Password Authentication only denied OpenSSH - windows

Specifically to only using PasswordAuthentication to make a connection. I know there are many posts with regards to public key permission denied. With remote SSH connection attempt:
sshd PC UserName@staticIP : Permission denied (publickey,keyboard-interactive)
root@staticIP : Permission denied (publickey,keyboard-interactive)
I have a windows PC behind a (public) router which has a static IP assigned to it. For now I just want to get an initial ssh connection before moving to key authentication. I am not getting a password prompt:
Settings sshd_config:
PermitRootLogin yes
PubkeyAuthentication no
PasswordAuthentication yes
Logging yes
LogLevel VERBOSE
On the public router with static IP:
SSH and port 22 is allowed on my router, inbound and outbound.
I get no log message in my router's Firewall Log when trying to ssh in.
I have port forwarding on, for port 22 to the PC where I have the
sshd running.
sshd PC: Firewall has inbound rule allowed for port 22 SSH. The "Allow apps to communicate through Windows Defender Firewall" is also allowed on Private and Public for both OpenSSH Server and OpenSSH SSH Server.
HrPing is successful: hrping staticIP -p 22 -n 4 -l 1000
Using PowerShell as administrator as well as from an Ubuntu PC I have tried:
ssh sshd PC UserName@staticIP -p 22
ssh root@staticIP -p 22
On the sshd/Server PC > Services > OpenSSH SSH Server > Log On: should that be selected as Local System Account or This account - and then you select a user?
In ProgramData > SSH > Logs:
10952 2022-06-15 16:36:18.724 Connection from 102.250.4.93 port 12692 on <Local LAN IP address sshd PC> port 22
10952 2022-06-15 16:36:18.987 Connection reset by authenticating user <UserName> 102.250.4.93 port 12692 [preauth]
I get no messages in windows eventViewer under OpenSSH. There are no keys at either the client or sshd PC. With the initial connection attempt, the sshd PC's fingerprint is copied over to the client's known_hosts folder, but that also ends in permission denied.
PS C:\users\myUser\.ssh> ssh UserName@staticIP -p 22 -v
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to staticIP [staticIP] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\myUser/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\myUser/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to staticIP:22 as 'UserName'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:gYkCT81kmqzhDjEIFipnAl2N8ZjtrF3WwOeIKYBQy98
debug1: Host 'staticIP' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\myUser/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\myUser/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
UserName@staticIP: Permission denied (publickey,keyboard-interactive).
sshd_config file:
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/id_ed25519
# Ciphers and keying
#RekeyLimit default none
#Logging yes
#SyslogFacility AUTH
#LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication no
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /etc/ssh/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

You can see from the debug output
debug1: Authentications that can continue: publickey,keyboard-interactive
and from the final error message
Permission denied (publickey, keyboard-interactive)
That the server is not accepting password authentication method (otherwise the word password would've been included in the list).
If you have set PasswordAuthentication to yes by yourself then make sure to restart the ssh service in order for the changes to take effect.
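Added example (not part of the original answer): a small triage script that reads `ssh -v` client output the way the answer does, by comparing the server's "Authentications that can continue" list with what the client actually tried. The sample traces are constructed (the first is a shortened copy of the trace above); the finding codes and function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: shortened copy of the first trace on this page.
TRACE_NO_PASSWORD = r"""debug1: Authenticating to staticIP:22 as 'UserName'
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\myUser/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
UserName@staticIP: Permission denied (publickey,keyboard-interactive).
"""

# Constructed sample: a key is offered and refused, then the password fails.
TRACE_REJECTED = """debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:CONSTRUCTED /home/alice/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
alice@host.example: Permission denied (publickey,password).
"""

# Constructed sample: public-key login succeeds.
TRACE_OK = """debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:CONSTRUCTED /home/alice/.ssh/id_rsa
debug1: Authentication succeeded (publickey).
"""

ADVERTISED = re.compile(r"^debug1: Authentications that can continue: (\S+)")
NEXT = re.compile(r"^debug1: Next authentication method: (\S+)")
# Older clients print "Offering RSA public key:", newer "Offering public key:".
OFFER = re.compile(r"^debug1: Offering (?:\w+ )?public key: (.+)$")
SUCCESS = re.compile(r"^debug1: Authentication succeeded \(([\w-]+)\)")


@dataclass
class AuthTrace:
    advertised: List[str] = field(default_factory=list)    # methods the server allows
    attempted: List[str] = field(default_factory=list)     # methods the client tried
    offered_keys: List[str] = field(default_factory=list)  # keys sent to the server
    succeeded: Optional[str] = None


def parse_trace(text: str) -> AuthTrace:
    trace = AuthTrace()
    for line in text.splitlines():
        line = line.strip()
        if m := ADVERTISED.match(line):
            trace.advertised = m.group(1).split(",")
        elif m := NEXT.match(line):
            trace.attempted.append(m.group(1))
        elif m := OFFER.match(line):
            trace.offered_keys.append(m.group(1))
        elif m := SUCCESS.match(line):
            trace.succeeded = m.group(1)
    return trace


def diagnose(trace: AuthTrace) -> List[Tuple[str, str]]:
    if trace.succeeded:
        return [("OK", f"authenticated with {trace.succeeded}")]
    if not trace.advertised:
        return [("NO_AUTH_STAGE", "trace never reached user authentication")]
    findings = []
    if "password" not in trace.advertised:
        findings.append(("PASSWORD_NOT_OFFERED",
                         "server's method list has no 'password', so the client "
                         "never prompts; check PasswordAuthentication in the "
                         "config the running sshd loaded, then restart it"))
    if "publickey" in trace.advertised:
        if trace.offered_keys:
            findings.append(("KEY_REJECTED",
                             "server refused the offered key; check the account's "
                             "authorized_keys content and permissions"))
        else:
            findings.append(("NO_KEY_OFFERED",
                             "client logged no 'Offering public key' line; files "
                             "under 'Trying private key' may not exist"))
    if "password" in trace.attempted:
        findings.append(("PASSWORD_REJECTED",
                         "password was sent and refused; see the server log"))
    return findings


def codes(text: str) -> List[str]:
    return [code for code, _ in diagnose(parse_trace(text))]


if __name__ == "__main__":
    for name, sample in [("no-password", TRACE_NO_PASSWORD),
                         ("rejected", TRACE_REJECTED), ("ok", TRACE_OK)]:
        print(name, codes(sample))
```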

Related

Windows openssh with authorized_keys still ask for user password

When I try to connect using Windows ssh to Windows OpenSSH server using a private key, ssh still ask for password.
I have installed OpenSSH by adding OpenSSH Server Windows additional capabilites.
I started manually the OpenSSH SSH Server Windows service using Windows service management console.
Then I created a public/private key pair using ssh-keygen -t ed25519
I have copied the public key in clientssh account .ssh directory with:
PS C:\Users\user> ssh clientssh@127.0.0.1 mkdir C:\Users\clientssh\.ssh\
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:FD9uvvMTBBDMF3jkzZTMEk7iUImY/a7oZRe+wwusCN4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
clientssh@127.0.0.1's password:
PS C:\Users\user> scp .ssh\id_ed25519.pub clientssh@127.0.0.1:C:\Users\clientssh\.ssh\authorized_keys
clientssh@127.0.0.1's password:
id_ed25519.pub 100% 103 51.5KB/s 00:00
And then when I try to connect to clientssh account I am asked the password of the private key which shows that ssh has found it, that it succeeded to uncrypt it (no requested again) but then the key seems to be ignored because I am also requested the clientssh password.
PS C:\Users\user> ssh -v clientssh@127.0.0.1 dir .ssh
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\user/.ssh/id_rsa type -1
debug1: identity file C:\\Users\\user/.ssh/id_rsa-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_dsa type -1
debug1: identity file C:\\Users\\user/.ssh/id_dsa-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_ecdsa type -1
debug1: identity file C:\\Users\\user/.ssh/id_ecdsa-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_ed25519 type -1
debug1: identity file C:\\Users\\user/.ssh/id_ed25519-cert type -1
debug1: identity file C:\\Users\\user/.ssh/id_xmss type -1
debug1: identity file C:\\Users\\user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 127.0.0.1:22 as 'clientssh'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:FD9uvvMTBBDMF3jkzZTMEk7iUImY/a7oZRe+wwusCN4
debug1: Host '127.0.0.1' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\user/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: Will attempt key: C:\\Users\\user/.ssh/id_rsa
debug1: Will attempt key: C:\\Users\\user/.ssh/id_dsa
debug1: Will attempt key: C:\\Users\\user/.ssh/id_ecdsa
debug1: Will attempt key: C:\\Users\\user/.ssh/id_ed25519
debug1: Will attempt key: C:\\Users\\user/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\user/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\user/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\user/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\user/.ssh/id_ed25519
debug1: read_passphrase: can't open /dev/tty: No such file or directory
Enter passphrase for key 'C:\Users\user/.ssh/id_ed25519':
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: C:\\Users\\user/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
clientssh@127.0.0.1's password:
debug1: Authentication succeeded (password).
Authenticated to 127.0.0.1 ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending command: dir .ssh
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est FA33-B148
Répertoire de C:\Users\clientssh\.ssh
22/08/2022 16:38 <DIR> .
22/08/2022 16:38 <DIR> ..
22/08/2022 16:38 103 authorized_keys
1 fichier(s) 103 octets
2 Rep(s) 54860242944 octets libres
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2136, received 3084 bytes, in 0.1 seconds
note: I fixed few invalid code page characters in above capture.
I read the other topics close to this one but either they are not applicable because Linux oriented or because there is no real solution. The only thing I get from them is the idea to use -v on ssh. Though this did not help me a lot...
I finally found Windows OpenSSH troubleshooting documentation that is located on GitHub (not on traditional Microsoft site!):
https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps
As explained in that documentation, I added the DEBUG3 log level to OpenSSH server configuration file (lower debug levels do not reveal the issue). And I found that the access to authorization file in clientssh account was authorized for user account.
16004 2022-08-24 10:01:54.598 debug1: trying public key file C:\\Users\\clientssh\\.ssh/authorized_keys
16004 2022-08-24 10:01:54.599 debug3: Bad permissions. Try removing permissions for user: DESKTOP-N2I2AHF\\user (S-1-5-21-2546763314-2673200902-885207948-1001) on file C:/Users/clientssh/.ssh/authorized_keys.
16004 2022-08-24 10:01:54.599 Authentication refused.
This was surprising because I copied the file using ssh.
But I finally understood how the access rights have been corrupted: I had verified with the user account that the authorized file had been correctly copied. This was possible because user account has administrative privileges. And it appears that when you ask to access to a directory you normally have no access rights, instead of impersonating administrator to get the rights, the Explorer modifies the directory access rights to give you permanent access to the directory!
Removing user access to clientssh account allows OpenSSH to work properly.

Asking for password when pushing to gitea with ssh

I have just set up my own gitea service on the Ubuntu server (the server is run with user gitea). The following steps have been done:
generate ssh key on my windows pc, and store at C:\Users\<user_name>\.ssh, namely id_rsa_gitea and id_rsa_gitea.pub
copy and set the public key on my gitea account setting page
There are existing key files for my GitHub account in the directory, namely id_rsa and id_rsa.pub. I modified the file config in the same directory as
Host github.com
HostName github.com
User git
IdentityFile C:/Users/<user_name>/.ssh/id_rsa
IdentitiesOnly yes
Host 192.168.200.101
HostName 192.168.200.101
User gitea
IdentityFile C:/Users/<user_name>/.ssh/id_rsa_gitea
IdentitiesOnly yes
Pushing to GitHub works fine. But when I try to push to gitea, it gets
$ git push -u origin master
gitea@192.168.200.101's password:
Permission denied, please try again.
gitea@192.168.200.101's password:
Permission denied, please try again.
gitea@192.168.200.101's password:
\302\226gitea@192.168.200.101: Permission denied (publickey,password).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I have tested the ssh connection in the git bash console with ssh -v gitea@192.168.200.101, and gets
OpenSSH_7.6p1, OpenSSL 1.0.2m 2 Nov 2017
debug1: Reading configuration data /c/Users/admin/.ssh/config
debug1: /c/Users/admin/.ssh/config line 26: Applying options for 192.168.200.101
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.200.101 [192.168.200.101] port 22.
debug1: Connection established.
debug1: identity file C:/Users/admin/.ssh/id_rsa_gitea type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:/Users/admin/.ssh/id_rsa_gitea-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.200.101:22 as 'gitea'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YqpRDueradBcei52m4ahex5DgTOwI3QvgJohoZSMzTs
debug1: Host '192.168.200.101' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/admin/.ssh/known_hosts:23
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:DCCnO6UzUiXYhZiNxeaS4SV05fIUZhHK/ZGDPPI6cwc C:/Users/admin/.ssh/id_rsa_gitea
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.200.101 ([192.168.200.101]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: PTY allocation disabled.
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: PTY allocation disabled.
PTY allocation request failed on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.200.101 closed.
Transferred: sent 3720, received 3624 bytes, in 0.2 seconds
Bytes per second: sent 15126.0, received 14735.7
debug1: Exit status 1
I've tried multiple variations of this, but none of them seem to work. Any ideas?
Update: Push with http works fine. I switched back to ssh and tried to push again, now I get:
Pushing to gitea@192.168.200.101:guanhuizhe/example-repo.git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
During this push the sshd log of the ubuntu server is:
Oct 16 18:08:29 DataStorage2 sshd[29981]: Accepted publickey for gitea from 192.168.200.141 port 14967 ssh2: RSA SHA256:DCCnO6UzUiXYhZiNxeaS4SV05fIUZhHK/ZGDPPI6cwc
Oct 16 18:08:29 DataStorage2 sshd[29981]: pam_unix(sshd:session): session opened for user gitea by (uid=0)
Oct 16 18:08:29 DataStorage2 sshd[30017]: Received disconnect from 192.168.200.141 port 14967:11: disconnected by user
Oct 16 18:08:29 DataStorage2 sshd[30017]: Disconnected from 192.168.200.141 port 14967
Oct 16 18:08:29 DataStorage2 sshd[29981]: pam_unix(sshd:session): session closed for user gitea
Update v2:
The problem is caused by the Ubuntu user I used to run the gitea binary. This user does not have shell. I delete the user and configure a normal user. Everything works fine. Thanks for every one!!
\302\226gitea@192.168.200.101 means the origin in the local git config file .git/config is not gitea, but <START OF GUARDED AREA>gitea.
You can change your Host entry (in ~/.ssh/config) with "gitea" (easier to type than 192.168.200.101)
Test it with:
ssh -Tv gitea
Check also the ~gitea/.ssh/authorized_keys file, to ensure the public key has been added by gitea, and is in a SSH forced command line.
You should see something like:
command="/path/to/gitea --config='/path/to/app.ini' serv key-2",\
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty \
ssh-rsa <yourPublicKey>
If you want to use your ~/.ssh/config entry, then you will need to change your remote:
cd /path/to/repo
git remote set-url origin gitea:<me>/myrepo
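Added example (not part of the original answer): a check of the gitea account's authorized_keys file for the forced-command form the answer describes. A key in that file without `command=` gives its holder a normal login as the gitea user rather than repository access only. The sample file, key blobs and comments are constructed, and the `serv key-<id>` pattern is taken from the answer's example line.

```python
import re
from typing import Dict, List

# Restrictions shown in the answer's example line (option names are
# case-insensitive, so they are compared in lower case).
REQUIRED = {"no-port-forwarding", "no-x11-forwarding",
            "no-agent-forwarding", "no-pty"}

# One option: a bare name, or name="quoted value" (value may hold spaces/commas).
_OPTION = r'[A-Za-z0-9-]+(?:="(?:\\.|[^"\\])*")?'
ENTRY = re.compile(
    rf'^(?:(?P<opts>{_OPTION}(?:,{_OPTION})*)\s+)?'
    r'(?P<type>(?:ssh-|ecdsa-sha2-|sk-)\S+)\s+(?P<blob>\S+)'
)
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

# Constructed sample file: one entry per line, as sshd requires.
SAMPLE_AUTHORIZED_KEYS = """\
command="/path/to/gitea --config='/path/to/app.ini' serv key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed user@pc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed admin@laptop
command="/path/to/gitea --config='/path/to/app.ini' serv key-3",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed2 ci@builder
"""


def audit(text: str) -> Dict[int, List[str]]:
    """Return {line number: problems} for entries that are not locked down."""
    findings: Dict[int, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            findings[lineno] = ["unparseable entry"]
            continue
        opts = {name.lower(): value
                for name, value in OPT_RE.findall(m["opts"] or "")}
        problems = []
        if "command" not in opts:
            problems.append("no forced command: key grants a normal login shell")
        elif not re.search(r"\bserv key-\d+\b", opts["command"]):
            problems.append("forced command is not a 'serv key-<id>' call")
        # 'restrict' (OpenSSH 7.2+) turns on all of the restrictions at once.
        if "restrict" not in opts:
            missing = REQUIRED - opts.keys()
            if missing:
                problems.append("missing restrictions: "
                                + ", ".join(sorted(missing)))
        if problems:
            findings[lineno] = problems
    return findings


if __name__ == "__main__":
    for lineno, problems in audit(SAMPLE_AUTHORIZED_KEYS).items():
        print(f"line {lineno}: " + "; ".join(problems))
```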

How to fix "ssh permission denied please try again error" in git configuration on Windows

I am trying to configure git server and client on two local windows machines. I installed git software on both the machines. Enabled openssh server optional feature on the server and created a bare repository on the server. Then tried to clone the server's bare repository on the client, it asked me the password of the server's user but, even after I entered the right password it was giving the below error message.
Permission denied (publickey,password,keyboard-interactive).
I have tried to figure out the cause for the error. After browsing for this error on google I got to know that it is ssh not configured properly. One suggestion I found was to check if ssh working properly without git involvement using the command
ssh -Tv ram-pc1@10.208.27.100, it also failed by giving below error message:
$ ssh -Tv ram-pc1@10.208.27.100
OpenSSH_7.7p1, OpenSSL 1.0.2p 14 Aug 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.208.27.100 [10.208.27.100] port 22.
debug1: Connection established.
debug1: identity file /c/Users/Admin/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Admin/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_7.6
debug1: match: OpenSSH_for_Windows_7.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.208.27.100:22 as 'ram-pc1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:27NSp0TODhiZ68zbYLvsaqPNMp8tE0ZanMeoeQp+u14
debug1: Host '10.208.27.100' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/Admin/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:2KyRU6bbWWkN+IBYN6xiuWQuHl0pKL6Cim6K4/6RBek /c/Users/Admin/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /c/Users/Admin/.ssh/id_dsa
debug1: Trying private key: /c/Users/Admin/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/Admin/.ssh/id_ed25519
debug1: Trying private key: /c/Users/Admin/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
ram-pc1@10.208.27.100's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
ram-pc1@10.208.27.100's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
ram-pc1@10.208.27.100's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
ram-pc1@10.208.27.100: Permission denied (publickey,password,keyboard-interactive).
Below is my ssh_config file settings:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp sftp-server.exe
# Example of overriding settings on a per-user basis
#Match User anoncvs
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
I have spent a lot of time to resolve this error. But not succeeded. Please help in solving this problem. Thanks in advance.
Check the content of ~ram-pc1/.ssh/authorized_keys on the 10.208.27.100 server side: it should include your public key.
Said public key should be an rsa one (without passphrase for now) named C:\Users\Admin\.ssh\id_rsa.pub (and id_rsa for the private) key, generated with ssh-keygen -t rsa -P ""

GPDB : SSH permission denied (public key)

When trying to ssh (from greenplum system user) one of datanode from Master gpdb host.
env - gpdb 4.3.10
Getting error
[gpadmin@mdw ~]$ ssh datanode
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[gpadmin@mdw ~]$
WE Tried
Tried on pivotal docs
https://discuss.pivotal.io/hc/en-us/articles/203777546-gpssh-exkeys-Fails-with-Error-Permission-denied-During-Local-Key-Exchange
Also, observed node not able to SSH any of data node/master host.
**Here is verbose mode -v with SSH info**
debug1: Host 'datanode01' is known and matches the ECDSA host key.
debug1: Found key in /home/gpadmin/.ssh/known_hosts:3
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/gpadmin/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/gpadmin/.ssh/id_dsa
debug1: Trying private key: /home/gpadmin/.ssh/id_ecdsa
debug1: Trying private key: /home/gpadmin/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
I think the problem isn't the root login as that doc suggests but rather, password authentication is disabled. Try running this on ALL nodes:
sudo sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
sudo service sshd restart
echo "gpadmin:changeme" | sudo chpasswd
Then retry gpssh-exkeys as gpadmin.
gpssh-exkeys -f all_hosts
After you exchange the keys, you can disable password authentication again.
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
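Added example (not part of the original answer): the literal `sed` substitution above only changes lines spelled exactly `PasswordAuthentication no`, so it can miss the global setting and rewrite one inside a `Match` block instead. The sketch below sets a global sshd_config keyword by parsing directives (keywords are case-insensitive, the first global occurrence wins, commented lines do not count). The sample config and function names are constructed for this example.

```python
import re
from typing import Optional

# An active directive: keyword, then whitespace (or '='), then the value.
# Comment lines start with '#' and therefore never match.
DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)[ \t=]+(.*?)\s*$")

# Constructed sample: the global setting is lower-case with extra spaces,
# and a per-user override sits in a Match block.
SAMPLE_CONFIG = """\
#PasswordAuthentication yes
PubkeyAuthentication yes
passwordauthentication   no
Match User backup
    PasswordAuthentication no
"""


def effective_global(text: str, key: str) -> Optional[str]:
    """Value sshd uses outside Match blocks, or None if the keyword is unset."""
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()
        if keyword == "match":
            return None          # everything below is conditional
        if keyword == key.lower():
            return m.group(2)    # first occurrence wins
    return None


def set_global(text: str, key: str, value: str) -> str:
    """Set `key` in the global section, leaving Match blocks untouched."""
    lines = text.splitlines()
    insert_at = len(lines)
    for i, line in enumerate(lines):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()
        if keyword == "match":
            insert_at = i        # a new global line must precede the first Match
            break
        if keyword == key.lower():
            lines[i] = f"{key} {value}"
            return "\n".join(lines) + "\n"
    lines.insert(insert_at, f"{key} {value}")
    return "\n".join(lines) + "\n"


def sed_like(text: str) -> str:
    """What the answer's literal substitution does to the same text."""
    return text.replace("PasswordAuthentication no", "PasswordAuthentication yes")


if __name__ == "__main__":
    print("after sed:       ", effective_global(sed_like(SAMPLE_CONFIG), "PasswordAuthentication"))
    print("after set_global:", effective_global(
        set_global(SAMPLE_CONFIG, "PasswordAuthentication", "yes"), "PasswordAuthentication"))
```

On a real host, `sshd -t` validates the edited file and `sshd -T` prints the effective settings; the service still has to be restarted for the change to apply.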

Permission denied to connect to Amazon EC2 using SSH at Windows 8

I'm starting using Amazon EC2 service. I have installed an Amazon Linux instance, set the PEM file, opened the SSH ports and installed a GIT service.
My local environment it's Windows 8.
Through putty and WinSCP I can connect without problems. I have followed the docs and converted my PEM file to a PPK and everything works fine.
The problem is when I try to do a git push from my local machine. I always get a "permission denied (public key)" when I try to connect. I have made a ssh-add to PEM file using the git bash, generated a custom key through the GIT Bash and added this key to the key pairs at the EC2 Instance and nothing works...
If I try (using git bash) a ssh -i and specify the PEM file, I have a connection.
ssh -i c:/[PATH]/[PEM-FILE].pem ec2-user@[HOST].compute.amazonaws.com
If I try without -i, no connection.
$ ssh ec2-user@[HOST].compute.amazonaws.com
Permission denied (publickey).
Here follows the trace with -vT command:
ssh -vT ec2-user@[HOST].compute.amazonaws.com
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Connecting to [HOST].compute.amazonaws.com [54.201.110.48] port 22.
debug1: Connection established.
debug1: identity file [PATH]/Usuario/.ssh/identity type -1
debug1: identity file [PATH]/Usuario/.ssh/id_rsa type 1
debug1: identity file [PATH]/Usuario/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[HOST].compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in [PATH]/Usuario/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: [PATH]/Usuario/.ssh/identity
debug1: Offering public key: [PATH]/Usuario/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: [PATH]/Usuario/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
So, there's a way to connect via SSH without the -i option?
After several tries, I found an article with some instructions here https://serverfault.com/questions/194567/how-do-i-tell-git-for-windows-where-to-find-my-private-rsa-key
I followed these steps: "After you have the home directory, and a .ssh folder under that, you want to open PuTTYgen and open the key (.ppk file) you have previously created. Once your key is open, you want to select Conversions -> Export OpenSSH key and save it to HOME.ssh\id_rsa. After you have the key at that location, Git bash will recognize the key and use it"
@Everton Menonca's answer is great. It saved my day in fact. Just for the sake of more details, I am going to mention my case:
Load the private key (generated by EC2) in your PuTTYgen, and from it, export OpenSSH key.
Place the exported file in the home directory of all keys. In my case (windows) was C:\Users\USERNAME\.ssh
Since I have multiple remotes I am connecting to using Bash, I updated my config file (under the same directory), by adding extra entry, to be like the following:
Host bitbucket.org
IdentityFile ~/.ssh/id_rsa1
Host ec2-00-00-000-00.compute-1.amazonaws.com
IdentityFile ~/.ssh/id_rsa2
That's all
