SSH Access - Authentication Failed: The key has been rejected

[RyanR]

Hi,

I'm trying to connect to my server via SSH however it's failing to connect.

19:27:12.248 Started a new SSH session.
19:27:12.266 Connecting to SSH server IP HERE:987.
19:27:12.446 Connection established.
19:27:12.650 Server version: SSH-2.0-OpenSSH_7.4
19:27:12.650 First key exchange started. Cryptographic provider: Windows CNG (x86) with additions
19:27:13.037 Received host key from the server. Algorithm: RSA, size: 2048 bits, SHA-256 fingerprint: xgHrBQBceI3Su7.
19:27:13.057 First key exchange completed using Curve25519. Session encryption and integrity: aes256-gcm, compression: none.
19:27:13.227 Attempting publickey authentication. Testing client key 'Profile 1' for acceptance.
19:27:13.432 Authentication failed. The key has been rejected. Remaining authentication methods: 'publickey,gssapi-keyex,gssapi-with-mic'.

We've done the following:

Edited the file:

vi /etc/ssh/sshd_config

Updated PermitRootLogin to No:

PermitRootLogin no

Updated SSH port:

Port 987

Modified ConfigServer Firewall

WHM --> Plugins --> ConfigServer Security & Firewall --> Firewall Configuration --> TCP_IN and add the port 987

Added Wheel:

adduser deploy

Added the user to the "wheel group" via:

WHM --> Security Center --> Manage Wheel Group Users --> Selected "Deploy" and click "Add to Group".

Added SSH Public Key via WHM

WHM --> Security --> Manage root’s SSH Keys --> Import Key --> Set a name for the key, add the key passphrase, paste the public key into the second box --> Import.

WHM --> Security --> Manage root’s SSH Keys --> Manage Authorization --> Authorize

Added SSH Public Key via Terminal / authorized_keys file:

nano /home/deploy/.ssh/authorized_keys

Copied my SSH key into the file:

ssh-rsa HEREISMYHASH RyanR

Restarted SSH:

/etc/init.d/sshd restart

Bitvise SSH Client
- The connection details are as follows:


- It will accept the following key exchanges, host keys, encryptions, data integrities and compressions:



I can't figure out why the authentication is failing... anyone know what I am doing wrong?

Thanks

 

[RyanR]

Update on things I've tried

Disabled Firewall:
- Disabling ConfigServer Firewall by both turning it off and by uninstalling it.

Checked SSH Key:
- I installed my SSH key on to a different, unrelated server and it connected just fine.
- I checked that the SSH configuration file accepted RSA keys, which it did.
- I tried an RSA key, ecdsa key, ed25519 key and all 3 failed

Generating a SSH Key via WHM:
- I imported the key into my Bitvise SSH client but it still failed to connect

Edited the file:

vi /etc/ssh/sshd_config

Tried Protocols 1 and 2:

Protocol 2,1

Tried to "AllowUsers" within the SSH configuration:

AllowUsers deploy

Checked Authorized Keys Permissions:
- .ssh has a permission of 700
- authorized_keys ahs a permission of 600

Checked the server logs with a login from "root"

sshd[1527417]: User root from x.x.x.x not allowed because not listed in AllowUsers
sshd[1527417]: input_userauth_request: invalid user root [preauth]

[/code]

Checked the server logs with a login from "deploy"

sshd[1527417]: error: Received disconnect from x.x.x.x port 55887:13: User request [preauth]
sshd[1527417]: Disconnected from x.x.x.x port 55887 [preauth]
sshd[1529799]: error: Received disconnect from x.x.x.x port 55967:13: User request [preauth]
sshd[1529799]: Disconnected from x.x.x.x port 55967 [preauth]

^ I'm not sure why it's showing port 55967... we connect over port 987



Copy of my sshd_config:

#    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 987
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile  %h/.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server
UseDNS no
DenyGroups cpaneldemo cpanelsuspended
Protocol 2
AllowUsers deploy

 

[ZenHostingTravis]

Do you have the Linux subsystem in Windows installed? If so, can you try connecting using the shell?

