Can't connect over SSH with public key

microbug
Posts: 2
Joined: 2018/01/29 18:24:31

Postby microbug » 2018/01/29 18:38:47

I have a fresh CentOS 7 VM, installed from the minimal ISO. The only user is root. It's on a Proxmox host with no firewall between it and me. I can SSH using a public/private key pair into other (Debian) VMs on the Proxmox host fine; there are no VLANs set up and the firewall in Proxmox is disabled. I can SSH into the VM using a password, but not with a public/private key pair. I have tried using the IP address rather than the hostname and setting `PasswordAuthentication no` on the server, but I get a permission denied error on attempting to connect:

`ssh -vv carbon` (host is called carbon btw):
[spoiler]
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/richard/.ssh/config
debug1: /Users/richard/.ssh/config line 30: Applying options for c
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to carbon port 22.
debug1: Connection established.
debug1: identity file /Users/richard/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/richard/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to carbon:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:2uvHS/4EU+IRV0ucRw/SKQm/EDIo6/Vtg7IwwaPOmls
debug1: Host 'carbon' is known and matches the ECDSA host key.
debug1: Found key in /Users/richard/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /Users/richard/.ssh/id_rsa (0x7fb491500760), explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:iFDSP+QQtcVbV8xK5vaaQOYDsPQ7qPH/RDRiw8in9xY /Users/richard/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@carbon: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[/spoiler]

If I do `ssh-keygen -l -f .ssh/id_rsa`, I get a matching fingerprint to the one above (SHA256:iFDSP+QQtcVbV8xK5vaaQOYDsPQ7qPH/RDRiw8in9xY), and if I do `ssh-keygen -l -f .ssh/authorized_keys` I get the same (identical) fingerprint. Permissions on /root/.ssh are 755 for .ssh and 644 for .ssh/authorized_keys. I have tried rebooting. `PubkeyAuthentication` is set to yes in /etc/ssh/sshd_config.

Thanks in advance for any help

avij
Forum Moderator
Posts: 2449
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Can't connect over SSH with public key

Postby avij » 2018/01/29 20:26:11

Your .ssh file/directory permissions are unnecessarily permissive, but that doesn't seem to be a problem here.

What do you have in the server's /etc/ssh/sshd_config for `PermitRootLogin`?

If it is a SELinux issue, you could try `restorecon -r .ssh` as root on the target server to fix the file contexts.

The server's /var/log/secure may also show some hints.
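
The permissions point in the reply above, as an added example that is not part of the original thread: sshd's `StrictModes` check ignores `authorized_keys` only when the file or its directory is group- or world-writable, which is why 755/644 is looser than the usual 700/600 but does not block key login. The function names and the three labels are assumptions made for this sketch, and it looks at mode bits only, not ownership or the home directory, which sshd also checks.

```shell
#!/bin/sh
# Added example: classify the modes of an .ssh directory and its
# authorized_keys file along the lines of sshd's StrictModes test.
# Function names and labels are illustrative, not from OpenSSH.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# classify_mode MODE TIGHT
#   refused    - group/world write bit set; StrictModes ignores the key file
#   permissive - accepted by sshd, but has bits beyond TIGHT
#   ok         - nothing beyond TIGHT (700 for the dir, 600 for the file)
classify_mode() {
    m=$(( 0$1 ))
    tight=$(( 0$2 ))
    if [ $(( m & 022 )) -ne 0 ]; then
        echo refused
    elif [ $(( m & ~tight & 0777 )) -ne 0 ]; then
        echo permissive
    else
        echo ok
    fi
}

# audit_ssh_dir DIR: one line per path: "<path> <mode> <verdict>".
audit_ssh_dir() {
    dir=$1
    keys=$1/authorized_keys
    dmode=$(mode_of "$dir")
    echo "$dir $dmode $(classify_mode "$dmode" 700)"
    if [ -f "$keys" ]; then
        kmode=$(mode_of "$keys")
        echo "$keys $kmode $(classify_mode "$kmode" 600)"
    else
        echo "$keys missing"
    fi
}

# Audit the directory given as the first argument, e.g. /root/.ssh
if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

A `permissive` verdict is worth tightening with `chmod 700` on the directory and `chmod 600` on the file, but when login still fails with that verdict the cause lies elsewhere, as it did in this thread.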

microbug
Posts: 2
Joined: 2018/01/29 18:24:31

Re: Can't connect over SSH with public key

Postby microbug » 2018/01/31 21:45:02

I feel extremely stupid writing this. I hadn't updated the system since the install from the Minimal ISO. Doing a `yum update` and rebooting fixed the problem (SSH worked as expected, public key login is fine now).

Thanks for the tips anyway :)