Putty: Getting the server refused our key error

In my case, this is a resolution issue.

I changed the log level to DEBUG3 , and in /var/log/secure I see this line:

 Authentication refused: bad ownership or modes for directory 

Googled and found this post:

https://www.daveperrett.com/articles/2010/09/14/ssh-authentication-refused/

 chmod gw /home/your_user chmod 700 /home/your_user/.ssh chmod 600 /home/your_user/.ssh/authorized_keys 

Basically, this tells me:

• get rid of your user's group w permission
• change the resolution to 700 from .ssh dir
• change the resolution to 600 from the authorized_keys file.

And it works.

Another thing is that even if I turned on root, I can not get root to work. It’s better to use another user.

I am adding this answer to help anyone like me who has been scouring the internet for hours without success.

YOUR MEMORY OF THE HOUSE MAY BE COMPLETED.

Or, in any case, any folder where your authorized_keys file is located. Man, that would save me a lot of time. To check, go run

 ls -A 

in the directory whose status you want to determine. If the folder contains a folder named ".encryptfs", the answer will be yes, this folder is encrypted. This will make it difficult to access the "authorized_keys" file, which contains the ssh public key required for verification.

To fix this, put the "authorized_key" file in a directory tree that does not contain encryption.

The simple solution I found was to move the authorized_keys file from the .ssh hidden directory and put it in the ssh system directory:

 /etc/ssh/keys/authorized_keys 

As soon as I did this, it worked without problems.

with the same problem in Windows Server 2008 r2 and researched a lot to solve, in the end, by doing the following:

open C: \ Program Files (x86) \ OpenSSH \ etc \ sshd_config with a text panel or any other text editor

delete a comment from the following lines, after removal they should look like this:

 RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys 

save it and try to log in using the private key. enjoy.

Thank!

Thanks for LogLevel DEBUG3 (in my case, CentOS 7 log is in /var/log/secure )

It turned out that my .ssh/authorized_keys mode was 644 and not 600 , and sshd felt that it was empty alone, which I finally discovered while reading this log file!

Thanks to nrathaus and /var/log/auth.log , debugging level investigations are as follows.

Another reason is because your home directory may have permissions other than 755.

I ran into this problem today, and my problem was that when copying a public key from a file, newline characters are also included. You can use ": set list" in vim to see all hidden newlines and make sure to delete all newlines except the last. Also, in my key, "ssh-rsa" was missing at the beginning. Make sure you have it too.

Running Windows 8.1, I ran into server refused our key problem.

Follow the instructions: https://winscp.net/eng/docs/guide_windows_openssh_server It was easy to establish a connection using the username and password Windows login. However, with username authentication combined with a private key server refused our key response was server refused our key .

Work with the public key C:\ProgramData\ssh\administrators_authorized_keys to permissions for the file: C:\ProgramData\ssh\administrators_authorized_keys

This is a useful page: https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubility-Steps

Stop the two OpenSSH services, then open the command prompt with admin permissions . Then run: C:\OpenSSH-Win32>c:\OpenSSH-Win32\sshd.exe -ddd

Note: specify the full path to the exe file, otherwise sshd complains. This creates a one-time connection receiver. -ddd - verbose level 3.

After establishing a connection, a scan of the logs revealed:

 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys debug3: Failed to open file:C:/ProgramData/ssh/administrators_authorized_keys error:2 debug1: Could not open authorized keys '__PROGRAMDATA__/ssh/administrators_authorized_keys': No such file or directory 

I had to create a file: C:\ProgramData\ssh\administrators_authorized_keys and copy the public key text into it, for example: ssh-rsa AAAA................MmpfXUCj rsa-key-20190505 And then save the file. I saved the file as UTF-8 with BOM . Not tested ANSI .

Then again, running a one-time command line, the logs showed:

 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys debug3: Bad permissions. Try removing permissions for user: S-1-5-11 on file C:/ProgramData/ssh/administrators_authorized_keys. Authentication refused. 

