ssh connection

i install ssh in ubuntu. i start services and it's  runnig. idisabled firewall. i add keygen in authorized_keys.
ssh <ip_host> says  Permission denied (publickey).
Jasmin shahrzadAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David MundtDirector of Information TechnologyCommented:
What OS are you trying to ssh from?
0
Jasmin shahrzadAuthor Commented:
ubuntu 14.
0
Jasmin shahrzadAuthor Commented:
i install ubuntu 17 and ssh then i try to ssh from ubuntu 14.
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

David MundtDirector of Information TechnologyCommented:
This has happened to me before but on a Mac and I think I had to run ssh from the directory I stored the key in.
0
Gerwin Jansen, EE MVETopic Advisor Commented:
@David Mundt - it does not matter at all from which directory you run ssh

@Jasmin shahrzad
>> i add keygen in authorized_keys
What did you add exactly where on the Ubuntu 17 system? What is file security on the authorized_keys file?

Basically you just use keygen on the Ubuntu 14 system and transfer the public key to the authorized_keys file on the Ubuntu 17 system, in the user's home directory under the .ssh folder.

Then try connecting using ssh ubuntu17user@ubuntu17system from the Ubuntu 14 system
0
Jasmin shahrzadAuthor Commented:
not help. i still get error.
0
David MundtDirector of Information TechnologyCommented:
what are the permissions on the key file?
0
Jasmin shahrzadAuthor Commented:
Yes i keyscan in ubuntu 14 and  then i have push in known_host  and i add keygen from user to authorized file i ubuntu 14. i did the same
in ubuntu 17.
then from ubuntu 14 say ssh user@ip  
it says: The authenticity of host 'ip(ip)' can't be established.
/var/log/auth.log in ubuntu 17 says : session is closed by root

/var/log/auth.log in ubuntu 14 says:
CRON[19585]: pam_unix(cron:session): session closed for user root
0
nociSoftware EngineerCommented:
did you install the public key on the target host?
and the private key in the local system (.ssh/id.... ( depending on use idrsa, iddsa etc.)
Also both keys need to be owned by the user that you login as, and the security should be 600 (Owner read/write only).
0
Jasmin shahrzadAuthor Commented:
no i don't . is ther any document for step by step ?
0
nociSoftware EngineerCommented:
man page for ssh-keygen has a description:

https://linux.die.net/man/1/ssh-keygen
0
Jasmin shahrzadAuthor Commented:
i create public key and private key is under /home/user/.ssh and it have a 600 permission.
i still get the permission denied (publickey).
0
gelonidaCommented:
As I'm jumping qutie late in into this question, some very basic assumptions / questions:

Please correct me whenever I'm wrong.
You can als give me the real names/vales for an easier discussion f you don't mind, but it's not essential

Some Assumptions:
A1.) you have one machine (machine14) with ubuntu 14 and one machine (machine17) with ubuntu 17.
A2.) on machine14 you installed openssh server
A3.) you are one user (e.g. "user1") on machine14
A4.) you want to connect from user1@machine14 to another user on machine17 (e.g. "user2")
A5.) the private key pair that you created is saved in for user1@machine17 $HOME/.ssh/id_rsa and $HOME/.ssh/id_rsa.pub
A6.) you copied the public key file int $HOME/.ssh/authorized_keys of user2@machine14
A7.) you created the private keypair on ubuntu17 ( $HOME/.ssh/id_rsa and $HOME/.ssh/id_rsa.pub) with the command ssh-keygen, confirmed all defaults with enter (except the password)

Now some questions:
Q1) did you ever try to connect from machine14 as user2 to machine14  as user2 with password
Q2.) did you ever try to create a private keypair as user2 on machine14 and connect to yourself with this key pair
Q3.) Did you check the permissions of the private key file on machine17 (and also all the permissions up to '/')
Example:
ls -ld $HOME/.ssh/id_rsa $HOME/.ssh $HOME /home /

Open in new window



You should see that only root or you has write permissions on all entries
and that only you can read  $HOME/.ssh/id_rsa

Q4: Did you check file permissions for $HOME/.ssh/authorized_keys and all higher level directories on machine14
 ls -ld /home/klausf/.ssh/authorized_keys $HOME/.ssh $HOME /home /

Open in new window


You should see that only root or you has write permissions on all entries

Q5: is this the command, that you tried on machine17 to connect to machine14
ssh user1@machine14

you might try

ssh -v user1@machine14

Open in new window

or even
ssh -vv user1@machine14

Open in new window

to get a little more output
0
nociSoftware EngineerCommented:
@gelonida:
Please be more carefull about access advice.... (Q4)
for /home root should be the user and others should have only read or even just exec rights on that directory. (read would allow listing directories to find more directories that could be accessed, exec right will only allow passage)...

so:
 chown root:root /home && chmod 711 /home     # or drwx--x--x   root root ...  /home.
is the right state...  the group may vary here depending on security settings.

