Keyless SSH to Ubuntu

1

I'm trying to SSH with PuTTY on Windows to a Ubuntu box.

I created the public key and private key with PuttyKeygen and added the public key to the server's /home/[user]/.ssh/authorized_keys file as a single line, appending [user@server] to the end, and adding ssh-rsa in the beginning, so it looks like:

ssh-rsa [key] [user]@[server]

This is on a single line; authorized_keys chmod is 600, ~/.ssh folder is 700 on the server. Everything is the same according to this tutorial.

Still when I try to use the private key file from PuTTY I get the below response:

"Server refused our key"

Here is the session log:

2011-10-08 23:43:58 Looking up host "server"
2011-10-08 23:43:58 Connecting to server port 22
2011-10-08 23:43:58 Server version: SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
2011-10-08 23:43:58 We claim version: SSH-2.0-PuTTY_Release_0.60
2011-10-08 23:43:58 Using SSH protocol version 2
2011-10-08 23:43:58 Doing Diffie-Hellman group exchange
2011-10-08 23:43:58 Doing Diffie-Hellman key exchange with hash SHA-256
2011-10-08 23:43:59 Host key fingerprint is:
2011-10-08 23:43:59 ssh-rsa 2048 be:32:9b:69:e9:fb:5d:08:71:3e:08:09:4d:b2:c8:b4
2011-10-08 23:43:59 Initialised AES-256 SDCTR client->server encryption
2011-10-08 23:43:59 Initialised HMAC-SHA1 client->server MAC algorithm
2011-10-08 23:43:59 Initialised AES-256 SDCTR server->client encryption
2011-10-08 23:43:59 Initialised HMAC-SHA1 server->client MAC algorithm
2011-10-08 23:43:59 Reading private key file "C:\Users\User\.ssh\id_rsa.ppk"
2011-10-08 23:43:59 Offered public key
2011-10-08 23:43:59 Server refused public key

Here is what I see in auth.log file

Oct  9 01:53:12 [server] sshd[1818]: Connection closed by [client-ip]
Oct  9 01:53:12 [server] sshd[1818]: Transferred: sent 3104, received 2008 bytes
Oct  9 01:53:12 [server] sshd[1818]: Closing connection to [client-ip] port 51499
Oct  9 01:53:12 [server] sshd[1800]: pam_unix(sshd:session): session closed for user [user]
Oct  9 01:53:15 [server] sshd[1786]: Connection closed by [client-ip]
Oct  9 01:53:15 [server] sshd[1786]: Transferred: sent 1944288, received 9040 bytes
Oct  9 01:53:15 [server] sshd[1786]: Closing connection to [client-ip] port 51498
Oct  9 01:53:15 [server] sshd[1764]: pam_unix(sshd:session): session closed for user [user]
Oct  9 01:53:20 [server] sshd[1933]: Set /proc/self/oom_score_adj to 0
Oct  9 01:53:20 [server] sshd[1933]: Connection from [client-ip] port 51501
Oct  9 01:53:20 [server] sshd[1933]: Failed publickey for [user] from [client-ip] port 51501 ssh2

Here is sshd_config file 

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel DEBUG#INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /home/%u/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication yes#no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
# PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

aug70co

Posted 2011-10-09T04:47:05.203

Reputation: 111

What's in the server sshd log? – Greg Hewgill – 2011-10-09T04:49:50.967

Make sure there are no blank spaces/whitespace when you copy the key between windows and ubuntu. Try shhing inside of ubuntu using keyless ssh to confirm that, at least, your ubuntu ssh is set up correctly. – None – 2011-10-09T04:50:18.947

Posted auth.log file output on failure at the bottom of the ticket – None – 2011-10-09T06:57:32.343

What does your public key look like; could you post it somewhere? (It's supposed to already begin with ssh-rsa AAAAB3Nz.....) – user1686 – 2011-10-09T14:08:46.417

Here is my public key in double quotes. "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB7W/GDgL66RLujj8gm2W76JuJX5VHt9Uy8KthFXqJTTh+CcW4x3v72pkqMG+boHSOICbYeYpdBX8PDiX1/dH1Hm4XQXrkJ5F/TuNWB2tEcAFI4RE3MMWNzNxdce3f0BvlZD9GwoUX1kD/XoYaEjAi0HiO20wkIdQj8Jv702dpmww== [user]@[server]" – aug70co – 2011-10-09T16:32:08.530

Answers

1

When creating the ~/.ssh/authorized_keys file, you should not have to modify the line you paste in there at all. This line should be exactly the same as the contents of the public key file on the ssh client. Your comment about appending [user@server] and prepending ssh-rsa indicates to me that you may not have pasted the correct line in there in the first place. Modifying the line to add those bits won't help.

Greg Hewgill

Posted 2011-10-09T04:47:05.203

Reputation: 5 099

The user@server suffix is a comment for the user, and PuTTYgen by default outputs rsa-<datetime> instead. Either way, SSH ignores it. Still, good point on copying the wrong key. PuTTYgen's UI is confusing in that matter. – user1686 – 2011-10-09T14:09:47.460

@GregHewgill I think the problem lies in my sshd_config, I will post it on the question shortly. – aug70co – 2011-10-09T16:25:15.590

sshd_config added to the question – aug70co – 2011-10-09T16:34:24.280

0

Slightly silly question (would be a comment if I had the rights)...

Are you sure your trying to login as the correct user. Try connecteing as user@host in putty as in the example screenshot below.

Putty Pointer

Otherwise your settings all look reasonable to me..

Ashimema

Posted 2011-10-09T04:47:05.203

Reputation: 145

Yes I have correct [user]@[host] value in the "Host Name (or IP Address) text box. I'm using Putty version 0.60 and I don't see the options ("Sessions from registry" and "Sessions from file") as you have in your screen shot above. Although I don't necessarily think this is a problem. I still believe, there is a problem with my sshd_config file. Can you take a look if you get chance (sshd_config is posted in the question). Thank you – aug70co – 2011-10-13T05:32:46.790

@user850718 OK.. your right the "Sessions from registry" stuff is a red herring.. I use Putty Tray as apposed to Putty..

A difference I can see in my config compared to your is that the line:
AuthorizedKeysFile %h/.ssh/authorized_keys is commented out in my config.. your is slightly different and being used.. you might want to check it's 100% correct. – Ashimema – 2011-10-13T11:38:24.223

Asked: 2011-10-09T04:47:05.203

Viewed: 1 080 times

Active: 2011-10-11T10:00:10.517