SSH Access - Authentication Failed: The key has been rejected
Hi,
I'm trying to connect to my server via SSH however it's failing to connect.
We've done the following: Edited the file:
Updated PermitRootLogin to No:
Updated SSH port:
Modified ConfigServer Firewall
Added Wheel:
Added the user to the "wheel group" via:
Added SSH Public Key via WHM
Added SSH Public Key via Terminal / authorized_keys file:
Copied my SSH key into the file:
Restarted SSH:
Bitvise SSH Client - The connection details are as follows: - It will accept the following key exchanges, host keys, encryptions, data integrities and compressions: I can't figure out why the authentication is failing... anyone know what I am doing wrong? Thanks
19:27:12.248 Started a new SSH session.
19:27:12.266 Connecting to SSH server IP HERE:987.
19:27:12.446 Connection established.
19:27:12.650 Server version: SSH-2.0-OpenSSH_7.4
19:27:12.650 First key exchange started. Cryptographic provider: Windows CNG (x86) with additions
19:27:13.037 Received host key from the server. Algorithm: RSA, size: 2048 bits, SHA-256 fingerprint: xgHrBQBceI3Su7.
19:27:13.057 First key exchange completed using Curve25519. Session encryption and integrity: aes256-gcm, compression: none.
19:27:13.227 Attempting publickey authentication. Testing client key 'Profile 1' for acceptance.
19:27:13.432 Authentication failed. The key has been rejected. Remaining authentication methods: 'publickey,gssapi-keyex,gssapi-with-mic'.We've done the following: Edited the file:
vi /etc/ssh/sshd_configUpdated PermitRootLogin to No:
PermitRootLogin noUpdated SSH port:
Port 987Modified ConfigServer Firewall
WHM --> Plugins --> ConfigServer Security & Firewall --> Firewall Configuration --> TCP_IN and add the port 987Added Wheel:
adduser deployAdded the user to the "wheel group" via:
WHM --> Security Center --> Manage Wheel Group Users --> Selected "Deploy" and click "Add to Group".Added SSH Public Key via WHM
WHM --> Security --> Manage root"s SSH Keys --> Import Key --> Set a name for the key, add the key passphrase, paste the public key into the second box --> Import.WHM --> Security --> Manage root"s SSH Keys --> Manage Authorization --> AuthorizeAdded SSH Public Key via Terminal / authorized_keys file:
nano /home/deploy/.ssh/authorized_keysCopied my SSH key into the file:
ssh-rsa HEREISMYHASH RyanRRestarted SSH:
/etc/init.d/sshd restartBitvise SSH Client - The connection details are as follows: - It will accept the following key exchanges, host keys, encryptions, data integrities and compressions: I can't figure out why the authentication is failing... anyone know what I am doing wrong? Thanks
-
Update on things I've tried Disabled Firewall: - Disabling ConfigServer Firewall by both turning it off and by uninstalling it. Checked SSH Key: - I installed my SSH key on to a different, unrelated server and it connected just fine. - I checked that the SSH configuration file accepted RSA keys, which it did. - I tried an RSA key, ecdsa key, ed25519 key and all 3 failed Generating a SSH Key via WHM: - I imported the key into my Bitvise SSH client but it still failed to connect Edited the file: vi /etc/ssh/sshd_config
Tried Protocols 1 and 2:Protocol 2,1
Tried to "AllowUsers" within the SSH configuration:AllowUsers deploy
Checked Authorized Keys Permissions: - .ssh has a permission of 700 - authorized_keys ahs a permission of 600 Checked the server logs with a login from "root"sshd[1527417]: User root from x.x.x.x not allowed because not listed in AllowUsers sshd[1527417]: input_userauth_request: invalid user root [preauth]
Checked the server logs with a login from "deploy"sshd[1527417]: error: Received disconnect from x.x.x.x port 55887:13: User request [preauth] sshd[1527417]: Disconnected from x.x.x.x port 55887 [preauth] sshd[1529799]: error: Received disconnect from x.x.x.x port 55967:13: User request [preauth] sshd[1529799]: Disconnected from x.x.x.x port 55967 [preauth]
