I'm trying to setup ssh access for a user account that I created with chef on a DigitalOcean Ubuntu 12.04 server. I had the options set in DigitalOcean to automatically copy my mac's ssh key when the droplet is created.
I can ssh in as root with no issues, but my other user fails to authenticate. this seems to be a common issue, and I checked some of the other answers, and found this command to get more info:
ssh -vvv -i id_rsa user@serverIP
The logs for the root user (which succeeds) with that command are
debug
1: Offering RSA public key: /Users/evan/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp snip!
debug3: sign_and_send_pubkey: snip!
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
failing user:
debug
1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/evan/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/evan/.ssh/id_dsa
debug3: no such identity: /Users/evan/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Which to me means that the public key is incorrect. But, if I login as the root user and go to
home/otheraccount/.ssh/authorized_keys
then I can see that my ssh key is there. I thought maybe there was an error, so I did:
cp .ssh/authorized_keys ~/home/otheraccout/.ssh/authorized_keys
But that didn't help. I don't know where else to look.
My etc/ssh/sshd_config
:
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
"sshd_config" 88L, 2508C
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# GS
SAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
Banner /etc/ssh_banner
edit:
drwx------ 2 deploy deploy 4096 Apr 20 06:00 .ssh
-rw------- 1 deploy deploy 820 Apr 20 05:35 authorized_keys
Edit2:
As suggested in the comments, /var/log/authlog
contains:
Apr 21 04:59:30 localhost sshd[586]: User deploy not allowed because account is locked
Apr 21 04:59:30 localhost sshd[586]: input_userauth_request: invalid user deploy [preauth]
I tried to do:
sudo usermod --expiredate -1 deploy
It returned:
no changes
Best Answer
SSH logins can fail for various reasons(incorrect directory/file permissions,incorrect keys etc.) and the connecting client will just get
Permission denied
orNo more authentication methods to try
or some generic error.The exact reason for the login failure will be available in ssh log
/var/log/auth.log
or/var/log/secure
depending on the syslog configuration.