Thank you

Nowhere in your command you are referring the ssh private key. Try running command as below:
ssh -i <path_to_the_private_key> ubuntu#<EC2_Hostname>
In above command, note that I have used the username as ubuntu. Depending on which AMI you are using, you should change the username which corresponds to that AMI.

Remove publickey from ssh login

I'm trying to connect to an embedded board of mine through ssh. But upon trying to connect through ssh -v -l root user#xx.xx.xx.xx, I get a series of debug comments:
dico#lithya:~$ sudo ssh -v -l root dico#foxboard2
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: Applying options for *
debug1: Connecting to foxboard2 [10.251.145.180] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 18:14:33:1e:88:5f:ad:13:78:9f:36:10:b9:d2:27:e4
debug1: Host 'foxboard2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,password).
The connection is being established through port 22 so that isn't the problem. So, clearly there is a problem with public/private key authentication. Therefore, how can I make sure that the private/public keys through both my machine and the board are in sync? Or better yet, how do I solve this issue or completely remove any keys?
UPDATE
I've tried to connect to the board by specifying no public key authentication by ssh -o PubkeyAuthentication=no dico#foxboard2, but now it's asking me for a password. I've checked the site but the password I type is incorrect. How can I remove a password request?

You can copy your public key to the server using:
ssh-copy-id user#xx.xx.xx.xx
It is always better to use keys than passwords.

Make sure your ~/.ssh directory is set to mode 700 (chmod 700 ~/.ssh) and your ~/.ssh/authorized_keys is set to mode 600 (chmod 600 ~/.ssh/authorized_keys).
In your /etc/ssh/sshd_config file set PasswordAuthentication no to turn off password logins.