S-1-5-11 is the name given to System .

To fix incorrect Bad permissions , right-click the administrators_authorized_keys file, go to the Security Tab , click the Advanced button and delete the inherited permissions. Then delete all Group or user names: except the Windows YourMachineName\username , for example: YourMachineName\username . Permissions for this, the username must be " Read Allow ," Write Deny everything else has not been verified. YourMachineName\username must also be the owner of the file

This solved the problem.

Other useful links:

Download the OpenSSH-Win32.zip file at : https://github.com/PowerShell/Win32-OpenSSH/releases.

Example of using C # WinSCPnet.dll to connect to an OpenSSH server: https://winscp.net/eng/docs/library#csharp

Here is a snippet of code to connect using WinSCPnet.dll :

 static void WinSCPTest() { SessionOptions ops = new SessionOptions { Protocol = Protocol.Sftp, PortNumber = 22, HostName = "192.168.1.188", UserName = "user123", //Password = "Password1", SshHostKeyFingerprint = @"ssh-rsa 2048 qu0f........................ddowUUXA=" }; ops.SshPrivateKeyPath = @"C:\temp\rsa-key-20190505.ppk"; using (Session session = new Session()) { session.Open(ops); MessageBox.Show("success"); } } 

Replace SshHostKeyFingerprint and SshPrivateKeyPath with your own values.

Edit: added screenshot of access rights to administrator_authorized_keys files:

When OpenSSH SSH Server runs as a Service, only System should have permission. However, if you run sshd.exe from the command line, the current user should be the only one in the list (reading is allowed, writing is prohibited).

For those who get this error from Windows Server, I got the same error, and it was a problem with the user account. In many organizations, group policy for administrators may not allow SSH server configuration and connections. With this type of configuration, this should be done from the Local Admin account. It might be worth a peek if you have confirmed that there are no typos in the public key.

In my case, I had to disable SELinux on Centos6.6 to make it work :)

Modify / etc / selinux / config and install the following, then reboot the host.

 selinux=disabled 

By the way ... forgot to mention that I had to set LogLevel = DEBUG3 to determine the problem.

I had the same error on a tanning bed, but found in / var / adm / splunk -auth.log:

 sshd: [auth.debug] debug1: PAM conv function returns PAM_SUCCESS sshd: [auth.notice] Excessive (3) login failures for weblogic: locking account. sshd: [auth.debug] ldap pam_sm_authenticate(sshd-kbdint weblogic), flags = 1 sshd: [auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed 

In / etc / shadow, the account was locked:

 weblogic:*LK*UP:16447::::::3 

Deleted part "* LK *":

 weblogic:UP:16447::::::3 

and I could use ssh with authorized_keys as usual.

In my case, this was called ( /etc/ssh/sshd_config ):

 PermitRootLogin no 

Changed to yes , restarted the service and logged in normally.

I solved this problem, puttygen is a third-party software, the ssh key that it generated was not used directly, so you have to make some changes. For example, it looks like this:

 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key-20170502" AAAAB3NzaC1yc2EAAAABJQAAAQEAr4Ffd3LD1pa7KVSBDU+lq0M7vNvLp6TewkP7 *******C4eq1cdJACBPyjqUCoz00r+LqkGA6sIFGooeVuUXTOxbYULuNQ== ---- END SSH2 PUBLIC KEY ---- 

I omit some of the alphabets in the middle, replacing with *, if not, StackOverflow told me that the code format is incorrect, do not let me post messages.