The users directory should show user as the owner of the directory   probably with either 700 or 710 (with some group setting) possibly even 750  / 770 to allow access to group members.
the .ssh directory should be owned by the user and 700 protection. (drwx------).
The same holds for most file in there...  Only the public key (not used from here) may have 644 (-rw-r--r--)
and the same hold for known_hosts.

The group & world rights MUST BE 0 (---) for almost all files within the .ssh directory.
0
Jasmin shahrzadAuthor Commented:
observ:
user1@ubun14 from ubunt 14 is ok
user1@ubunt17 from ubuntu17 not ok (permission denied (publickey)


ssh -vv user1@ubuntu17
OpenSSH_7.5p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "user1.ubuntu17" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to user1.ubuntu17 [IP] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user1/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Ubuntu-10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5p1 Ubuntu-10
debug1: match: OpenSSH_7.5p1 Ubuntu-10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to user1.ubuntu17:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:eR3zHSczFfbqkvWpDZ2qPKLtrlv7rgnAOo6d0lrbjJ0
debug1: Host 'user1.ubuntu17' is known and matches the ECDSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:5
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/user1/.ssh/id_rsa (0x56236c7004c0)
debug2: key: /home/user1/.ssh/id_dsa ((nil))
debug2: key: /home/user1/.ssh/id_ecdsa ((nil))
debug2: key: /home/user1/.ssh/id_ed25519 ((nil))
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
0
serialbandCommented:
Where did you put your private key?  It's looking specifically in /home/user1/.ssh/ and can't find the
.
.
.
-debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
.
.
.
0
Jasmin shahrzadAuthor Commented:
All the files is on /home/user1/.ssh/

-rw-rw-r-- 1 user1 user1 authorized_key
-rw--------- 1 user1 user1 ida_rsa
-rw-r--r--   1 user1 user1 ida_rsa.pub
-rw-r--r--   1 user1 user1 known_host

and debug ask for all of them.
0
Gerwin Jansen, EE MVETopic Advisor Commented:
1. authorized_key must be named authorized_keys - use: mv authorized_key authorized_keys
2. security on authorized_keys must be 600 instead of 664 - use: chmod 600 authorized_keys
0
gelonidaCommented:
@noci:

I think you misinterpreted my access question. You are completely right with your comments. However my goal was a completely different one. I just mentionedthe absolute minimum to keep ssh happy.

@Jasmin shahrzad:

can you please send the output of following command:
ls -ld $HOME/.ssh/id_rsa $$HOME/.ssh/authorized_keys HOME/.ssh $HOME /home /

Open in new window

pls execute this command once on each host.


I assume you executed the command:

Open in new window

on ubuntu17 as user1, right?

As you see in your trace:
ssh tries to find the private key, that you created with ssh-keygen:



the interesting lines in your trace:

 debug1: identity file /home/user1/.ssh/id_rsa type 1
# this (the trailing 1) means the file was found

 debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
# this (the trailing -1) means the file was NOT found

 debug1: Authenticating to user1.ubuntu17:22 as 'user1'
# here you see as which user you want to connect to which machine. (I'm just a little confused about the hostname user1.ubuntu17)

 debug1: Host 'user1.ubuntu17' is known and matches the ECDSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:5
# means, that you connected (or tried to connect) already to this host

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user1/.ssh/id_rsa
# your client tried to authenticate with your key file

The fact, that the following lines are
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user1/.ssh/id_dsa
debug1: Trying private key: /home/user1/.ssh/id_ecdsa
debug1: Trying private key: /home/user1/.ssh/id_ed25519
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.

tells you, that the key was not accepted and that ther is no other

Are you sure, that the contents of your client's ~/.ssh/id_rsa.pub has been added correctly to the target server's
~/.ssh/authorized_keys?


You can try following on ubuntu17
mv $HOME/.ssh/authorized_keys $HOME/.ssh/authorized_keys.backup
cp $HOME/.ssh/id_rsa.pub $HOME/.ssh/authorized_keys

and retry to a connect
0
gelonidaCommented:
Oops: I saw the comment of Gerwin Jansen, EE MVE just after having posted.

Yes indeed. the file has the wrong name and is therefore not looked at.
0
Jasmin shahrzadAuthor Commented:
@gelonida,
is not a case. i just type the wrong name. the file name is authorized_keys.

result of command 1: is

drwxr-xr-x 23 root   root   4096 Jan 10 09:33 /
drwxr-xr-x  3 root   root   4096 Jan  9 14:54 /home
drwxr-xr-x 18 user1 user1 4096 Jan 12 08:17 /home/user1
drwx------  2 user1 user1 4096 Jan 12 08:17 /home/user1/.ssh
-rw-rw-r--  1 user1 user1  776 Jan 10 14:52 /home/user1/.ssh/authorized_keys
-rw-rw-rw-  1 user1 user1 1766 Jan 11 16:07 /home/user1/.ssh/id_rsa
0
Jasmin shahrzadAuthor Commented:
@gelonida,
i cp id_rsa.pub authorizes_keys.
and correct the permission of id_rsa. chmod 600 .
now i can ssh fra ubuntu17 to selv.
ssh user1@ubuntu17
is login correct . but i can't ssh from ubuntu 14
ubuntu14> ssh user1@ubuntu17
Permission denied (publickey).
0
gelonidaCommented:
ok can you please type the ls command on host14 AND on host17

can you also type following command on both hosts and indicate clearly which one is whih host?

