# putty -> openssh error: Server refused our key.

## machinelou

I'm trying to connect from my work computer (windows) to my home computer (gentoo) using key authentication.  I generated the keys using puttygen following this guide (http://www.cs.uwaterloo.ca/cscf/howto/ssh/public_key/#putty).  It was working, but then I broke it by screwing with the permissions of my home directory (sshd was complaining about permissions in the logs).

I fixed the permissions (the error doesn't appear in the logs anymore) but, when I try to log in using putty and the key file, it says "Server refused our key." and makes me type in the password.  I can log in when I type in the password, but want it to be able to accept my key so that I can automate various file transfers.  Is there anything else I should check?

Here's the output of stat for my home directory:

```
  File: `.'
  Size: 128             Blocks: 0          IO Block: 131072 directory
Device: 304h/772d       Inode: 31992       Links: 4
Access: (0700/drwx------)  Uid: ( 1002/rachelle)   Gid: (  100/   users)
Access: 2004-12-29 13:10:25.000000000 +0000
Modify: 2005-12-28 11:04:19.245264040 +0000
Change: 2005-12-28 11:04:39.938118248 +0000
```

Here's the output of stat for .ssh

```
  File: `.ssh'
  Size: 80              Blocks: 0          IO Block: 131072 directory
Device: 304h/772d       Inode: 43245       Links: 2
Access: (0700/drwx------)  Uid: ( 1002/rachelle)   Gid: (    0/    root)
Access: 2005-12-21 15:35:59.000000000 +0000
Modify: 2005-12-28 10:55:09.052905992 +0000
Change: 2005-12-28 11:21:51.177346056 +0000
```

Here's authorized_keys

```
  File: `authorized_keys'
  Size: 1142            Blocks: 8          IO Block: 131072 regular file
Device: 304h/772d       Inode: 43015       Links: 1
Access: (0700/-rwx------)  Uid: ( 1002/rachelle)   Gid: (  100/   users)
Access: 2005-12-28 10:55:09.049906448 +0000
Modify: 2005-12-28 10:55:09.049906448 +0000
Change: 2005-12-28 11:21:51.177346056 +0000
```

----------

## magic919

I'd be tempted to regenerate the keys before digging too deep.  You could change ownership of .ssh dir to match user:users, rather than user:root.  Mine is like that and mode 600.

You can restart sshd with -d [1-3] to increase verbosity of logging to see what is happening.

----------

## daeghrefn

According to my system, the /home/user directory is set to 755 user:users, the /home/user/.ssh directory is set to 600 user:users, and the /home/user/.ssh/authorized_keys file is set to 600 user:users.

I use PuTTY to get into my system all the time.

----------

## machinelou

Bah!  I tried to start up sshd with the -d option but, by coincidence, I happen to be getting hit with an sshd worm ATM and sshd shuts down after each failed connection when using the -d option.  I'll have to wait a bit before I give it another shot.  I also changed the permissions to your suggestions but that hasn't worked.  I already tried regenerating the keys but I might as well try again.

----------

## machinelou

Here's the output of sshd -d when I try to login:

```
debug1: sshd version OpenSSH_4.2p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 128.227.13.117 port 1317
debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user rachelle service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for rachelle from 128.227.13.117 port 1317 ssh2
debug1: PAM: initializing for "rachelle"
debug1: PAM: setting PAM_RHOST to "n128-227-13-117.xlate.ufl.edu"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user rachelle service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for rachelle from 128.227.13.117 port 1317 ssh2
debug1: userauth-request for user rachelle service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=rachelle devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for rachelle from 128.227.13.117 port 1317 ssh2
Read from socket failed: Connection reset by peer
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
```

----------

## magic919

It says it is trying the key and failing it.  Might be worth trying higher d level (3 is max) to see if you get any more data.

----------

## machinelou

Thanks.. There's a lot of output, this looks like the most important part.  Here's the output of sshd -ddd

```
Failed none for rachelle from 128.227.13.117 port 1331 ssh2
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "rachelle"
debug3: Trying to reverse map address 128.227.13.117.
debug1: PAM: setting PAM_RHOST to "n128-227-13-117.xlate.ufl.edu"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user rachelle service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x80a6748
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys
debug3: secure_filename: checking '/home/rachelle/.ssh'
debug3: secure_filename: checking '/home/rachelle'
debug3: secure_filename: terminating check at '/home/rachelle'
debug2: key_type_from_name: unknown key type 'sh-dss'
debug3: key_read: missing keytype
debug2: user_key_allowed: check options: 'sh-dss AAAAB3Nz(key removed)5SHrKeVRitTEdXQjVdebug2: key_type_from_name: unknown key type 'AAAAB3Nz(key removed)5SHrKeVRitTEdXQjVGcYdebug3: key_read: missing keytype
debug2: user_key_allowed: advance: 'AAAAB3Nz(key removed)5SHrKeVRitTEdXQjVGcYLthqxJ2y5Pdebug1: restore_uid: 0/0
debug2: key not found
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x80a6748 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for rachelle from 128.227.13.117 port 1331 ssh2
debug1: userauth-request for user rachelle service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=rachelle devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned 0
Postponed keyboard-interactive for rachelle from 128.227.13.117 port 1331 ssh2
Read from socket failed: Connection reset by peer
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
```

It looks like it's complaining about not being able to read the keytype.  I'll try regenerating the keys again...
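
As an added example (not part of the original post): the `unknown key type 'sh-dss'` line above means the first field of the authorized_keys entry is not a key type sshd recognises. The Python below checks entries offline for that and, going beyond the case in the thread, for key data cut short and for an RFC 4716 block pasted in place of a one-line key; the function names and sample lines are constructed for illustration.

```python
import base64
import binascii

KNOWN_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def blob_fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 > len(blob) or pos + 4 + size > len(blob):
            raise ValueError("field runs past end of key data")
        fields.append(blob[pos + 4:pos + 4 + size])
        pos += 4 + size
    return fields

def check_line(line):
    """Return 'ok' or the reason one authorized_keys line cannot match a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "ok"  # blank lines and comments are skipped
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return "RFC 4716 block (PuTTYgen 'Save public key'), not a one-line key"
    words = line.split()  # simplification: options with quoted spaces are not parsed
    idx = next((i for i, w in enumerate(words) if w in KNOWN_TYPES), None)
    if idx is None:
        close = [t for t in KNOWN_TYPES if t.endswith(words[0])]
        hint = " (truncated %r?)" % close[0] if close else ""
        return "unknown key type %r%s" % (words[0], hint)
    if idx + 1 >= len(words):
        return "key type %r has no key data after it" % words[idx]
    try:
        fields = blob_fields(base64.b64decode(words[idx + 1], validate=True))
    except (binascii.Error, ValueError) as exc:
        return "bad key data: %s" % exc
    if len(fields) < 2 or fields[0] != words[idx].encode():
        return "declared type does not match type inside key data"
    return "ok"

# Constructed sample: structurally valid key data, not a real key.
SAMPLE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)).decode()
SAMPLE_LINES = ["ssh-ed25519 %s user@work" % SAMPLE_BLOB,   # intact
                "sh-dss %s user@work" % SAMPLE_BLOB,        # first character lost
                "ssh-ed25519 %s" % SAMPLE_BLOB[:40]]        # line cut mid-key

if __name__ == "__main__":
    for text in SAMPLE_LINES:
        print(check_line(text))
```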

----------

## machinelou

Yep, regenerating the keys worked this time.. Thanks

----------

## magic919

Excellent.  Glad it all worked out.  And we all get to see some stuff and learn along the way.  Maybe you could mark [SOLVED]

----------

## bigbob73

 *magic919 wrote:*   

> I'd be tempted to regenerate the keys before digging too deep.  You could change ownership of .ssh dir to match user:users, rather than user:root.  Mine is like that and mode 600.
> 
> You can restart sshd with -d [1-3] to increase verbosity of logging to see what is happening.

 

Is this a security feature of ssh? I had my permissions at 700, but it wouldn't accept the key.  Do you have to change permissions to add a key and then change them back?

Bigbob

----------

## machinelou

Yes -- I think.. I read in another thread here that the permissions of .ssh have to be specific otherwise it might not actually be you logging in, just someone with enough permissions to fiddle with your .ssh directory.

----------

## bigbob73

 *machinelou wrote:*   

> Yes -- I think.. I read in another thread here that the permissions of .ssh have to be specific otherwise it might not actually be you logging in, just someone with enough permissions to fiddle with your .ssh directory.

 

I have set ~/.ssh, ~/.ssh/authorized_keys, and the key all to 600 and I still can't get putty to connect using the key only.  I must be missing something somewhere.

----------

## daeghrefn

Yeah, sshd will not accept a key if the permissions on /home/user/.ssh and contained files are not correct.

 *Quote:*   

> i have set ~/.ssh, ~/.ssh/authorized_keys, and the key all to 600 and I still can't get putty to connect using the key only. I must be missing something somewhere.

 

Check your sshd logs to see what sshd is telling you.  Usually it gives you a reason as to why it rejects a key.
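
The checks behind this, as an added example that is not part of the original thread: with StrictModes on (the OpenSSH default), sshd requires authorized_keys and each directory up to the home directory to be owned by the user or root and not writable by group or others. The Python below applies those two tests to a throwaway tree; `audit_key_path` and `demo` are names made up here, and the owner search-bit test is an extra check added because sshd reads the file as the user.

```python
import os
import stat
import tempfile

def audit_key_path(auth_file, home, uid):
    """List reasons sshd would refuse to use auth_file for account `uid`.

    Checks the file, then each parent directory up to and including `home`,
    the order shown by the debug3 secure_filename lines.
    """
    problems, path, home = [], os.path.abspath(auth_file), os.path.abspath(home)
    while True:
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append("%s: %s" % (path, exc.strerror))
            st = None
        if st is not None:
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in (0, uid):
                problems.append("%s: owned by uid %d" % (path, st.st_uid))
            if mode & 0o022:
                problems.append("%s: mode %04o is group/world writable" % (path, mode))
            # Extra check, not part of sshd's ownership/mode test: sshd opens
            # the file as the user, which needs search (x) on every directory.
            if stat.S_ISDIR(st.st_mode) and not mode & 0o100:
                problems.append("%s: mode %04o has no owner search bit" % (path, mode))
        if path in (home, os.path.dirname(path)):
            return problems
        path = os.path.dirname(path)

def demo(ssh_dir_mode):
    """Audit a throwaway home tree (constructed sample) with .ssh at ssh_dir_mode."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        key_file = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        open(key_file, "w").close()
        os.chmod(key_file, 0o600)
        os.chmod(ssh_dir, ssh_dir_mode)
        found = audit_key_path(key_file, home, os.getuid())
        os.chmod(ssh_dir, 0o700)  # restore so the tree can be deleted
        return [p.replace(home, "~") for p in found]

if __name__ == "__main__":
    for mode in (0o700, 0o600, 0o770):
        print("%04o" % mode, demo(mode))
```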

----------

## bigbob73

 *daeghrefn wrote:*   

> yeah, sshd will not accept a key if the permissions on /home/user/.ssh and contained files are not correct.
> 
> > i have set ~/.ssh, ~/.ssh/authorized_keys, and the key all to 600 and I still can't get putty to connect using the key only. I must be missing something somewhere.
> 
> Check your sshd logs to see what sshd is telling you.  Usually it gives you a reason as to why it rejects a key.

Log says that [sshd] socket: Address family not supported by protocol.  This comes up after restarting sshd.

----------