this is my puttygen generated ssh key, you should change to this

 ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAr4Ffd3LD1pa7KVSBDU+lq0M7vNvLp6TewkP7wfvKGWWR7wxA8GEXJsM01FQw5hYWbNF0CDI7nCMXDUEDOzO1xKtNoaidlLA0qGl67bHaF5t+0mE+dZBGqK7jG9L8/KU/b66/tuZnqFqBjLkT+lS8MDo1okJOScuLSilk9oT5ZiqxsD24sdEcUE62S8Qwu7roVEAWU3hHNpnMK+1szlPBCVpbjcQTdiv1MjsOHJXY2PWx6DAIBii+/N+IdGzoFdhq+Yo/RGWdr1Zw/LSwqKDq1SmrpToW9uWVdAxeC4eq1cdJACBPyjqUCoz00r+LqkGA6sIFGooeVuUXTOxbYULuNQ== yourname@hostname 

In my case, I deleted some comments, like

 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "rsa-key-20170502" ---- END SSH2 PUBLIC KEY ---- 

and add ssh-rsa at the beginning, add yourname@hostname last. note : do not delete == for the last time, and you must change the "name" and "host name" for yourself. In my case, this is uaskh@mycomputer , your name is what you want to log into your vps. If all this is done, you can upload the public key to uaskh home ~/.ssh/authorized_keys on cat public-key >> ~/.ssh/authorized_keys , then sudo chmod 700 ~/.ssh sudo chmod 600 ~/.ssh/authorized_keys , then you should change / etc / ssh / sshd _config, RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys my operating system is CentOS 7 , this is my first question for anders, I will try to do everything, thanks!

I am using a PUTTYgen file with psftp and I encountered this problem on my Windows Server when we needed to create new keys for the client. The private_key_name.ppk file and the open_ssh.txt file must be in the same directory to connect to the work.

In my case, home on nfs was 777, it was necessary 750. This fixed the problem.

I have this problem where sshd only reads from authorized_keys2 .

Copying or renaming the file fixed the problem for me.

 cd ~/.ssh sudo cat authorized_keys >> authorized_keys2 

PS I use Putty from Windows and used PuTTyKeygen to generate a key pair.

I encountered a similar problem when trying to login through Mobaxterm. The private key was generated via puttygen. Key recovery helped in my case.

When using cpanel, you can check if the key is authorized in

SSH access >> Public keys >> Management >> Authorization or deauthorization.

if you get this error in /var/log/secure

error: key_read: key_from_blob AA
AAB3NzaC1yc2EAAAABJQAAAQEAoo3PFwX04NFG + rKz93l7em1BsUBzjHPMsswD

this means that your key has a space, if you generated the key via puttgen when viewing the .ppk file, it will look like this:

 AAAAB3NzaC1yc2EAAAABJQAAAQEAoo3PFwX04NFG+rKz93l7em1BsUBzjHPMsswD al74MLaJyhQD0pE23NS1izahbo1sJGnSJu2VJ//zxidSsba6xa6OvmeiKTwCz0E5 GMefdGVdpdbTlv99qjBl1+Nw1tDnHIC0+v9XmeZERQfCds9Kp1UivfReoYImntBC gLtNyqRYrSu8csJCt7E1oY8QK6WP1vfYgAQ2taGyS9+g7FHyyf5VY2vH3oWzzbqz xjsSLAv3zEQSm1LzSw9Pvc8iwasFyUMBOPj31CKQYTXyX8KpJTr0Zb7oqMauBE5L VwxZhlcJHbj0FsMbF/+GRjvgexymCi3bHmwGQ6FEADNd0RkhdQ== 

and when you try to insert it, you will get an error while reading the key, so try to edit the key and make it one line, and try

it should look somehow

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoo3PFwX04NFG+rKz93l7em1BsUBzjHPMsswDal74MLaJyhQD0pE23NS1izahbo1sJGnSJu2VJ//zxidSsba6xa6OvmeiKTwCz0E5GMefdGVdpdbTlv99qjBl1+Nw1tDnHIC0+v9XmeZERQfCds9Kp1UivfReoYImntBCgLtNyqRYrSu8csJCt7E1oY8QK6WP1vfYgAQ2taGyS9+g7FHyyf5VY2vH3oWzzbqzxjsSLAv3zEQSm1LzSw9Pvc8iwasFyUMBOPj31CKQYTXyX8KpJTr0Zb7oqMauBE5LVwxZhlcJHbj0FsMbF/+GRjvgexymCi3bHmwGQ6FEADNd0RkhdQ== username@domainname

