# (SOLVED) ssh problem (Permission denied (publickey,keyboard

## nihilo

hi,

I have just emerged openssh and configured it as suggested in the ssh section of the gentoo linux security guide.  I have generated the keys using '/usr/bin/ssh-keygen -t rsa', and I have distributed the public key to the server from which I wish to connect, but I get a connection refused error message.  I have read through all the forums' ssh/sshd threads I could find, and don't know what else to try.  Google also was not much help.  Figuring that even if I couldn't connect remotely, I should be able to connect locally, I tried to do 'ssh nihilo@localhost', but I get the following error message:

```
nihilo@localhost authorized_keys $ ssh nihilo@localhost
Permission denied (publickey,keyboard-interactive).
```

The following is my /etc/ssh/sshd_config file:

```
# All of the following is from the Gentoo security howto
#Only enable version 2
Protocol 2
#No direct root access
PermitRootLogin no
#Turn on RSA key authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
#Disable .rhost files and normal password auth.
RhostsAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
#AllowHosts *.berkeley.edu
# I had to comment out the AllowHosts line, because it complained
# that it wasn't a valid configuration.
#Noone else than members of wheel or admin should have access
AllowGroups wheel admin
# nihilo belongs to wheel
#And 1 user
AllowUsers nihilo
#add logging level
SyslogFacility AUTH
LogLevel INFO
#bind
ListenAddress 127.0.0.1
```

Does anybody out there know what this error message means?

[EDIT Just noticed 4.5 years later that I didn't mark it solved  :Wink: ]

Last edited by nihilo on Wed Mar 14, 2007 8:47 pm; edited 1 time in total

----------

## zhenlin

Perhaps you forgot to add the public keys into the ~/.ssh/authorizedkeys of the remote users?

Maybe the local ssh client cannot support SSH2? Perhaps the passphrase is wrong?

----------

## Anubis

It's late, if you read my post before I edited it...disregard my stupidity before fully reading the post   :Very Happy:  .  

First, in order to connect locally you may want to make sure that sshd is running.

Also, it does look like you have ssh 2 enabled, in which case I'm not sure if you can connect using simply ssh instead of ssh -2 loginname address.  Again, I'm not certain on this but I think you might want to try the ssh -2.  Sorry I don't have time to fully test much of this...  But you may also (as stated above) want to make sure the server you're connecting to can handle ssh2.

You'll also want to make sure that your private key is in the .ssh directory on your server (although I believe you said this has already been checked).

----------

## nihilo

 *zhenlin wrote:*   

> Perhaps you forgot to add the public keys into the ~/.ssh/authorizedkeys of the remote users?
> 
> 

 

No, I added the public key to the ~/.ssh/authorized_keys directory of the remote user (and the local user for testing to localhost).

 *zhenlin wrote:*   

> 
> 
> Maybe the local ssh client cannot support SSH2? 

 

The local ssh client is openssh (latest version in portage), so that isn't the problem.

 *zhenlin wrote:*   

> 
> 
> Perhaps the passphrase is wrong?
> 
> 

 

I don't even get to enter the passphrase.  It just issues that error message before giving me a chance to enter a passphrase.

----------

## niqdanger

Do an

```
ssh -v hostname
```

and see the debugging output. It looks more like the client and server can't decide on a valid authentication mechanism. But the verbose output will give more info on that.

----------

## nihilo

 *niqdanger wrote:*   

> Do an
>
> ssh -v hostname
>
> and see the debugging output. It looks more like the client and server can't decide on a valid authentication mechanism. But the verbose output will give more info on that.

 

Here is the output with the verbose flag:

```
nihilo@localhost nihilo $ ssh -v localhost
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/nihilo/.ssh/identity type -1
debug1: identity file /home/nihilo/.ssh/id_rsa type 1
debug1: identity file /home/nihilo/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 1561/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/nihilo/.ssh/known_hosts:5
debug1: bits set: 1633/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/nihilo/.ssh/identity
debug1: try pubkey: /home/nihilo/.ssh/id_rsa
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: try privkey: /home/nihilo/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,keyboard-interactive).
debug1: Calling cleanup 0x80697c0(0x0)
nihilo@localhost nihilo $
```

----------

## fyerk

If you used the 'rsa' flag to generate your key instead of 'rsa1' try using authorized_keys2 instead of authorized_keys.

```
# cat id_rsa.pub >> $HOME/.ssh/authorized_keys2
```

----------

## nihilo

 *edge wrote:*   

> If you used the 'rsa' flag to generate your key instead of 'rsa1' try using authorized_keys2 instead of authorized_keys.
> 
> ```
> # cat id_rsa.pub >> $HOME/.ssh/authorized_keys2
> ```
> ...

 

I did as you suggested, but it didn't make a difference. Same error message.

----------

## nihilo

Here is some more information on my problem.  When I try to start sshd through 

```
/etc/init.d/sshd start
```

, it complains that 

```
 WARNING:  "sshd" has already been started.
```

 and when I do ps -e I notice that it isn't currently running, even though it was supposed to be started or already running.  I can start it with sshd, but then I run into the same problem that I mentioned above.

I think that I need to start it through the init.d script in order for certain settings to be set, but it always complains that it's already running, when it isn't, and fails to actually start it.  Does this mean anything to anybody?  I am working with a freshly emerged openssh 3.5_p1, and I am trying to use all the settings that were mentioned in the gentoo security howto at http://www.gentoo.org/doc/en/gentoo-security.xml (in particular, only Protocol 2 and using RSA for authentication).  Any help would be really appreciated.  This is my last problem to solve before I am in Linux bliss.

----------

## rac

Look in /etc/init.d/ssh for the start-stop-daemon line in start().  Try running that from the command line, but don't include "--quiet".  That may give you more information.  You can always force the rc-scripts to think that something isn't running with the "zap" option.

----------

## nihilo

 *rac wrote:*   

> Look in /etc/init.d/ssh for the start-stop-daemon line in start().  Try running that from the command line, but don't include "--quiet".  That may give you more information.  You can always force the rc-scripts to think that something isn't running with the "zap" option.

 

Thanks for the help.  The output was not very helpful.  There was no output at all, which means success, but then I am back in the same boat that I was in before, which is that the daemon is listening, but something goes wrong with the authentication:

```
nihilo@localhost nihilo $ ssh -v localhost
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/nihilo/.ssh/identity type -1
debug1: identity file /home/nihilo/.ssh/id_rsa type 1
debug1: identity file /home/nihilo/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 127/256
debug1: bits set: 1609/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/nihilo/.ssh/known_hosts:5
debug1: bits set: 1651/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive // everything seemed fine till here
debug1: next auth method to try is publickey
debug1: try privkey: /home/nihilo/.ssh/identity
debug1: try pubkey: /home/nihilo/.ssh/id_rsa
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: try privkey: /home/nihilo/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,keyboard-interactive).
debug1: Calling cleanup 0x80697c0(0x0)
```

----------

## rac

Does it work if you use DSA keys, generated with "ssh-keygen -t dsa"?

----------

## nihilo

 *rac wrote:*   

> Does it work if you use DSA keys, generated with "ssh-keygen -t dsa"?

 

No, I just tried that, and it issued the exact same error message.

----------

## nihilo

For the record, here is my sshd_config file:

```
root@localhost nihilo # cat /etc/ssh/sshd_config
# All of the following is from the Gentoo security howto
#Only enable version 2
Protocol 2
#No direct root access
PermitRootLogin no
#Turn on RSA key authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
#Disable .rhost files and normal password auth.
RhostsAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
#AllowHosts *.berkeley.edu
#Noone else than members of wheel or admin should have access
AllowGroups wheel admin
#And 1 user
AllowUsers nihilo
#add logging level
SyslogFacility AUTH
LogLevel INFO
#bind
ListenAddress 127.0.0.1
```

And yes, nihilo belongs to the wheel group, so that's not the problem.

----------

## kashani

Since this looks like it might be the definitive post of the subject I'll list all the stupid things I did the first time I tried to get it to work.

1. write out your pass phrase in a text editor, cut and paste it when you generate your key. This makes sure you don't fumble finger it.

2. include the "ssh-dss " or "ssh-rsa " line when you copy your key to the server.

3. use dsa, it's supposed to be better, and then use ~/.ssh/authorized_keys2, though in testing plain authorized_keys worked fine.

4. Make sure your entry into authorized_keys is on a single line. Cutting and pasting will break it up and it won't work. No extra spaces, lines, etc. In fact, if you can do it, scp your id_dsa.pub file over and rename it to authorized_keys.

5. Make sure the permissions are 600 on authorized_keys. sshd will usually bitch if the file permissions are too open IIRC.

6. ssh-agent doesn't work correctly in the Cygwin environment... at least the last time I tried.

7. I used an unmodified copy of /etc/ssh/sshd_config from a fresh emerge of openssh 3.5_p1 other than changing the protocol to 2 only and allow x11 forwarding.

8. Test the whole thing as a normal user, if things work you can move it over to root, turn off normal auth, etc.

9. [missed this the first time] Get it working first, THEN lock it down. Never ever ever lock down first and then figure out why it won't authenticate you. This is 16 hours of Postfix insanity after prematurely messing with config before testing that the basic config worked talking.

kashani, making mistakes so you don't have to.
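
The file-level items in the checklist above (2, 4 and 5) can be checked mechanically. The script below is an added example, not part of the original post: the function name `audit_authorized_keys` is hypothetical and the key blob in the sample files is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example: audit an authorized_keys file for the checklist mistakes.
# Prints one finding per line; returns 0 if nothing was found, 1 otherwise.
audit_authorized_keys() {
    file=$1
    findings=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # Item 5: with StrictModes (the sshd default) a key file that is group-
    # or world-writable, or that sits in such a directory, is not used.
    # Mode 600 on the file passes this check.
    for p in "$file" "$(dirname "$file")"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "perms: $p is group- or world-writable"
            findings=1
        fi
    done

    # Items 2 and 4: every entry must be ONE line holding a key type followed
    # by the base64 blob. SSH public key blobs start with "AAAA" and, being
    # padded base64, have a length divisible by 4. Only the common key types
    # are recognised here.
    bad=$(awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$") {
                    blob = $(i + 1)
                    ok = (blob ~ "^AAAA[A-Za-z0-9+/]+=*$" && length(blob) % 4 == 0)
                    break
                }
            if (!ok) print "format: line " NR " is not a complete <type> <base64-key> entry"
        }' "$file")
    if [ -n "$bad" ]; then
        echo "$bad"
        findings=1
    fi
    return "$findings"
}

# Constructed sample data (the blob is a made-up placeholder, not a real key).
demo_dir=$(mktemp -d)
blob=AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx
printf 'ssh-rsa %s nihilo@localhost\n' "$blob" > "$demo_dir/good"
# The same entry after a copy-and-paste wrapped it onto two lines:
printf 'ssh-rsa AAAAB3NzaC1yc2E\nAAAADAQABAAAAgQDx nihilo@localhost\n' > "$demo_dir/wrapped"
# The same entry copied without its "ssh-rsa " prefix:
printf '%s nihilo@localhost\n' "$blob" > "$demo_dir/noprefix"
chmod 600 "$demo_dir/good" "$demo_dir/wrapped" "$demo_dir/noprefix"

for f in good wrapped noprefix; do
    echo "== $f"
    audit_authorized_keys "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```
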

----------

## RagManX

First, I would attempt to get ssh working with passphrase authentication before attempting authorized keys.  As for sshd not in your process list but appearing as running via /etc/init.d/sshd stop, you can fix this.  First, start sshd manually from the command line, edit your /var/run/sshd.pid file to hold the correct process id for the newly started sshd, then execute the /etc/init.d/sshd stop command again.  I wish there was a --force option for those /etc/init.d scripts that would just silently do everything necessary as part of the stop command.  That way, if the start-stop-script command thinks something is running because a pid file exists in /var/run, it would just remove that and accept that the program is stopped.

RagManX

----------

## rac

 *RagManX wrote:*   

> I wish there was a --force option for those /etc/init.d scripts

 I don't know if it's exactly what you want, but there is 'zap'.

----------

## pikkumyy

Did you check /etc/hosts.allow and hosts.deny?

----------

## mr_b

Hm. I had a similar problem with mine. Whilst hunting around for an answer, I happened upon this post. None of these suggestions seemed to work for me, however a friendly IRC user suggested the following:

mv /etc/pam.d/sshd /etc/pam.d/sshd_some_backup_name

then

cp /etc/pam.d/login /etc/pam.d/sshd

After that (and a quick /etc/init.d/sshd stop; /etc/init.d/sshd start) everything worked sweetly once more. Just thought I would mention it here as it's possibly something that's not overt to people; certainly wasn't for me  :Smile: 

Cheers,

Rich.

----------

## rac

Thanks to mr_b's post, a light bulb went on in my head.  I diffed /etc/pam.d/login and /etc/pam.d/sshd, and one thing jumped out at me: 

```
auth       required     pam_shells.so
```

Is it possible that your user has no login shell?

----------

## nihilo

 *pikkumyy wrote:*   

> Did you check /etc/hosts.allow and hosts.deny?

 

My hosts.deny denies everything, and the hosts.allow allows the specific hosts that I want to allow.

----------

## nihilo

 *rac wrote:*   

> Thanks to mr_b's post, a light bulb went on in my head.  I diffed /etc/pam.d/login and /etc/pam.d/sshd, and one thing jumped out at me: 
> 
> ```
> auth       required     pam_shells.so
> ```
> ...

 

I tried mr_b's suggestion, and it didn't make a difference.  And the user does have a shell.

Right now, I can do password or dsa authentication from localhost, but nothing from a remote host.  All I am getting now is "connection refused":

```
dream% ssh -2 -p **** -l nihilo <ip_address>
ssh: connect to address <ip_address> port ****: Connection refused
dream%
```

I am using a non-standard port for ssh, but it is definitely the correct port, as it works when I substitute localhost for the ip_address.  However, if instead of trying ssh localhost, I substitute the ip address of my machine, then I get the same error message.

Here are the host files, in case anybody can recognize an error:

```
root@localhost etc # cat hosts.allow
ALL: LOCAL @wheel
ALL: 128.32.226.
sshd : 127.0.0.1 128.32.226.93 128.32.226.87 128.32.226.49
root@localhost etc # cat hosts.deny
ALL: ALL
```

Basically I just want to allow connections from the 128.32.226.0 network, specifically the three hosts I included on the sshd line, or from localhost for testing.

----------

## kashani

```
#add logging level
SyslogFacility AUTH
LogLevel INFO
#bind
ListenAddress 127.0.0.1
```

Since you only bound it to 127.0.0.1 it's not surprising that it doesn't work for any other IP address.

kashani

----------

## nihilo

 *kashani wrote:*   

> 
> 
> ```
> #add logging level
> ```
> ...

 

I wasn't sure what listening on that address meant.  I didn't think it meant listening for the address that it's bound to.  The man page for sshd_config says:

```
     ListenAddress
             Specifies the local addresses sshd should listen on.  The follow-
             ing forms may be used:
                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port
             If port is not specified, sshd will listen on the address and all
             prior Port options specified. The default is to listen on all
             local addresses.  Multiple ListenAddress options are permitted.
             Additionally, any Port options must precede this option for non
             port qualified addresses.
```

What local addresses should sshd listen on in order for me to be able to ssh in (only) from hosts in the 128.32.226.0 network (and localhost)? The man page doesn't say how to do multiple addresses.  Do I just put in every host, separated by whitespace, like other multiple values in the sshd_config file?  I tried just commenting out the ListenAddresses, which would default to listening on all local addresses, but that doesn't make a difference when I restart and try to connect from a remote host.

----------

## rac

 *nihilo wrote:*   

> What local addresses should sshd listen on in order for me to be able ssh in (only) from hosts in the 128.32.226.0 network (and localhost)?

 

Could you try just commenting that line out?  By default, it listens on all local addresses, which would include both 127.0.0.1 and whatever the externally visible IP address is for that host.

----------

## nihilo

 *rac wrote:*   

>  *nihilo wrote:*   What local addresses should sshd listen on in order for me to be able ssh in (only) from hosts in the 128.32.226.0 network (and localhost)? 
> 
> Could you try just commenting that line out?  By default, it listens on all local addresses, which would include both 127.0.0.1 and whatever the externally visible IP address is for that host.

 

Yeah, I did comment it out, but it didn't make a difference.

----------

## Carlo

 *rac wrote:*   

> Thanks to mr_b's post, a light bulb went on in my head.  I diffed /etc/pam.d/login and /etc/pam.d/sshd, and one thing jumped out at me: 
> 
> ```
> auth       required     pam_shells.so
> ```
> ...

 

Thanks! That was my problem, with newly created users. Just chsh USER, enter a shell and the ssh login will work.

Carlo

----------

## nihilo

Success at last.  Thanks for the help everybody.  It was the address being bound to 127.0.0.1 that was the problem -- well, the last problem, at least. Uncommenting that line, it works fine now using only dsa authentication.
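
The `ListenAddress` and `Port` rules from the man page excerpt quoted earlier in the thread, as an added example that is not part of any post: it lists the endpoints a given sshd_config would bind and flags a loopback-only bind, for which remote clients see "Connection refused" because nothing is listening on the external address. The function names and `Port 2222` are assumptions (the thread masks the real port); limiting which clients may connect stays with hosts.allow and hosts.deny, as configured above.

```sh
#!/bin/sh
# Added example: print "address port" for every endpoint an sshd_config binds.
# "*" stands for "all local addresses", the default without ListenAddress.
listen_endpoints() {
    awk '
        { sub(/^[ \t]*#.*/, "") }                      # drop comment lines
        tolower($1) == "port" && NF >= 2 { ports[++np] = $2 }
        tolower($1) == "listenaddress" && NF >= 2 {
            addr = $2; port = ""
            if (addr ~ /^\[/) {                        # [host|IPv6_addr]:port
                if (addr ~ /\]:[0-9]+$/) { port = addr; sub(/^.*\]:/, "", port) }
                sub(/^\[/, "", addr); sub(/\].*$/, "", addr)
            } else if (addr ~ /^[^:]*:[0-9]+$/) {      # host|IPv4_addr:port
                port = addr; sub(/^.*:/, "", port); sub(/:[0-9]+$/, "", addr)
            }
            seen = 1
            # Without an explicit port, the address is paired with every
            # Port option that came BEFORE it (22 if there was none).
            if (port != "") print addr, port
            else if (np == 0) print addr, 22
            else for (i = 1; i <= np; i++) print addr, ports[i]
        }
        END {
            if (!seen) {
                if (np == 0) print "*", 22
                else for (i = 1; i <= np; i++) print "*", ports[i]
            }
        }' "$1"
}

# Classify the bind: "all", "specific" or "loopback-only".
listen_scope() {
    listen_endpoints "$1" | awk '
        $1 == "*" || $1 == "0.0.0.0" || $1 == "::" { wild = 1 }
        $1 != "localhost" && $1 != "::1" && $1 !~ /^127\./ { other = 1 }
        END {
            if (wild) print "all"
            else if (other) print "specific"
            else print "loopback-only"
        }'
}

# Constructed sample: the tail of the config posted in this thread, plus an
# assumed non-standard port.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Protocol 2
Port 2222
#bind
ListenAddress 127.0.0.1
EOF
echo "endpoints: $(listen_endpoints "$demo_cfg")"
echo "scope:     $(listen_scope "$demo_cfg")"
rm -f "$demo_cfg"
```
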

----------

## evidence

hey nihilo,

any chance i can get you to post the exact steps you took to get that puppy working? i've tried everything in this thread and i'm still getting the same error.

thanks

----------

## evidence

 :Embarassed:   :Embarassed:   :Embarassed: 

nevermind...

for those of you who didn't know this...

copy id_rsa.pub and rename authorized_keys from your home directory, not /etc/ssh

hehe

----------

## nihilo

 *evidence wrote:*   

>   
> 
> nevermind...
> 
> for those of you who didn't know this...
> ...

 

Yeah, I made that mistake first too.  Let me know if you still have any trouble, as I probably made every mistake possible before I finally got it working  :Wink: 

----------

## bps7j

I couldn't get it going either, and my /etc/passwd DID have a shell for my user, but not the full path to /bin/bash, which is what it needed.  I had to do 

```
# chsh foo
Changing the login shell for foo
Enter the new value, or press return for the default
        Login Shell [bash]: /bin/bash
```
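
The `pam_shells.so` line rac found in /etc/pam.d/sshd and the bare `bash` shell entry described in this post point at the same check: the login shell field must match an entry in /etc/shells. The script below is an added example, not code from the thread; the function name `pam_shells_verdict` is hypothetical, the files are constructed samples, and the file paths are passed in so it can be run against copies.

```sh
#!/bin/sh
# Added example. Return codes:
#   0  pam_shells is not in the auth stack, or the user's shell is listed
#   1  pam_shells is in the auth stack and the shell is NOT listed
#   2  no passwd entry for the user
#   3  shell field is empty (reported, not judged; set one with chsh)
pam_shells_verdict() {
    user=$1 pamfile=$2 passwd=$3 shells=$4

    # Is pam_shells.so part of the "auth" stack of this service file?
    if ! awk '$1 == "auth" && $3 ~ /(^|\/)pam_shells\.so$/ { found = 1 }
              END { exit !found }' "$pamfile"; then
        echo "pam_shells not in auth stack of $pamfile"
        return 0
    fi

    # Seventh passwd field is the login shell.
    entry=$(awk -F: -v u="$user" '$1 == u { print "shell=" $7; exit }' "$passwd")
    [ -n "$entry" ] || { echo "no passwd entry for $user"; return 2; }
    shell=${entry#shell=}
    [ -n "$shell" ] || { echo "empty shell field for $user"; return 3; }

    # The match is on the whole line, so "bash" does not match "/bin/bash".
    if grep -v '^[[:space:]]*#' "$shells" | grep -Fxq -- "$shell"; then
        echo "ok: $shell is listed in $shells"
        return 0
    fi
    echo "denied by pam_shells: '$shell' is not listed in $shells"
    return 1
}

# Constructed sample files mirroring the cases in this thread.
demo=$(mktemp -d)
printf 'auth       required     pam_shells.so\n' > "$demo/pam_sshd"
printf '# /etc/shells\n/bin/sh\n/bin/bash\n' > "$demo/shells"
cat > "$demo/passwd" <<'EOF'
nihilo:x:1000:10::/home/nihilo:/bin/bash
foo:x:1001:100::/home/foo:bash
EOF
for u in nihilo foo; do
    pam_shells_verdict "$u" "$demo/pam_sshd" "$demo/passwd" "$demo/shells" || true
done
rm -rf "$demo"
```
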

----------

## striscio

To enable password authentication I had to change my sshd_config file from

```
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes
```

(that is happily working on a debian box)

to

```
PasswordAuthentication yes
PAMAuthenticationViaKbdInt yes
```

hope it helps

----------

## keratos68

Got a similar error, didn't want to start a new thread!!

I can get to the password phase, however I'm locked out, the same password works on the local machine, user has a shell. I don't want to send public/private keys out, but rather be authenticated via username/password....

```
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to keratos.no-ip.com [0.0.0.0] port 22.
debug1: Connection established.
debug1: identity file /home/xyz/.ssh/id_rsa type -1
debug1: identity file /home/xyz/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 1591/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/xyz/.ssh/known_host
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/xyz/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'keratos.no-ip.com' is known and matches the RSA host key.
debug1: Found key in /home/xyz/.ssh/known_hosts:1
debug2: bits set: 1655/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/xyz/.ssh/id_rsa
debug3: no such identity: /home/xyz/.ssh/id_rsa
debug1: Trying private key: /home/xyz/.ssh/id_dsa
debug3: no such identity: /home/xyz/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
xyz@keratos.no-ip.com's password:
debug3: packet_send2: adding 64 (len 55 padlen 9 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
xyz@keratos.no-ip.com's password:
```

And my /etc/ssh/sshd_config is 

```
#       $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
AllowGroups     sshd
```

The user I'm trying to log in as, remotely, is in the "users" and "sshd" groups.

Ideas??

TIA

----------

## outspoken

hey thanks! this solved my issue. i was getting the same permission-denied response that nihilo was getting but i had missed the step to echo my pubkey into authorized_keys

 *fyerk wrote:*   

> If you used the 'rsa' flag to generate your key instead of 'rsa1' try using authorized_keys2 instead of authorized_keys.
> 
> ```
> # cat id_rsa.pub >> $HOME/.ssh/authorized_keys2
> ```
> ...

 

----------

## Dirk.R.Gently

My Error:

Permission denied (publickey).

I fixed the problem by making sure that, in "/etc/ssh/sshd_config", the following line was uncommented:

ChallengeResponseAuthentication yes

----------