For example, if I connect eg ssh Travis@IP Address -p 1234 I am logged in without having to enter a password because key authentication has been set up properly.

 

[cPAdminsMichael]

Hi Ryan,

You will most likely have a better error message in your /var/log/secure logfile
I assume you created the user's .ssh directory and authorized_keys file "manually"? What ownership and permissions did you give them?

Also note that the "Manage root’s SSH Keys" in WHM is (obviously) just for the root user - and therefore not necessary if you just want the keys authorized for the "deploy" user

 

[cPanelLauren]

I was going to note that the first I see with this is that you've used roots SSH keys. Because you created the user manually you'll need to add the SSH key manually as well, managing Root's SSH Keys only adds the key and authorizes it for the root user. There is an interface that matches this one for cPanel users but because you've added the user manually without a cPanel account you won't be able to do this.

The key for the user you created needs to be stored in /home/$user/.ssh/ so in your case /home/deploy/.ssh/

Here are the steps I performed to make this happen for an account I added which has no associated cPanel account:


On your local machine

• On my Mac terminal I ran the following command:

  ssh-keygen

• Here is the output (I chose not to use a password)

  ssh-keygen
  Generating public/private rsa key pair.
  Enter file in which to save the key (/Users/macuser/.ssh/id_rsa): myuser
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in myuser.
  Your public key has been saved in myuser.pub.

  (I cut out the fingerprint and randomart image from my output here)
  
  
• In the home directory for the user I created I ran

  su myuser

  to do the rest of this as the user (I am logged in as root)

On the server:

• create the .ssh directory as it isn't present by default

  mkdir .ssh

• change its permissions to 700

  chmod 700 .ssh

Copy the key

• There are a few different ways you can do this s
  • SSH-Copy-ID
  • use a one-liner to create and copy the key but this assumes you have password access to the server as the user you're creating the key for

    cat ~/.ssh/id_rsa.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

• Manually Copy - this is the method I used.
  • The key needs to reside in authorized_keys for your account so you'll run the following to create that file

    touch authorized_keys

  • Run the following on your local machine to view the public key string for the key (I used my mac so the path may be different for you but it was output when you created the key)

     cat /Users/macuser/.ssh/myuser.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1cBQtMclCJMvcQrF2qBTgdENFAmJA3rybjhK6yZDKi4zM8dsuPaZtqgzxYxGl+rojCddp8MwxAJEyDVimLhLEjzvGEzIxmCrkbXaGliuidQ+6aQGElB+rGFakO+zAd5BRJr16LdFQIyMc8BiWI1pLHITyXN+dfdsfSIFJDISOGhdgsS+W3R0wMMCsiVC89QzbmLV4dDDln2Cxv1vkR86O1fJJ1POmfxWWAJ7oaMabrgDPjsLPapIQYXATJk6mrrrbCsfsqF+5QVVPDHMpCpOzpudEGEnPfppqUut0OmxnyYr9TRZNOvIudX5kI2bJI0+w4gXE0cJYnHzMlSBvUT3nTRlkZ

    (I've modified this text so It's not a valid key in case you were concerned about security)
    
    
  • Copy that output and paste it into authorized_users on the server. Or you can do what I did

    echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1cBQtMclCJMvcQrF2qBTgdENFAmJA3rybjhK6yZDKi4zM8dsuPaZtqgzxYxGl+rojCddp8MwxAJEyDVimLhLEjzvGEzIxmCrkbXaGliuidQ+6aQGElB+rGFakO+zAd5BRJr16LdFQIyMc8BiWI1pLHITyXN+dfdsfSIFJDISOGhdgsS+W3R0wMMCsiVC89QzbmLV4dDDln2Cxv1vkR86O1fJJ1POmfxWWAJ7oaMabrgDPjsLPapIQYXATJk6mrrrbCsfsqF+5QVVPDHMpCpOzpudEGEnPfppqUut0OmxnyYr9TRZNOvIudX5kI2bJI0+w4gXE0cJYnHzMlSBvUT3nTRlkZ >> authorized_keys

• Test the login - I typically use the verbose (-v) or very verbose (-vv) flags to troubleshoot SSH related issues.