SSH with RSA2 Keys (Putty) "Server refused our key"

Hi Guys,
I tried to log in to my server with the public/private keys. But whatever I tried, it failed :confused:

[LIST]
[*]Client: Windows 8
[*]Server: SLES11
[*]Putty and Puttygen
[/LIST]

On my Windows Client, I generated my public and private keys with puttygen and copied the public key into the authorized_keys file in my home directory

/home/user/.ssh/authorized_keys

This is my public key:

[CODE]---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20141203"
AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5X
EeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7
kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0
LVgDEIc=
---- END SSH2 PUBLIC KEY ----[/CODE]

So, I read that I have to remove the first two lines and the last one and add on the first line a "ssh-rsa "

That is what I have now:

[CODE]ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5XEeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0LVgDEIc=[/CODE]

All in one line.
And I made these changes:

[CODE]chmod 700 /.ssh
chmod 600 /.ssh/authorized_keys[/CODE]

In Putty I select my private key file and try to log in, but the server sends a "Server refused our key" and I don't know what I have to do…

I took a look at my sshd_config and tried to change some options:

The SSHD_config:

[CODE]#	$OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile ~/.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib64/ssh/sftp-server

# This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
[/CODE]

A reload/restart of sshd doesn't change anything. What can I do? Where is my mistake? I have no idea…

Thank you in advance :slight_smile:
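The conversion the post describes (drop the BEGIN/END and Comment lines, join the base64 and put "ssh-rsa " in front) is the same thing PuTTYgen shows in its "Public key for pasting into OpenSSH authorized_keys file" box, and what `ssh-keygen -i -f key.pub` does on the server (RFC 4716 is its default import format). The script below is an added example and not code from the post: it parses the RFC 4716 file PuTTYgen writes, takes the key type from the decoded blob instead of assuming it, and then checks the resulting line for the faults that make sshd skip a key without telling the client anything: a carriage return left over from a Windows editor, a type word that disagrees with the blob, or base64 that does not decode. The embedded key is the one posted above, stored here with CRLF line ends as a Windows editor leaves them; the function and constant names are the example's own.

```python
"""Convert a PuTTYgen "SSH2 PUBLIC KEY" export (RFC 4716) into one OpenSSH
authorized_keys line and check it the way sshd will read it.
Added example for this thread, not code from the original post."""
import base64
import struct

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"

# The key posted in the question, with CRLF line ends as a Windows editor
# leaves them; a '\r' that survives into authorized_keys is enough for sshd
# to refuse the key.
PUTTYGEN_EXPORT = "\r\n".join([
    BEGIN_MARKER,
    'Comment: "rsa-key-20141203"',
    "AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5X",
    "EeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7",
    "kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0",
    "LVgDEIc=",
    END_MARKER,
]) + "\r\n"


def read_ssh_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def decode_blob(blob_b64):
    """Decode the base64 column into (key_type, [mpint, ...]); for ssh-rsa
    the mpints are e and n, in that order (RFC 4253 section 6.6)."""
    blob = base64.b64decode(blob_b64, validate=True)
    key_type, off = read_ssh_string(blob, 0)
    fields = []
    while off < len(blob):
        raw, off = read_ssh_string(blob, off)
        fields.append(int.from_bytes(raw, "big"))
    return key_type.decode("ascii"), fields


def rfc4716_to_authorized_keys(text):
    """Drop the BEGIN/END lines and headers, join the base64 body and prefix
    the key type read from the blob itself. A header value ending in a
    backslash continues on the next line (RFC 4716 section 3.3)."""
    lines = [l.strip() for l in text.replace("\r", "\n").split("\n")]
    lines = [l for l in lines if l]
    if len(lines) < 3 or lines[0] != BEGIN_MARKER or lines[-1] != END_MARKER:
        raise ValueError("not an RFC 4716 public key file")
    headers, body = {}, []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:            # base64 never contains ':'
            name, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\") and i + 2 < len(lines):
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[name.strip().lower()] = value.strip('"')
        else:
            body.append(line)
        i += 1
    blob_b64 = "".join(body)
    key_type, _ = decode_blob(blob_b64)
    comment = headers.get("comment", "")
    return " ".join(part for part in (key_type, blob_b64, comment) if part)


def check_authorized_keys_line(line):
    """Reasons sshd would skip this line; an empty list means it parses."""
    problems = []
    if "\r" in line:
        problems.append("carriage return present (file written with CRLF)")
    parts = line.strip().split()
    if len(parts) < 2:
        return problems + ["expected '<type> <base64> [comment]'"]
    declared, blob_b64 = parts[0], parts[1]
    try:
        key_type, _ = decode_blob(blob_b64)
    except ValueError as exc:                   # binascii.Error is a ValueError
        return problems + ["key blob does not decode: %s" % exc]
    if key_type != declared:
        problems.append("type word is %r but the blob encodes %r"
                        % (declared, key_type))
    return problems


def rsa_modulus_bits(line):
    """Modulus size of an ssh-rsa authorized_keys line, 0 for other types."""
    key_type, fields = decode_blob(line.split()[1])
    return fields[1].bit_length() if key_type == "ssh-rsa" else 0


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else PUTTYGEN_EXPORT
    converted = rfc4716_to_authorized_keys(source)
    print(converted)                            # paste this into authorized_keys
    for problem in check_authorized_keys_line(converted):
        print("problem:", problem, file=sys.stderr)
    print("RSA modulus bits:", rsa_modulus_bits(converted), file=sys.stderr)
```

Run it with the exported file as its only argument and append stdout to the server's authorized_keys. The posted key is 1024-bit RSA; sshd accepts it, but regenerate at 2048 bits or more before relying on it. On the server, `cat -A ~/.ssh/authorized_keys` shows a stray carriage return as `^M`, and `ssh-keygen -l -f` on a file holding just that line prints its fingerprint only when the line is intact.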

Get debug output from Putty to perhaps help; point #4 on this page:

http://www.thegeekstuff.com/2009/07/10-practical-putty-tips-and-tricks-you-probably-didnt-know/

For convenience:

PuTTY Trick 4: View PuTTY Event log

When you are logged-in to a PuTTY SSH session, right mouse-click on the
PuTTY window title, which will display PuTTY menu. Select ‘Event Log’
menu-item, which will display the following PuTTY event log window.

This will be very helpful to debug any PuTTY SSH session issues.

It may also be useful to do a simple test on the server itself to ensure
that public key authentication works on that side; as some user on the
system (non-root preferably):

[CODE]ssh-keygen -t rsa
# press [enter] a bunch of times; ignore the passphrase for now

# Copy new key to the "server", even though it's this same box
ssh-copy-id -i ~/.ssh/id_rsa localhost

# Try to login with the key
ssh -i ~/.ssh/id_rsa localhost[/CODE]

–
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

On 03/12/2014 12:24, nase1337 wrote:
[color=blue]

I tried to log in to my server with the public/private keys. But whatever
I tried, it failed :confused:

  • Client: Windows 8
  • Server: SLES11
  • Putty and Puttygen

On my Windows Client, I generated my public and private keys with
puttygen and copied the public key into the authorized_keys file in my
home directory

Code:

 /home/user/.ssh/authorized_keys

This is my public key:

Code:

 ---- BEGIN SSH2 PUBLIC KEY ----

Comment: “rsa-key-20141203”
AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5X
EeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7
kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0
LVgDEIc=
---- END SSH2 PUBLIC KEY ----

So, I read that I have to remove the first two lines and the last one
and add on the first line a "ssh-rsa "

That is what I have now:

Code:

 ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5XEeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0LVgDEIc=

All in one line.[/color]

The above all sounds and looks okay. Which type of key did you choose to
generate? Depending on the version of PuTTYgen you’re using (latest is
0.63) the default is either SSH-1 (RSA) or SSH-2 (RSA).
[color=blue]

And I made these changes:

Code:

 chmod 700 /.ssh

chmod 600 /.ssh/authorized_keys
--------------------[/color]

As written, the above would not do anything to
/home/user/.ssh/authorized_keys as it would deal with the .ssh directory
in / not /home/user/ or ~.
[color=blue]

In Putty I select my private key file and try to log in, but the server
sends a "Server refused our key" and I don't know what I have to
do…[/color]

If the key was copied to the .ssh directory within the home directory of
the user you’re trying to log in as that should still be okay despite
your two odd chmod commands above.
[color=blue]

I took a look at my sshd_config and tried to change some options:[/color]

I’m guessing (hoping) that you’ve written changed things in UPPERCASE to
highlight them here but that’s not actually the case with the actual
/etc/ssh/sshd_config file itself?!
[color=blue]

The SSHD_config:

Code:

#	$OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
PROTOCOL 2[/color]

This is the default.
[color=blue]

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAUTHENTICATION YES
PUBKEYAUTHENTICATION YES[/color]

These are the defaults.
[color=blue]

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AUTHORIZEDKEYSFILE ~/.SSH/AUTHORIZED_KEYS[/color]

If this is as written then it’s looking for a file called
AUTHORIZED_KEYS (not authorized_keys) within .SSH (not .ssh) directory
of user’s home directory - case is important.
[color=blue]

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib64/ssh/sftp-server

# This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

A reload/restart of sshd doesn't change anything. What can I do? Where
is my mistake? I have no idea…[/color]

How I use SSH keys to authenticate to servers is to generate a public key
and copy it to .ssh/authorized_keys (as you've done) with the private key
saved on the workstation. I then run Pageant at startup against that private
key, which prompts me for my passphrase and unlocks the key. After that
I can SSH to any server I've copied my public key to as a particular user.

HTH.

Simon
SUSE Knowledge Partner


If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
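Simon's two findings (the chmod that changed /.ssh rather than ~/.ssh, and the case-sensitive AuthorizedKeysFile path) are exactly what sshd evaluates under StrictModes before it even looks at the key, and a failure there reaches PuTTY only as "Server refused our key". The script below is an added example, not code from the thread: it resolves an AuthorizedKeysFile value for one user the way sshd_config(5) describes (only %%, %h and %u are substituted, and a relative path is anchored at the home directory; `~` is not a defined token, so `.ssh/authorized_keys` or `%h/.ssh/authorized_keys` are the safe spellings) and then repeats the ownership and mode walk OpenSSH performs in secure_filename(): the file and every directory from its parent up to the home directory must belong to the user or root and must not be group- or world-writable. The throwaway home directory it builds is constructed sample data, and the function names are the example's own.

```python
"""Audit an authorized_keys path the way sshd does with StrictModes on (the
default; it is only commented out in the config above). Added example for
this thread, not code from the posts: it redoes the AuthorizedKeysFile
expansion and the ownership/mode walk of OpenSSH's secure_filename()."""
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITABLE = 0o022


def expand_authorized_keys_file(setting, home, user):
    """Substitute %%, %h and %u (the only tokens sshd_config(5) defines here)
    and anchor a relative result at home. '~' is not a token; left alone."""
    out, i = [], 0
    while i < len(setting):
        if setting[i] == "%" and i + 1 < len(setting):
            tokens = {"%": "%", "h": home, "u": user}
            out.append(tokens.get(setting[i + 1], setting[i:i + 2]))
            i += 2
        else:
            out.append(setting[i])
            i += 1
    path = "".join(out)
    return path if path.startswith("/") else os.path.join(home, path)


def ownership_or_mode_problem(st, what, uid):
    """The two conditions secure_filename() rejects for a file or directory."""
    if st.st_uid not in (0, uid):
        return "bad ownership for %s: owned by uid %d" % (what, st.st_uid)
    if st.st_mode & GROUP_OR_WORLD_WRITABLE:
        return "bad modes for %s: %s" % (what, oct(stat.S_IMODE(st.st_mode)))
    return None


def strict_modes_problems(path, home, uid):
    """Everything sshd would refuse about path; empty list means it is read."""
    problems = []
    if path.startswith("~") or "/~" in path:
        problems.append("%s contains '~'; use %%h or a home-relative path" % path)
    try:
        st = os.stat(path)
    except OSError as exc:
        return problems + ["cannot stat %s: %s" % (path, exc.strerror)]
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    msg = ownership_or_mode_problem(st, "file " + path, uid)
    if msg:
        problems.append(msg)
    # Walk from the parent directory upwards; stop once home (or /) is checked.
    home = os.path.realpath(home)
    d = os.path.dirname(os.path.realpath(path))
    while True:
        msg = ownership_or_mode_problem(os.stat(d), "directory " + d, uid)
        if msg:
            problems.append(msg)
        if d in (home, os.path.dirname(d)):
            break
        d = os.path.dirname(d)
    return problems


def audit(home, user, setting=".ssh/authorized_keys", uid=None):
    """Resolve the AuthorizedKeysFile setting for one user and audit it."""
    uid = os.getuid() if uid is None else uid
    path = expand_authorized_keys_file(setting, home, user)
    return strict_modes_problems(path, home, uid)


def fix_modes(home):
    """The remediation the question reached for, on the right paths this time."""
    os.chmod(home, stat.S_IMODE(os.stat(home).st_mode) & ~GROUP_OR_WORLD_WRITABLE)
    ssh_dir = os.path.join(home, ".ssh")
    os.chmod(ssh_dir, 0o700)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(keyfile):
        os.chmod(keyfile, 0o600)


def make_demo_home():
    """Constructed sample: a throwaway home with a group/world-writable ~/.ssh."""
    home = tempfile.mkdtemp(prefix="strictmodes-demo-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    with open(keyfile, "w") as f:
        f.write("# demo file, not a real key\n")
    os.chmod(ssh_dir, 0o777)
    os.chmod(keyfile, 0o600)
    return home


if __name__ == "__main__":
    import pwd
    import sys
    me = pwd.getpwuid(os.getuid())
    home = sys.argv[1] if len(sys.argv) > 1 else me.pw_dir
    for line in audit(home, me.pw_name, uid=me.pw_uid) or ["ok"]:
        print(line)
```

Run it on the server as the user who is being refused (optionally with another home directory as the argument). When it reports nothing, the decisive next step is on the server side rather than in PuTTY: start a second daemon in the foreground on a spare port with its absolute path, `/usr/sbin/sshd -d -p 2222`, point PuTTY at that port, and the debug output states the exact reason the key was rejected; the same refusal is logged through syslog's AUTH facility, typically /var/log/messages on SLES 11.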