Cannot login to my server with SSH Keys "Server Refused Our Key"

  • I'm trying to set up automatic login so that I don't have to type in my username and password every single time I want to access my server through SSH. I followed this guide start to finish to set it up. When I attempt to connect to the server it spits out the error "Server refused our key" then asks for my regular password afterward.


    I turned on DEBUG3 in SSH logging settings, it gives me this:


    Code
    May 25 17:23:08 toaster sshd[4715]: debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
    May 25 17:23:08 toaster sshd[4715]: Failed publickey for exhaust from 192.168.0.10 port 56614 ssh2: RSA SHA256:XEgeZngtzAb63fsgT5RIw6eL+j86fNtQ2KOflgIFaag
    May 25 17:23:08 toaster sshd[4715]: debug3: mm_request_send entering: type 23
    May 25 17:23:08 toaster sshd[4715]: debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-512 [preauth]
    May 25 17:23:08 toaster sshd[4715]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
    May 25 17:23:08 toaster sshd[4715]: debug3: ensure_minimum_time_since: elapsed 5.196ms, delaying 1.827ms (requested 7.024ms) [preauth]
    May 25 17:23:08 toaster sshd[4715]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]

    I made sure that the .ssh folder has permissions set to 700, and the authorized_keys file is set to 600. The correct private key is imported into Putty. The type of key I generated is "SSH-2 RSA".


    Here is the exact text inside my authorized keys file:


    Code
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCQ/3K0Ovk4nwtxRddVqMB8E6MkxRoxdAG+h0B/UsWzE6zSUCzxaAJxA0mglTdrZ+G065l60LApLfG9mxoVwInBtQExxBknaZ6euWogvpb5IYwmPR/1oGg7/jaU+dXALFG1CD9/7X2TETF18btBjrGivH6u2sdAdJu86rI/NUqU3kzCbONdd/R9vCEMbLKq9BnjtY+LJPL1id0+cjXCDaJxudLi6229n9ON7jRODBzNgcy4j487IKb0txF6igbG5ZW5NKDWaGytLqloWmNunTpZQSj+sfngRgcs9AK7y04CepvddhRrT2Bw2/2XrVJJs1UPz0c5vdnYCSMstDnrM/Nz exhaust@192.168.0.42

    Any idea what could be going wrong here? It should not be rejecting RSA, should it? All guides recommend this exact setup.
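The "Failed publickey" line in the DEBUG3 log above includes the SHA256 fingerprint of the key the client offered, so it can be compared against what authorized_keys really contains. The following is an added example, not part of the original post: the helper names and the two ed25519 sample keys are constructed for illustration, and the option-prefix handling is deliberately simple.

```python
import base64, binascii, hashlib, re, struct

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(blob_b64):
    """Fingerprint as sshd logs it: unpadded base64 of SHA-256 over the key blob."""
    blob = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def authorized_fingerprints(text):
    """Return ({fingerprint: line_no}, [line numbers that do not parse])."""
    found, malformed = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, so search for the type token.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        try:
            found[fingerprint(tokens[idx + 1])] = n
        except (TypeError, IndexError, ValueError):
            malformed.append(n)  # no key type on the line, or invalid base64
    return found, malformed

def offered_key(log_line):
    """Extract (user, key type, fingerprint) from a 'Failed publickey' line."""
    m = re.search(r"Failed publickey for (\S+) from \S+ port \d+ ssh2: (\S+) (SHA256:\S+)", log_line)
    return m.groups() if m else None

def diagnose(log_line, authorized_text):
    offer = offered_key(log_line)
    if offer is None:
        return ("no failed-publickey line", [])
    found, malformed = authorized_fingerprints(authorized_text)
    # "listed" means the file content matches the offered key.
    return ("listed" if offer[2] in found else "not listed", malformed)

def make_sample_key(seed):
    """Constructed ed25519-shaped blob (not a real key), base64 encoded."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

KEY_A, KEY_B = make_sample_key(1), make_sample_key(2)
SAMPLE_AUTHORIZED = f"# constructed sample\nno-pty ssh-ed25519 {KEY_A} a@host\nAAAAorphanline\n"
SAMPLE_LOG = ("May 25 17:23:08 host sshd[1]: Failed publickey for a from 192.0.2.1 "
              "port 50000 ssh2: ED25519 ")

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG + fingerprint(KEY_A), SAMPLE_AUTHORIZED))
    print(diagnose(SAMPLE_LOG + fingerprint(KEY_B), SAMPLE_AUTHORIZED))
```

A "not listed" result points at the key material itself (wrong key loaded in the client, or a damaged paste); "listed" means the entry is intact and the rejection comes from somewhere else.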

  • Do not use weak RSA keys, they are disabled by default.

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • Do not use weak RSA keys, they are disabled by default.

    In what sense are they weak? I heard the old RSA keys are disabled but the new ones are good. So far looking around I have seen literally 100% of recommendations use RSA with zero exceptions.

  • I am not a crypto expert, but you can read here. https://goteleport.com/blog/comparing-ssh-keys/

    My recommendation is to use elliptic curve keys.


    It was not my choice to disable RSA keys in SSH, but if you know better, you can enable it in sshd_conf and are able to log in with your key.


  • And in the change log of openssh: https://www.openssh.com/txt/release-8.7


    You are right, only the old RSA keys signed with sha1 have been turned off:


    Code
    Note that the deactivation of "ssh-rsa" signatures does not necessarily
    require cessation of use for RSA keys. In the SSH protocol, keys may be
    capable of signing using multiple algorithms. In particular, "ssh-rsa"
    keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
    "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
    these is being turned off by default.


  • Can you try to convert the key to openssh format and use


    ssh -vvv  -i <path/to/converted/key> exhaust@192.168.0.42 (if this is the IP of omv) from the Windows cmd terminal?

  • Can you try to convert the key to openssh format and use


    ssh -vvv  -i <path/to/converted/key> exhaust@192.168.0.42 (if this is the IP of omv) from the Windows cmd terminal?

    It's in openssh format by default apparently.



    I tried doing it with CMD but everything broke severely, I never use SSH from cmd so it probably is not even configured. "Failed to open .ssh/config error:2" "async io completed with error 100061" "connection refused".

  • You will have to use the conversions menu and export the private key to %USERPROFILE%\.ssh


  • You will have to use the conversions menu and export the private key to %USERPROFILE%\.ssh

    Exactly the same list of errors if I do that exactly. If there is a setup process that needs to be completed to use ssh from command prompt, I have not done it, I used putty only before this.

  • Can you post the command and complete output in a codebox? It should give more details on how it tries to authenticate and what the server answers.

    Connection refused is only the last part.

    Connection refused normally indicates a network error / firewall.

  • Code
    >ssh -vvv  -i ~/.ssh/opensshkey.ppk exhaust@192.168.0.42
    OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
    debug3: Failed to open file:C:/Users/exhaust/.ssh/config error:2
    debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
    debug2: resolve_canonicalize: hostname 192.168.0.42 is address
    debug2: ssh_connect_direct
    debug1: Connecting to 192.168.0.42 [192.168.0.42] port 22.
    debug3: finish_connect - ERROR: async io completed with error: 10061, io:000001CE2AA12B60
    debug1: connect to address 192.168.0.42 port 22: Connection refused
    ssh: connect to host 192.168.0.42 port 22: Connection refused
  • Are you sure sshd is listening on port 22 on 192.168.0.4?

    It only complains about not finding client side config files (not needed) and can not get a connection to the server.


  • Good call, I thought I had my NAS set to port 22 still but it turns out I switched it. Here is what it looks like when I fixed the port number.


    I skimmed through this myself, nothing really stood out to me as obviously causing the issue. It does look like it is reading and sending the key correctly.

  • Did you choose the ppk extension for the key yourself? This usually is the key in PuTTY format.


    Can you give me head -3  C:\Users\exhaust\.ssh\opensshkey.ppk (the first three lines of the file)?

    It should be something like this:

    Code
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
    QyNTUxOQAAACBs3tMRjoic71cULuVQlDoENO7Vz+RmPhc7bKMbGtIfDwAAAKALz/WBC8/1

    not this:

    Code
    PuTTY-User-Key-File-2: ssh-rsa
    Encryption: aes256-cbc
    Comment: xxxxx


    But I think ssh would complain if you used the wrong key format.


    Here the problem occurs:

    Code
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51

    ... packet type '51' is defined as 'SSH_MSG_USERAUTH_FAILURE' (per RFC 4250).



    What is in the server logs at the time you try to connect with ssh from your client? (debug level 3)



    Stupid questions:

    - Is exhaust a user name on the server?

    - Is the .ssh directory in the user's home directory (cat /etc/passwd | grep exhaust)?

    - Do you have a typo in the authorized_hosts file name?



    And post the contents of your /etc/ssh/sshd_config file.


  • Did you choose the ppk extension for the key yourself? This usually is the key in PuTTY format.


    Can you give me head -3  C:\Users\exhaust\.ssh\opensshkey.ppk (the first three lines of the file)?

    It should be something like this:

    Yes, I did write .ppk onto the end myself, I think mainly because it wouldn't import back into PuTTY to look at unless I did, can't remember what the exact reason was now. Contents of that file's first 3 lines:


    Code
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAkP9ytDr5OJ8LcUXXVajAfBOjJMUaMXQBvodAf1LFsxOs0lAs
    8WgCcQNJoJU3a2fhtOuZetCwKS3xvZsaFcCJwbUBMcQZJ2menrlqIL6W+SGMJj0f

    There is an enormous log from when I tried to connect. First part that appears to be the most important to my eyes:


    I'll paste the rest in here:

    Kinda looks like it's just repeating the same thing over and over again, I have no idea why.


    - Is exhaust a user name on the server?


    Actual user name is just my irl name, I translate it to exhaust to paste here, I made sure I use exactly the correct username in commands.


    - Is the .ssh directory in the user's home directory (cat /etc/passwd | grep exhaust)?

    I don't know what that command is supposed to do, the directory is /home/exhaust/.ssh/ with one file in it called authorized_keys.


    - Do you have a typo in the authorized_hosts file name?

    I think you mean authorized_keys, in that case I don't think so, no. This is the result of checking:


    Code
    /home/exhaust/.ssh# file authorized_keys
    authorized_keys: OpenSSH RSA public key


    I'm really certain I haven't meddled with anything else, besides setting the permissions of the .ssh directory and the authorized_keys file to I think 700 and 600 manually, according to what guides said to do. These logs seem extremely arcane, the log produced from trying to connect was so long that it violated the 10,000 character limit of this forum so I just deleted most of it.


    edit: I counted, ALL of this was generated within 3 seconds of trying to connect with RSA key.



    switched port on that one

  • I do not see that sshd is trying to load your public key on the server side. It may be a problem with the ssh_sandbox.


    I would like to see log files (client + server) when doing an ssh login on the command line (PN if you like, and attach as file) and the sshd_config for your ssh daemon.


    I assume cd ~ puts you inside /home/exhaust (this is what the command you did not understand would have shown).

  • cd ~ does put me in /home/exhaust. I don't know where I would find log files for doing an ssh login from cmd, unless you mean just the output on the command line when I do the command with the debugging arguments.

  • cd ~ does put me in /home/exhaust. I don't know where I would find log files for doing an ssh login from cmd, unless you mean just the output on the command line when I do the command with the debugging arguments.

    Yes, that is the log / debug output.
