0

After trying some tips from various blogs on how to secure ssh connections to a server, I’m now unable to access my server. I receive this error message:

(Disconnected: No supported authentication methods available (Server sent: publickey, gssapi-keyex, gssapi-with-mic)))

This is my config file for sshd:

#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 7777
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
StrictModes no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

I don’t think that this is anything to do with SELinux.

This is the output for my .ssh folder listing:

ls -laZ ~/.ssh/

drwx------. smghanen apache unconfined_u:object_r:ssh_home_t:s0 .
drwx------. smghanen apache unconfined_u:object_r:user_home_dir_t:s0 ..
-rw-------. smghanen apache unconfined_u:object_r:user_home_t:s0 authorized_keys

How can I solve this? And what would be some tips to make it even more secure?

Improve this question
2
  • 1
    Did you generate a key and pass it to the server before disabling password authentication? Are you attempting to log in as a non-root user, and is it the user that has the matching key? And did you run the semanage command in the comments at the top of the sshd_config?
    – Kefka
    Commented Nov 3, 2016 at 15:18
  • 1) yes i generated the key and passed it to the server before disabling password authentication 2) yes i am attempting to log in as a non-root user, and yes it is the user that has the matching key 3) and yes i runned the semanage command above i dont think it's a port issue, because if i try a different port i get 'Network Error, Connection refused' and for the key, i was able to log in with the non-root user before this happened when i disabled password authentication and changed default port number
    – Soufiaane
    Commented Nov 3, 2016 at 15:26

2 Answers 2

Reset to default
0

With CentOS7 you use firewallcmd. The best way is to disable the firewallcmd service, try to connect and if connection is successful, create a rule in firewallcmd.

Improve this answer
3
  • firewall-cmd --list-all public (default, active) interfaces: eth0 sources: services: dhcpv6-client ssh ports: 7431/tcp 25672/tcp 4369/tcp 8089/tcp 7432/tcp 5671-5672/tcp 7777/tcp 8883/tcp 61613-61614/tcp 15672/tcp masquerade: no forward-ports: icmp-blocks: rich rules: sudo semanage port -l | grep ssh_port_t ssh_port_t tcp 7777, 22 i don't think it's a Port issue
    – Soufiaane
    Commented Nov 3, 2016 at 16:02
  • "Which operation system do you use?" - This is a comment and does not belong in your answer. In the future you should seek clarification by submitting a comment, to the author's question, and once you have the clarification submit your answer.
    – Ramhound
    Commented Nov 4, 2016 at 13:49
  • "Which operation system do you use?" doesn't need to be in the answer because the original question is tagged with centos-7 so the second and third paragraphs do answer the original question.
    – karel
    Commented Nov 4, 2016 at 16:55
-1

My bad, i changed the location of the private key on my client and i didn't notice it wasn't loaded by Pageant

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .