SSH Troubleshooting – Can’t SSH Even with Public Key in Authorized_keys

16.04networkingssh

I have a Digital Ocean droplet I'm trying to give myself ssh access to. I'm not sure what was done to it previously. I've tried added my public key through the Digital Ocean UI. That didn't work, I kept getting permission denied (publickey).

I accessed the server through the Digital ocean console and manually added my public key to /root/.ssh/authorized_keys. I then tried to ssh using ssh root@x.x.x.x. That didn't work (permission denied).

So I tried adding a new user, created the /home/me/.ssh directory with permissions 700 on the .ssh directory itself, and 600 on the authorized_keys file. Then I tried ssh me@x.x.x.x. That didn't work either.

Restarting the ssh daemon doesn't change anything either.

What am I missing?

Edit:

Here is verbose ssh output.

https://gist.github.com/jaesung2061/a37cfd68308414cede8abf7f0137daa9

Edit 2:

LogLevel DEBUG3 output:

Best Answer

Client Configuration

Set up `~/.ssh/config`

Setting up host entries for ssh is really easy and will save you a lot of trouble. Here is an example:

Host digitaloceanbox
Hostname 111.111.111.111
User root
PubKeyAuthentication yes
IdentityFile /home/user/.ssh/digitalocean-rsa
ForwardX11 yes


Host github github.com
Hostname github.com
User git
PubKeyAuthentication yes
IdentityFile /home/user/.ssh/github-rsa
ForwardX11 no

In this example, we setup digitaloceanbox and github and github.com so that we can do the following commands:

ssh github
ssh digitaloceanbox

If we want to login as a different user than the one specified in the config file, we just put user@ at the begining:

ssh user@digitaloceanbox

Generating `ssh` keys

ssh-keygen -t rsa -b 4096 -C user@homemachine
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):  /home/user/.ssh/digitalocean-rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/digitalocean-rsa
Your public key has been saved in /home/user/.ssh/digitalocean-rsa.pub.
The key fingerprint is:
SHA256:p9PYE/tveF2n//bLbp3ogYDtMtYEC5ziQiPxeob6fbo user@homemachine

Note that I've specified the full path of the private key I want to generate when prompted by ssh-keygen. I've also defined the comment (-C) which allows me to easily identify keys on remote machines.

This will create two files:

.ssh/digitalocean-rsa
- PRIVATE key. Never share this.
.ssh/digitalocean-rsa.pub
- Public key. This is what you store on the server to authenticate.

When you provide your ssh key, be sure it's the .pub version!! When you add to your ~/.ssh/config, be sure to add the correct private key that matches the public key you added to the system.

Server Configuration

Most installations will come with Public Key Authentication enabled. If you start doing things all willy nilly, you might run into a few problems, however. At where the OP is in their problem, I recommend that the OP deletes the /root/.ssh/ directory to start over.

It is not recommended that you use ssh to access the root user on the remote system. It is recommended that you ssh into another user, and then escalate to root using your password (sudo su -).

Add keys to host using `ssh-copy-id`

Regardless of whether you decide to create another user and use ssh as that user, or the root user, the following is the recommended way of placing ssh keys on a server:

ssh-copy-id -i /home/user/.ssh/digitalocean-rsa.pub user@digitaloceanbox

This allows sshd to create the directory and files needed with the permissions needed. This means there is zero chance for you to mess up permissions or needing to remember the details. Just use the tool to upload the keys.

Disable Password Authentication

That being said, once you have key'd yourself and verified that you are able to connect using the keys, it is recommended that you disable Password Authentication in sshd and restart the service:

Edit /etc/ssh/sshd_config
PasswordAuthentication no
sudo systemctl restart sshd

What about new users?

If you disable Password Authentication, how can you key new users? One way is to add template files to the /etc/skel directory. Once you've key'd one user, do the following:

sudo cp -r .ssh/ /etc/skel/
ls /etc/skel/.ssh
Edit any files found in /etc/skel/.ssh/ so that they are blank, unless you want to automatically key yourself for every newly created user.

When you create new users with sudo useradd -m newuser, that user will have the .ssh/authorized_keys, which you can edit and will have the proper permissions.

Debugging

You can watch the sshd log file to see why connections fail or get refused:

sudo tail -f /var/log/auth.log

While you're running this command, use another terminal to attempt a login. Many times the messages provided are good enough to help pinpoint the problem, or find a solution online.

Related Solutions

SSH Keys – How to Add SSH Keys to Authorized_keys File

You should never save the file with its contents starting with -----BEGIN RSA PRIVATE KEY----- on the server, that is your private key. Instead, you must put the public key into the ~/.ssh/authorized_keys file.

This public key has the .pub extension when generated using ssh-keygen and its contents begin with ssh-rsa AAAAB3. (The binary format is described in the answers to this question).

The permissions of ~/.ssh on the server should be 700. The file ~/.ssh/authorized_keys (on the server) is supposed to have a mode of 600. The permissions of the (private) key on the client-side should be 600.

If the private key was not protected with a password, and you put it on the server, I recommend you to generate a new one:

ssh-keygen -t rsa

You can skip this if you're fully sure that nobody can recover the deleted private key from the server.

If this does not help, run ssh with options for more verbosity:

ssh -vvv user@example.com

On the server side, you can review /var/log/auth.log for details.

SSH – Fix Public Key Added but Still Prompt for Password

Note that your /etc/ssh/sshd_config contains the line

 StrictModes yes

Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is ''yes''.

In other words, your home directory ~ on the remote host should be owned and group-owned by you (in this case, this probably means owner htpc and group htpc), and only writable by you (and potentially your group): that means no write in the last ("world") column

$ ls -la ~/
drwxr-xr-x 41 htpc htpc .

Note that the last part says r-x (not world writable), NOT rwx.

If there's a rwx in the last triplet, you need to remove the write rights:

chmod a-w ~

Similarly for the ~/.ssh folder and ~/.ssh/authorized_keys. I would recommend chmod 700 ~/.ssh to only grant access to yourself for the folder, and chmod 600 ~/.ssh/authorized_keys for the file.

(Also see https://unix.stackexchange.com/a/16981/5477 for more server-side debugging tools)