Cannot activate ssh publickey auth

Anonym42
Posts: 2
Joined: 2020/04/28 08:49:47

Cannot activate ssh publickey auth

Post by Anonym42 » 2020/04/28 09:47:43

I hope this is the right place to post this issue.

I could connect from host1 to host2 through ssh using a password, this is working properly.
But I want to connect from host1 to host2 through ssh, using the publickey authentication method.

Regarding the information below:
The content of the files id_rsa.pub (host1) and authorized_keys (host2) is the same.
Security currently ignored for settings in sshd_config - I just want to get it working.
sshd was restarted of course.
SELinux is disabled.
Nothing on the filesystem was encrypted; still, I ran the 'restorecon' command for /home/xxx

Host1
Version: CentOS 7.7.1908

Code:

[xxx@yyy .ssh]$ ls -la /home/xxx/.ssh/

drwx------   2 xxx xxx .
drwx------. 23 xxx xxx ..
-rw-------   1 xxx xxx id_rsa
-rw-r--r--   1 xxx xxx id_rsa.pub
-rw-r--r--   1 xxx xxx known_hosts

Code:

[xxx@yyy .ssh]$ lsattr -l
./known_hosts                Extents
./id_rsa                     Extents
./id_rsa.pub                 Extents
Host2
Version: CentOS 7.6.1810

Code:

[xxx@zzz .ssh]# ls -la /home/xxx/.ssh/

drwx------   2 xxx xxx .
drwx------. 10 xxx xxx ..
-rw-------   1 xxx xxx authorized_keys

Code:

[root@zzz .ssh]# lsattr -l
./authorized_keys            Extents

Code:

[root@zzz .ssh]# cat /etc/ssh/sshd_config


HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server
Let's go? No.

Code:

[xxx@yyy .ssh]$ ssh -v xxx@zzz.***.local -o PreferredAuthentications=publickey

...
debug1: Authentications that can continue: password
debug1: No more authentication methods to try.
Permission denied (password).
So the only method that host2 offers to authenticate is "password", even though 'PubkeyAuthentication yes' is set in sshd_config and sshd was restarted several times.

What could cause that issue?
I have set up another server (CentOS 7.6.1810) just for testing, did the same configs as on host2 and I was able to connect through ssh with publickey auth within a few minutes....

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot activate ssh publickey auth

Post by TrevorH » 2020/04/28 10:30:04

> SELinux is disabled.
Don't do that, it's not sensible.

Reset all your changes to everything. None of them were required as publickeys are enabled out of the box and just work. Once you've done that, try to login and if it fails then read /var/log/secure on the server that you attempted to login to and it will tell you what the problem was.

Anonym42
Posts: 2
Joined: 2020/04/28 08:49:47

Re: Cannot activate ssh publickey auth

Post by Anonym42 » 2020/04/28 11:32:07

TrevorH wrote: 2020/04/28 10:30:04
>> SELinux is disabled.
> Don't do that, it's not sensible.

I am totally with you. There is a background story to this and I only mentioned that since I've read that encrypted home directories may cause issues using ssh publickey. If it is not essential to get the ssh publickey working, I won't enable it (at least right now).

TrevorH wrote: 2020/04/28 10:30:04
> Reset all your changes to everything. None of them were required as publickeys are enabled out of the box and just work. Once you've done that, try to login and if it fails then read /var/log/secure on the server that you attempted to login to and it will tell you what the problem was.

I made the following changes:
- generating an ssh-key (host1 ofc)
- copying the public key to the destination server (host2)
- edit sshd_config on host2 (without the ' )
=> 'GSSAPIAuthentication yes' to '#GSSAPIAuthentication yes'
=> 'GSSAPICleanupCredentials no' to '#GSSAPICleanupCredentials no'
=> '#PubkeyAuthentication yes' to 'PubkeyAuthentication yes'
Any other entries mentioned have been set by default.

If I undo the changes to sshd_config (host2) and try to connect, I get:

Code:

debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic,password).
Compared to my test server, there is only 'publickey' missing:

Code:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
I have commented out 'PubkeyAuthentication yes' in sshd_config on the test server and realized that after a restart of the sshd I was still able to connect to it using publickey.
Does that mean that as long as 'PubkeyAuthentication' is not explicitly set to 'no' the sshd will accept publickeys?

I have checked '/var/log/secure' on host2.
There is only one entry if I run the ssh command on host1:

Code:

Connection closed by [ip-of-host1] port ***** [preauth]
Edit1:
host2 is running on an ESXi environment with two nodes.
host2 may be moved from one node to the other automatically.
Might that cause the issue? To me it looks as if host2 does not allow publickey auth at all (according to the debug1 message)
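
A way to check the two things the thread leaves open, which methods the server actually offered and what sshd's effective configuration is, as an added example that is not part of any post. The function names and the sample `sshd -T` output are constructed for illustration; the two debug lines are the ones quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example: helper names and the sshd -T samples are constructed.

# Debug lines as quoted in the thread (host2 and the working test server).
HOST2_LOG='debug1: Authentications that can continue: password'
TEST_LOG='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password'

# Constructed samples of `sshd -T` output (effective config, lowercase keywords).
SSHD_T_DEFAULT='pubkeyauthentication yes
authenticationmethods any
passwordauthentication yes'
SSHD_T_BLOCKED='pubkeyauthentication no
authenticationmethods any
passwordauthentication yes'

# Read `ssh -v` output on stdin; print the method list from the last
# "Authentications that can continue" line.
offered_methods() {
  sed -n 's/^debug1: Authentications that can continue: //p' | tail -n 1
}

# Read `ssh -v` output on stdin; succeed only if publickey was offered.
offers_publickey() {
  offered_methods | tr ',' '\n' | grep -qx 'publickey'
}

# Read `sshd -T` output on stdin; print every effective setting that keeps
# publickey off the offered list. A commented-out PubkeyAuthentication line
# does not appear here, because sshd -T reports the resolved value.
pubkey_blockers() {
  awk '
    $1 == "pubkeyauthentication" && $2 != "yes" { print $1 " " $2 }
    $1 == "authenticationmethods" && $2 != "any" && $0 !~ /publickey/ { print $0 }
  '
}

# Demo on the embedded samples. On a live server, as root:
#   sshd -T | pubkey_blockers
# (add -C user=...,host=...,addr=... to evaluate Match blocks for one login)
printf 'host2 offers:       %s\n' "$(printf '%s\n' "$HOST2_LOG" | offered_methods)"
printf 'test server offers: %s\n' "$(printf '%s\n' "$TEST_LOG" | offered_methods)"
printf 'blockers (sample):  %s\n' "$(printf '%s\n' "$SSHD_T_BLOCKED" | pubkey_blockers)"
```

An empty result from `pubkey_blockers` together with a missing `publickey` in the offered list means the running daemon is not using the configuration being inspected.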