md5sum $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa.pu $HOME/.ssh/authorized_keys

Open in new window

0
Jasmin shahrzadAuthor Commented:
now i can ssh from ubuntu 17 and login to ubuntu 14

ubuntu17 > ssh user2@ubuntu14
then connect
... ...
but reverse from ubuntu 14 to 17 can't

ubuntu14 > ssh user1@ubuntu17
Permission denied (publickey).
on ubuntu 14  user1@ubuntu17  is in authorized_keys  (the same key is copied from id_rsa.pub)
but i don't have id_rsa or id_rsa.pub from any of ubuntu14 and i can connect to any of them with ssh!
0
Jasmin shahrzadAuthor Commented:
from ubuntu 17:
5e2d7a2ce9e2de1c819afec9a3d27ad8  /home/user1/.ssh/id_rsa
md5sum: /home/user1/.ssh/id_rsa.pu: No such file or directory
adb6bf6e095afe6b9539cc739cc6f891  /home/user1/.ssh/authorized_keys
"i have a file id_rsa.pub but not id_rsa.pu

from ubuntu 14:
md5sum: /home/user2/.ssh/id_rsa: No such file or directory
md5sum: /home/user2/.ssh/id_rsa.pu: No such file or directory
0703a9362bfc561af5e21ef56b47cccf  /home/user2/.ssh/authorized_keys
0
Jasmin shahrzadAuthor Commented:
sorry it was me.
on ubuntu14
md5sum: /home/user2/.ssh/id_rsa: No such file or directory
md5sum: /home/user2/.ssh/id_rsa.pub: No such file or directory
0703a9362bfc561af5e21ef56b47cccf  /home/user2/.ssh/authorized_keys

and 17
5e2d7a2ce9e2de1c819afec9a3d27ad8  /home/user1/.ssh/id_rsa
90a9182b09079f734c41deefa9ab936 /home/user1/id_rsa.pub
0703a9362bfc561af5e21ef56b47cccf  /home/user2/.ssh/authorized_keys
0
gelonidaCommented:
but reverse from ubuntu 14 to 17 can't

This is normal as you showed the file ~/.ssh/id_rsa does not exist on  14


id_rsa is the private key file, that is required in the client machine.
on the target machine you have to have a line with the correspunding id_rsa.pub in the file authorized_keys

If you copy the file id_rsa from the 17 machine to the 14 machine you should be able to ssh.


As I don't know your context as all.

If both machines (14 and 17) are your machines and you trust both of them, then you can place the same ~/.ssh/id_rsa on both machines.

In many other cases it is better you create your own ~/.ssh/id_rsa on each machine and add a line with the coresponding id_rsa.pub to the ~/.ssh/authorized_keys file of the machine you want to connect to.
0
Jasmin shahrzadAuthor Commented:
Do you mean copy id_rsa from 17 to known_host in 14? or what?
0
serialbandCommented:
No, id_rsa is the private key.  You should use the public key, id_rsa.pub.  Also, although you could copy those keys to the other system.  You should generate new keys with ssh-keygen.
0
Jasmin shahrzadAuthor Commented:
ok i just confuse. i generate ssh-keygen i 17 and copy it to known_host in 14?
0
serialbandCommented:
Yes.  Both systems should have their own sets of keys.
0
nociSoftware EngineerCommented:
2nd to that. Each system you own should have it's own private key, consequently all other systems that you need to access need the public key registered as one of the allowed keys.
0
gelonidaCommented:
Do you mean copy id_rsa from 17 to known_host in 14? or what?

Yes this is in one option.

However it really depends on your setup and how paranoid you are / want to be in your specific context. In case of doubt it's safer to use two separate keys.

As serialband and noci stated:
The safer  / more common  / professional approach  is to have one id_rsa / id_rsa.pub pair for each individual machine / user and to add the corresponding pub keys  to the ~/.ssh/authorized_keys file of the hosts you want to connect to.

If you use the identical id_rsa on both machines, then both servers will be compromised if one of them is hacked. This might or might not be acceptable in your context.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
nociSoftware EngineerCommented:
I found out yesterday there is some tools with ssh to handle part of the hard job for you ....

ssh-keygen   to create the right key pair...
then
ssh-copy-id -i keyid user@remote.system

for the default key use keyid = id_dsa or id_rsa (depending on which you chose to generate)
if ssh-keygen was used with -f keyid    then keyid is the right keyword.
Obviously for passwordless logons you need no password on the secret key.

will handle the nitty gritty details.  (that could have helped me in that past a few times).....
Hope this can still help.
0
Jasmin shahrzadAuthor Commented:
Tnx. it's running now
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.