^ I'm not sure why it's showing port 55967... we connect over port 987 Copy of my sshd_config:# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # Port 987 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile %h/.ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # problems. UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server UseDNS no DenyGroups cpaneldemo cpanelsuspended Protocol 2 AllowUsers deploy0 -
Do you have the Linux subsystem in Windows installed? If so, can you try connecting using the shell? For example, if I connect eg ssh Travis@IP Address -p 1234 I am logged in without having to enter a password because key authentication has been set up properly. 0 -
Hi Ryan, You will most likely have a better error message in your /var/log/secure logfile :) I assume you created the user's .ssh directory and authorized_keys file "manually"? What ownership and permissions did you give them? Also note that the "Manage root"s SSH Keys" in WHM is (obviously) just for the root user - and therefore not necessary if you just want the keys authorized for the "deploy" user ;) 0 -
I was going to note that the first I see with this is that you've used roots SSH keys. Because you created the user manually you'll need to add the SSH key manually as well, managing Root's SSH Keys only adds the key and authorizes it for the root user. There is an interface that matches this one for cPanel users but because you've added the user manually without a cPanel account you won't be able to do this. The key for the user you created needs to be stored in /home/$user/.ssh/
so in your case/home/deploy/.ssh/
Here are the steps I performed to make this happen for an account I added which has no associated cPanel account: On your local machine- On my Mac terminal I ran the following command:
ssh-keygen
- Here is the output (I chose not to use a password)
ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/Users/macuser/.ssh/id_rsa): myuser Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in myuser. Your public key has been saved in myuser.pub.
(I cut out the fingerprint and randomart image from my output here) - In the home directory for the user I created I ran
su myuser
to do the rest of this as the user (I am logged in as root)
- create the .ssh directory as it isn't present by default
mkdir .ssh
- change its permissions to 700
chmod 700 .ssh
- There are a few different ways you can do this s
- Manually Copy - this is the method I used.
- The key needs to reside in
authorized_keys
for your account so you'll run the following to create that filetouch authorized_keys
- Run the following on your local machine to view the public key string for the key (I used my mac so the path may be different for you but it was output when you created the key)
cat /Users/macuser/.ssh/myuser.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1cBQtMclCJMvcQrF2qBTgdENFAmJA3rybjhK6yZDKi4zM8dsuPaZtqgzxYxGl+rojCddp8MwxAJEyDVimLhLEjzvGEzIxmCrkbXaGliuidQ+6aQGElB+rGFakO+zAd5BRJr16LdFQIyMc8BiWI1pLHITyXN+dfdsfSIFJDISOGhdgsS+W3R0wMMCsiVC89QzbmLV4dDDln2Cxv1vkR86O1fJJ1POmfxWWAJ7oaMabrgDPjsLPapIQYXATJk6mrrrbCsfsqF+5QVVPDHMpCpOzpudEGEnPfppqUut0OmxnyYr9TRZNOvIudX5kI2bJI0+w4gXE0cJYnHzMlSBvUT3nTRlkZ
(I've modified this text so It's not a valid key in case you were concerned about security) - Copy that output and paste it into authorized_users on the server. Or you can do what I did
echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1cBQtMclCJMvcQrF2qBTgdENFAmJA3rybjhK6yZDKi4zM8dsuPaZtqgzxYxGl+rojCddp8MwxAJEyDVimLhLEjzvGEzIxmCrkbXaGliuidQ+6aQGElB+rGFakO+zAd5BRJr16LdFQIyMc8BiWI1pLHITyXN+dfdsfSIFJDISOGhdgsS+W3R0wMMCsiVC89QzbmLV4dDDln2Cxv1vkR86O1fJJ1POmfxWWAJ7oaMabrgDPjsLPapIQYXATJk6mrrrbCsfsqF+5QVVPDHMpCpOzpudEGEnPfppqUut0OmxnyYr9TRZNOvIudX5kI2bJI0+w4gXE0cJYnHzMlSBvUT3nTRlkZ >> authorized_keys
- The key needs to reside in
- Test the login - I typically use the verbose (-v) or very verbose (-vv) flags to troubleshoot SSH related issues.
0 - On my Mac terminal I ran the following command:
Please sign in to leave a comment.
Comments
4 comments