I'm trying to git clone from my employer's site, but I'm stuck at the "Permission denied (publickey)." error message.
Right now, I just want to connect to the host, using ssh command. Added -o HostKeyAlgorithms=ssh-rsa , because otherwise it was giving up right away.
This is the problematic part:
debug1: Offering public key: ./id_rsa.pub RSA SHA256:sNpI3H2pUhdB/HFFjhF6qW+SHtpaMTY5+b5qk5aDo9s explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
Nothing I try works. I changed the crypto-policies to LEGACY (hearing that newer Fedoras don't support rsa).
I've created a config file, that goes like this:
Host *
PubkeyAcceptedAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
PubKeyAuthentication yes
IdentityFile ./id_rsa.pub
At least the part with PubkeyAcceptedAlgorithms +ssh-rsa seemed to do something, because it removed one error for me (an error which I can't replicate anymore, possibly because of that policy change).
These are the permissions, fiddling with them doesn't seem to change anything, especially since the Internet has mixed opinions on what these permissions should be.
-rwx------. 1 michal michal 124 Jul 22 06:08 config
-rw-------. 1 michal michal 1831 Jul 18 10:25 id_rsa
-rw-r--r--. 1 michal michal 406 Jul 18 10:25 id_rsa.pub
-rwx------. 1 michal michal 640 Jul 21 17:54 known_hosts
I've found that the receive packet: type 51 error is an authentication failure, but I don't know what to do about it. Someone said it might be the username thing, but I'm not sure what usernames should I be comparing, since I'm not giving my credentials anywhere, just the rsa keys.
I've been explicitly told to use rsa, not ed25519, so generating in that standard is out of the question (not like it works, anyway, because I tried).
I even saw the solution "remove the id_rsa.pub file from .ssh", but obviously that didn't do much, only an error when paired with "IdentityFile ./id_rsa.pub" in config (when I remove this part from config, there's still the permission denied error).
What else can I debug? AuthorizedKeys file was uploaded on a server through my employer's site, at least that's how I understand it, because I was uploading my public key there, and the site states the key is valid. I have no access to the server, so I can't check the logs.
If it's helpful, please find the full log here (I x-ed out the ip, port number and other data that might be sensitive):
ssh -v -v -v -p xxxx xx.xx.xx.xx -o HostKeyAlgorithms=ssh-rsa
OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022
debug1: Reading configuration data /home/michal/.ssh/config
debug1: /home/michal/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host xxx.xxx.xxx.xxx originally xxx.xxx.xxx.xxx
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname xxx.xxx.xxx.xxx is address
debug1: re-parsing configuration
debug1: Reading configuration data /home/michal/.ssh/config
debug1: /home/michal/.ssh/config line 1: Applying options for *
debug2: add_identity_file: ignoring duplicate key ./id_rsa.pub
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host xxx.xxx.xxx.xxx originally xxx.xxx.xxx.xxx
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-,gss-group1-sha1-]
debug3: kex names ok: [curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/michal/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/michal/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port xxxx.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file ./id_rsa.pub type 0
debug1: identity file ./id_rsa.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version xxxx (SSHD-CORE-2.0.0)
debug1: compat_banner: no match: xxxx (SSHD-CORE-2.0.0)
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to xxx.xxx.xxx.xxx:xxxx as 'michal'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug1: kex: ecdh-sha2-nistp256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:JL7soi70bRRq805BuKRCOlfzYwyh8wH3Q/a8bVrqIfQ
debug3: put_host_port: [xxx.xxx.xxx.xxx]:xxxx
debug3: put_host_port: [xxx.xxx.xxx.xxx]:xxxx
debug3: record_hostkey: found key type RSA in file /home/michal/.ssh/known_hosts:1
debug3: load_hostkeys_file: loaded 1 keys from [xxx.xxx.xxx.xxx]:xxxx
debug1: load_hostkeys: fopen /home/michal/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[xxx.xxx.xxx.xxx]:xxxx' is known and matches the RSA host key.
debug1: Found key in /home/michal/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: ./id_rsa.pub RSA SHA256:sNpI3H2pUhdB/HFFjhF6qW+SHtpaMTY5+b5qk5aDo9s explicit agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ./id_rsa.pub RSA SHA256:sNpI3H2pUhdB/HFFjhF6qW+SHtpaMTY5+b5qk5aDo9s explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