What works for me is:

• Stopped ec2 instance
• turn off the volume
• connect the volume with the old instance using the same key and could ssh
• mount the volume to some temporary folder
• checked the file in the mount_point / home / ec2-user / .ssh / authorized_keys directory
  • Ideally, this file should have our key information, but for me this file was empty
• copied the old instance of the author_keys file to the newly mounted volume
• unmount device
• connect to the source instance of ec2
• run it and let it pass a health check

This time it works for me. But I do not know why it does not have information about my key file when starting the instance. Check out this link too https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubilityInstancesConnecting.html#TroubilityInInstancesConnectingMindTerm

In my case, the problem was this: during the generation of ssh keys, I intentionally changed the default key directories. So instead of using the location ~ / .ssh / authorized_keys, I decided to use ~/home/user/folder1/.ssh/authorized_keys for these changes to work, I had to make the same changes regarding the new location in this file /etc/ssh/sshd_config . But until I realized this, I already tried several solutions suggested by other people, including setting the permission for the home folder 700 and for the .ssh 600 directory.

Root mount fix steps (What I followed when I changed the permission with the ec2-user folder and authorization key file) This process will be similar to disconnecting and connecting a flash drive

Below are some other scenarios you may encounter:

1. You are using the SSH private key, but the corresponding public key is not in the author_keys file.
2. You do not have permission for your author_keys file.
3. You do not have permission for the .ssh folder.
4. Your author_keys file or .ssh folder is incorrectly named.
5. Your author_keys file or .ssh folder has been deleted.

Steps to fix them

• Stop the problematic instance of Ec2
• Disconnect the root volume (/ dev / sda1)
• Create an ec2 instance or use a working one
• Mount a separate volume (/ dev / sdvf) in a new ec2 instance

Now after entering the new ec2, run the following steps

• Lsblk command - list all available mounts
• Select the mount value that you unmount from the problem instance.
• As an ec2 user, run "sudo mount / dev / mapper / rootvg-home / mnt" sudo mount/dev/mapper/rootvg-home/mnt
• Then change the directory to / mnt
• Make any necessary changes.

Now we have fixed our volume with the problem we are facing. Basically this may be a user rights issue - Unmount / mnt to unmount it - Now go to the console and specify the volume that is connected to the new instance and disconnect it - After disconnecting, attach it to the new volume as / dev / sda1

You must be logged in successfully.

Based on my experience, I suggest that you generate keys from putty, and not from linux. Because the key will be the old PEM format. In any case, only my suggestion. I did as the steps below, and worked well with me and with my team.

1. Create a key pair with PuTTYGen.exe on the local computer (type: RSA, length: 2048 bits).

2. Save the private / public key as files " id_rsa.ppk / id_rsa.pub " on your local computer.

3. Create the file "authorized_keys" on your local computer, and then enter the public key in " id_rsa.pub " for " authorized_keys ". Remember that content must begin with " ssh -R sa " and only one line .

4. Use WinScp (or the putty command) to copy " author_keys & id_rsa.pub " from your local directory to your linux-user-home " /home/$USER/.ssh/ ".

5. Run these commands:

   Chmod 700.US

   chmod 600.ssh / authorized_keys

   chown $ USER: $ USER.ssh -R

6. Check the connection settings by downloading the private key " id_rsa.ppk " in the profile of PuTTY.exe, then click the "Open" button (enter the password, if you have one).

check your key, today it should be the rsa key (id_rsa.pub), and not the dss key (id_dsa.pub), use puttygen 0.70 and select RSA for the type of key generated, replace the public key on the host ~ /. Ssh / authorized_keys

After adding the key, log in as ec2-user if you are using an Amazon Linux machine