0

I have an internal CentOS 7 server which acts as a staging environment for our websites.

I have accessed it for the last year or so via SSH from a Linux Mint machine. Now, some other people are trying to get access to the server, so on their machines I

  • installed Git bash
  • used ssh-keygen (and spammed enter)
  • used ssh-copy-id [email protected]

which returned:

[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

With that, I got them to send me their id_rsa.pub files, cat'ed them and then added them to /home/user/.ssh/authorized_keys and tried again, but the ssh/sftp commands return that same permission denied error.

I'm not sure what I'm missing, and like I said, it works for my (Linux) machine, but not their (Windows) machines.

I've set PasswordAuthentication to no in /etc/ssh/sshd_config and then restarted the sshd service, but still no effect.

How can I get Windows SSH keys working on my Linux CentOS server?

1 Answer

0

Can you actually ssh by providing the username and password? If not, then if you can access the file, ensure you have an AllowUsers entry in /etc/ssh/sshd_config and also that you are allowing SSH access to the subnet at the top of that file. If you do amend the sshd_config, remember to restart the SSH service.


  1. Check in sshd_config if you have:

AllowUsers

DenyGroups

DenyUsers

set and if you are allowed to access the remote.


  2. Also, it sometimes helps to reset the known_hosts file in the $HOME/.ssh directory:

cat /dev/null > $HOME/.ssh/known_hosts

  3. Check if denyhosts is installed and if it's blocked your IP address in the hosts file.

If you manage to blacklist your own IP address by attempting to log in via SSH with the wrong credentials multiple times, then you can connect to your service using the console (Connecting to your VPS using the console / VNC) and remove the block with the following:

  • Stop denyhosts service (systemctl stop denyhosts or /etc/init.d/denyhosts stop)
  • Remove the line with the IP from /etc/hosts.deny
  • Remove the lines with the IP from /var/lib/denyhosts/hosts* files (note: not all files will contain the IP)
  • Remove the line with the IP from /var/lib/denyhosts/user-hosts
  • Remove the lines on the IPTABLES’ table
  • Start denyhosts service

  4. Check if you got the right port

If that's not the problem, here are the steps to create keys and copy them to the remote:

Create the key on the local system:

ssh-keygen -o -b 4096 -t rsa -C [email protected]

OR:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/vps-cloud.web-server.key -C "My web-server key"

You will be prompted to supply a passphrase (password) for your private key. I suggest that you setup a passphrase when prompted.


  • -t rsa : Specifies the type of key to create. The possible values are “rsa1” for protocol version 1 and “dsa”, “ecdsa”, “ed25519”, or “rsa” for protocol version 2.
  • -b 4096 : Specifies the number of bits in the key to create
  • -f ~/.ssh/vps-cloud.web-server.key : Specifies the filename of the key file.
  • -C "[email protected]" : Set a new comment.

If you want to be able to access the server from your root account, do su and repeat the above command.

  1. $HOME/.ssh/id_rsa – contains your private key.
  2. $HOME/.ssh/id_rsa.pub – contains your public key.

Copy the key to remote:

ssh-copy-id [email protected]

OR:

ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected]

OR:

First create .ssh directory on the remote server

ssh [email protected] "umask 077; test -d .ssh || mkdir .ssh"

cat the local id_rsa.pub file and pipe it over ssh to append the public key on the remote server

cat $HOME/.ssh/id_rsa.pub | ssh [email protected] "cat >> .ssh/authorized_keys"

OR:

cat ~/.ssh/id_rsa.pub | ssh -p 22000 [email protected] "cat >> ~/.ssh/authorized_keys"

If you want to be able to only enter your key passphrase once each session then add this to your .bashrc file:

eval `ssh-agent`
ssh-add

Then you will be asked for the passphrase on terminal/shell start and not again.

4
  • 1) I don't need to use username + pass, as stated in my post, I can SSH in no problem, it's just Windows. 2) is a completely empty file.. 3) hosts.deny is completely empty ... 4) 100% correct port (copied from my .bashrc alias) 5) as stated, already done all of this..
    – treyBake
    Commented Jun 7, 2019 at 14:05
  • can also confirm is Windows issue, just set up a new Linux user and it worked first time xD
    – treyBake
    Commented Jun 7, 2019 at 14:29
  • @treyBake So it's fixed, good for you, have a nice day :-)
    Commented Jun 8, 2019 at 1:37
  • no.. I just tested through Linux to see if it was a Windows thing
    – treyBake
    Commented Jun 8, 2019 at 11:55
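
Added example, not part of the original answer or comments: a server-side lint for public keys pasted by hand into authorized_keys, as the question describes. It goes beyond the steps above by checking for a group/world-writable file (refused under sshd's default StrictModes), CRLF line endings, and wrapped or non-OpenSSH key lines; the function name and the sample key blobs are constructed for illustration.

```shell
#!/bin/sh
# Lint an authorized_keys file after keys were pasted in by hand.
# Prints one line per problem; returns 0 if clean, 1 if anything was found.
lint_authorized_keys() {
    f=$1 rc=0
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    # With StrictModes (the sshd default) a group/world-writable file is refused.
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "$f: writable by group or others"; rc=1
    fi
    awk '
        /\r$/ { printf "line %d: CRLF line ending\n", NR; bad = 1; sub(/\r$/, "") }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            t = 0                                # index of the key-type field
            for (i = 1; i <= NF && !t; i++)      # key options may precede it
                # common key types only; sk-* security-key types are not listed
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) t = i
            if (!t) {
                printf "line %d: no key type (wrapped line or non-OpenSSH format?)\n", NR
                bad = 1
            } else if ($(t + 1) !~ "^AAAA[A-Za-z0-9+/]+=*$") {
                printf "line %d: key blob missing or not base64\n", NR
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$f" || rc=1
    return $rc
}

# Constructed demo input: the blobs are placeholders, not real keys.
demo=$(mktemp) && chmod 600 "$demo"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed alice@laptop\n' >"$demo"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed bob@windows\r\n' >>"$demo"
printf 'AAAAB3NzaC1yc2EAAAADAQABwrappedtail carol@windows\n' >>"$demo"
lint_authorized_keys "$demo" || echo "problems found"
rm -f "$demo"
```

Run it on the server as `lint_authorized_keys /home/user/.ssh/authorized_keys`; a clean result only rules out these formatting and permission problems, not the sshd_config checks listed in the answer.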
