There is a set of generic steps if one has to find the reason why sshd is refusing to accept a connection or keys.
The details below are for a systemd based system but alternative systems users would be able to find their way easily.
How to debug sshd systematically?
Start watching the journal
journalctl -u sshd -f
Set sshd logging to debug mode in /etc/ssh/sshd_config
LogLevel DEBUG
Restart the daemon to let the change take effect
systemctl restart sshd
We are set on the server side.
Try the client connection now
ssh -o IdentitiesOnly=yes -v -i ~/.ssh/key_to_the_kingdom king@kingdom.gov
- IdentitiesOnly disables trying other than the identity specified.
- -v to increase the client verbosity so one can see if the client is doing what is expected. (Is able to find and use the key on the client system, is able to negotiate the encryption algorithm, etc.)
(Not posting an example for the client.)
On the server (kingdom.gov in our example), we should see something like the following in the debug mode log:
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: userauth-request for user king service ssh-connection method none [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: attempt 0 failures 0 [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: PAM: initializing for "king"
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: PAM: setting PAM_RHOST to "75.73.78.71"
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: PAM: setting PAM_TTY to "ssh"
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: userauth-request for user king service ssh-connection method publickey [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: attempt 1 failures 0 [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:0hjXPXkM8d91W2D8bg3fcapifm5QJd7QV9wwOEMU1 [preauth]
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: temporarily_use_uid: 112233/10 (e=0/0)
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: trying public key file /home/king/.ssh/authorized_keys
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: Could not open authorized keys '/home/king/.ssh/authorized_keys': Permission denied
Jul 14 12:46:39 kingdom.gov sshd[4665]: debug1: restore_uid: 0/0
Jul 14 12:46:39 kingdom.gov sshd[4665]: Failed publickey for king from 83.69.65.84 port 52756 ssh2: RSA SHA256:0hjXPXkM8d91W2D8bg3fcapifm5QJd7QV9wwOEMU1
In my case, the problem was in SELinux not allowing to use authorized_keys
stored in the NFS home directory.
You may be asking: How can I check the permissions? What is the identity sshd uses to access the files?
Look at temporarily_use_uid: 112233/10
in the log above. There should be correct UID and primary GID for the user.
In my case, these values were taken from the name service (LDAP) and were as expected.
If the client user identity is incorrect, look into the name service configuration and resolve this issue first.
The directory and file ownership and permissions were as expected (at least u=x for ~
and ~/.ssh
directories, at least u=r for authorized_keys
, if owned by the user).
It was clear the reason must be in something like SELinux.
Let's check it:
getsebool use_nfs_home_dirs
use_nfs_home_dirs --> off
For that case, the answer by Nadav Aharoni resolves the problem.
setsebool -P use_nfs_home_dirs 1
Cleanup
- Restore
LogLevel DEBUG
in sshd_config
to the previous value. (Or comment it out to restore the default.)
systemctl restart sshd