On Debian 10 (proxmox environment) I can access ssh remote as root using ssh-key.
On remote system I have installed new user (myuser), created ssh-key with ssh-keygen with no passphrase.
I copied the content of public key to /home/myuser/.ssh/authorized_keys (same as for root).

Now, ssh to remote for root works without password. ssh to remote for myuser will ask me for password.

It looks like the sshd config is correct. But why can't I log in as myuser using the ssh-key?

My final goal is to have access from Windows using WinSCP with ssh-keys.

ssh output:

root@srv1 ~ # ssh -vvv [email protected]
> OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k  25 Mar 2021
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
> debug1: /etc/ssh/ssh_config line 21: Applying options for *
> debug2: resolve_canonicalize: hostname 192.168.100.8 is address
> debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
> debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
> debug2: ssh_connect_direct
> debug1: Connecting to 192.168.100.8 [192.168.100.8] port 22.
> debug1: Connection established.
> debug1: identity file /root/.ssh/id_rsa type 0
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa_sk type -1
> debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: identity file /root/.ssh/id_ed25519_sk type -1
> debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
> debug1: identity file /root/.ssh/id_xmss type -1
> debug1: identity file /root/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
> debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to 192.168.100.8:22 as 'myuser'
> debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys from 192.168.100.8
> debug3: order_hostkeyalgs: have matching best-preference key type [email protected], using HostkeyAlgorithms verbatim
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
> debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,[email protected],zlib
> debug2: compression stoc: none,[email protected],zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
> debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
> debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,[email protected]
> debug2: compression stoc: none,[email protected]
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
> debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:MAQ9SRm/{snipped}
> debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:1
> debug3: load_hostkeys: loaded 1 keys from 192.168.100.8
> debug1: Host '192.168.100.8' is known and matches the ECDSA host key.
> debug1: Found key in /root/.ssh/known_hosts:1
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey out after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: receive packet: type 21
> debug1: SSH2_MSG_NEWKEYS received
> debug2: set_newkeys: mode 0
> debug1: rekey in after 134217728 blocks
> debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:G+sbTZiyYh23IP{snipped}
> debug1: Will attempt key: /root/.ssh/id_dsa
> debug1: Will attempt key: /root/.ssh/id_ecdsa
> debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
> debug1: Will attempt key: /root/.ssh/id_ed25519
> debug1: Will attempt key: /root/.ssh/id_ed25519_sk
> debug1: Will attempt key: /root/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug3: send packet: type 5
> debug3: receive packet: type 7
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,password
> debug3: start over, passed a different list publickey,password
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:G+sbTZiyYh23IP{snipped}
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private key: /root/.ssh/id_dsa
> debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ecdsa
> debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ecdsa_sk
> debug3: no such identity: /root/.ssh/id_ecdsa_sk: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ed25519
> debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
> debug1: Trying private key: /root/.ssh/id_ed25519_sk
> debug3: no such identity: /root/.ssh/id_ed25519_sk: No such file or directory
> debug1: Trying private key: /root/.ssh/id_xmss
> debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> [email protected]'s password:

Answers


  1. Chosen as BEST ANSWER

    I found the error (based on using SSH key authentication on a Synology NAS):

    This is important: connect to the NAS by SSH and check the file permissions:
    
     - chmod 0711 ~ 
     - chmod 0711 ~/.ssh
     - chmod 0600 ~/.ssh/authorized_keys
    

  2. Double check that authorized_keys has the right permissions and owner:group.

    They should be:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
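
The permission fixes in both answers work because sshd, with `StrictModes` at its default of `yes`, ignores `authorized_keys` when the file, `~/.ssh`, or the home directory is writable by group or others, or is owned by someone other than the user or root. The check below is an added example, not code from either answer; the function name `audit_ssh_perms` is hypothetical and it assumes GNU `stat` (as on Debian):

```shell
#!/bin/sh
# Added example: flag paths that an sshd StrictModes-style check would reject.
# Usage: audit_ssh_perms HOME_DIR EXPECTED_UID
#   e.g. audit_ssh_perms /home/myuser "$(id -u myuser)"
# Prints one "BAD ..." line per problem; returns 0 if everything passes, 1 otherwise.
audit_ssh_perms() {
    home=$1
    uid=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "BAD $p: missing"
            rc=1
            continue
        fi
        # GNU stat: %a = octal permission bits, %u = numeric owner uid
        mode=$(stat -c '%a' "$p")
        owner=$(stat -c '%u' "$p")
        # Owner must be the account itself or root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "BAD $p: owned by uid $owner, expected $uid or 0"
            rc=1
        fi
        # No write bit for group (020) or others (002).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD $p: mode $mode is group/world-writable"
            rc=1
        fi
    done
    return $rc
}
```

The client-side `ssh -vvv` output cannot show this failure; it only sees the key being declined. The server's auth log records it as `Authentication refused: bad ownership or modes for ...`.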
    