SSH keys Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

darrencperry

Registered
Oct 3, 2012
cPanel Access Level
Root Administrator
I've been troubleshooting this since yesterday afternoon.

I have a CentOS server running WHM and I had SSH access working with a key. SSH Password Authorization Tweak is Disabled.

My SSH key had a passphrase and I was working on a backup solution for which I wanted to try using a key with no passphrase. WHM doesn't allow null password keys, it seems, so I created one locally on my Mac with ssh-keygen and uploaded the public key, and this didn't work.

I ended up removing the working SSH key from the server. Not a big problem, I thought, as I can just make a new one.

Now I can't get any keys working for ssh access. Here are the steps I've been taking for the last few hours:

1) Manage root’s SSH Keys > Generate a new key
2) I have copied and pasted the text from the private key into a key on my computer
2 a) I have also used scp (by enabling ssh password authorization temporarily) to retrieve the private key
3) Manage Authorization > Enable
4) Attempt login > ssh -i <id_dsa/id_rsa> [email protected]<server>
type key password

Code:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
5) chmod 600 <id_dsa/id_rsa>

Code:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
OK. Next.

On Mac
1) ssh-keygen -t id_dsa
1 a) I have also tried ssh-keygen -t id_rsa; the difference is not significant, I know.
1 b) I've done this with a password and without a password; neither works
2) copy id_dsa.pub/id_rsa.pub to remote server through Manage root’s SSH Keys > Import Key
2 a) I've also used scp (by enabling ssh password authorization temporarily) to copy the key to the server
3) Manage Authorization > Enable
4) Attempt login > ssh -i <id_dsa/id_rsa> [email protected]<server>
type key password

Code:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
5) chmod 600 <id_dsa/id_rsa>

Code:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
OK. Permissions.

on server in /root/.ssh
Code:
-rw-------.  1 root root  422 Oct  3 10:57 authorized_keys
-rw-------.  1 root root  422 Oct  3 10:57 authorized_keys2
-rw-r--r--.  1 root root  422 Oct  3 10:57 id_rsa.pub
and from /root
Code:
drwx------.  2 root root     4096 Oct  3 10:57 .ssh/
on Mac in ~/
Code:
drwx------   3 darrencperry  staff    102  3 Oct 00:54 .ssh
and in ~/.ssh
Code:
-rw-r--r--   1 darrencperry  staff  418  3 Oct 00:54 known_hosts
my private key permissions
Code:
-rw-------   1 darrencperry  staff   1675  3 Oct 10:56 id_rsa
Firewall:

I've made sure port 22 is open on my server and am using port 22 for SSH.


read out from ssh -vvv -i <id_dsa/id_rsa> [email protected]<server>

(I've hidden addresses and IPs)

Code:
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver.co.uk [my.ip.address] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "id_rsa" as a RSA1 public key
debug1: identity file id_rsa type 1
debug1: identity file id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "myserver.co.uk" from file "/Users/darrencperry/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/darrencperry/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 493/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA hi:dd:en:so:me:of:th:is:42:b2:0b:10:10:25:4f:3f
debug3: load_hostkeys: loading entries for host "myserver.co.uk" from file "/Users/darrencperry/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/darrencperry/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "my.ip.address" from file "/Users/darrencperry/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/darrencperry/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'myserver.co.uk' is known and matches the RSA host key.
debug1: Found key in /Users/darrencperry/.ssh/known_hosts:1
debug2: bits set: 507/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: id_rsa (0x7fe2f241d220)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I've also run:

tail -f /var/log/secure

on the server and all that's logged when I attempt and fail to login with the SSH key is this:

Code:
Oct  3 11:31:52 host-my-server-ip sshd[13261]: Connection closed by <my.ip>
I've also tried to ssh in from another machine using the same methods...

Any help would be GREATLY appreciated!!

Thanks!
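
The two server-side conditions behind the checks listed in the post above, as an added example that is not part of the original thread or of cPanel's code: the ownership and mode test that sshd applies under StrictModes, and whether the offered public key is really present, blob for blob, in authorized_keys (a wrapped or truncated paste fails this). The function names, the temporary home directory and the key blobs are constructed for illustration; the blobs are stand-ins, not real keys.

```python
import base64, os, stat, tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the two key types tried in the post

def key_blob(line):
    """Decoded key blob from a .pub or authorized_keys line, or None if absent."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:  # options, if any, come before the key type
            try:
                return base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None  # wrapped or truncated paste
    return None

def strict_modes_problems(home, uid):
    """Paths sshd's StrictModes check rejects: foreign owner or group/world-writable."""
    problems, ssh_dir = [], os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        st = os.stat(path)
        if st.st_uid not in (0, uid):
            problems.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & 0o022:
            problems.append((path, "mode %04o is writable by group/other" % stat.S_IMODE(st.st_mode)))
    return problems

def key_is_authorized(pub_path, authorized_keys_path):
    """True if the key in pub_path appears, blob for blob, in authorized_keys."""
    with open(pub_path) as f:
        wanted = key_blob(f.read())
    with open(authorized_keys_path) as f:
        return wanted is not None and any(key_blob(line) == wanted for line in f)

def demo():
    """Constructed home directory: one key authorized, one not, one bad file mode."""
    home = tempfile.mkdtemp()  # created with mode 0700
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    pubs = {}
    for name in ("offered", "other"):
        blob = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + name.encode() * 8).decode()
        pubs[name] = os.path.join(ssh_dir, name + ".pub")
        with open(pubs[name], "w") as f:
            f.write("ssh-rsa %s %s@example\n" % (blob, name))
    auth = os.path.join(ssh_dir, "authorized_keys")
    with open(pubs["other"]) as src, open(auth, "w") as dst:
        dst.write("# constructed sample\nno-pty " + src.read())
    os.chmod(auth, 0o664)  # deliberately too open, so the mode check fires
    return (strict_modes_problems(home, os.getuid()),
            key_is_authorized(pubs["offered"], auth), key_is_authorized(pubs["other"], auth))
```

Calling `demo()` returns the list of rejected paths followed by the match result for each of the two constructed keys.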
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello,

I'm not seeing anything obvious that's causing this to occur. Could you try opening up a ticket for us to test adding a public key to the machine ourselves to test it? You'll need to provide WHM root access for us to try adding the key to the machine.

Thanks!