# SSH public key login fails.

## sputnik_uk

I'm trying to use Public Key authentication in open SSH.  I get the message 

```
Permission denied (publickey,keyboard-interactive).
```

If I set "PasswordAuthentication yes" Password logins will be allowed, just can't get the key to work.

The .ssh directory exists in home and root, neither root or a normal user will connect.  the permissions are set correctly and the keys are there.

Any ideas?

Thanks,

         Rob.

Here's my sshd_config file:

```

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

#Port 22

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new

# installations. In future the default will change to require explicit

# activation of protocol 1

Protocol 2

# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h

#ServerKeyBits 1024

# Logging

# obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

LoginGraceTime 2m

PermitRootLogin yes

StrictModes yes

MaxAuthTries 6

MaxSessions 10

RSAAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

horizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

PasswordAuthentication no

PermitEmptyPasswords no

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication

# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included

# in this release. The use of 'gssapi' is deprecated due to the presence of

# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.

#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

UsePAM no

#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

X11Forwarding yes

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval 0

#ClientAliveCountMax 3

#UseDNS yes

#PidFile /var/run/sshd.pid

#MaxStartups 10

#PermitTunnel no

#ChrootDirectory none

# no default banner path

#Banner none

# override default of no subsystems

Subsystem       sftp    /usr/lib/ssh/sftp-server

# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis

#Match User anoncvs

#       X11Forwarding no

#       AllowTcpForwarding no

#       ForceCommand cvs server

```

rob@linux-n5e7:~/.ssh> ssh localhost -v -i ~/.ssh/id_rsa.pub

OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Connecting to localhost [::1] port 22.

debug1: Connection established.

debug1: identity file /home/rob/.ssh/id_rsa.pub type 1

debug1: identity file /home/rob/.ssh/id_rsa type 1

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2

debug1: match: OpenSSH_5.2 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.2

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5 none

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host 'localhost' is known and matches the RSA host key.

debug1: Found key in /home/rob/.ssh/known_hosts:2

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering public key: /home/rob/.ssh/id_rsa.pub

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Offering public key: /home/rob/.ssh/id_rsa

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Next authentication method: keyboard-interactive

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: No more authentication methods to try.

Permission denied (publickey,keyboard-interactive).

[/code]

here' the output of ssh -v localhost -i pub_key.pub

[code]

----------

## Rexilion

heh lol, you gave debug output on the wrong side of the wire   :Wink: 

On the server do:

```
/etc/init.d/sshd stop
```

and then start sshd like so:

```
/usr/sbin/sshd -D -d
```

That command enables SSH's debug mode. If you cannot figure out what is going wrong, feel free to post the output of a failed pubkey login   :Smile: 

----------

## Herring42

Have you got the keys the right way round?

Private key on the client, public key in .ssh/authorized_keys on the server.

----------

## krinn

as herring42 suggest:

```

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
```

----------

## sputnik_uk

Oopse.

Got my keys the wrong way round, was putting the private one in authorized_keys.

----------

