Fix SSH Failed Permission Denied (publickey, gssapi-keyex, gssapi-with-mic).

This is the second in a series of posts featuring Protips, tips, tricks, hacks, and secrets provided by Our Team 🙊 — We want to share our top tips for the growing and thriving Linux community out there. Because sometimes you need a little help...

SSH Debugging and Logging

When you are experiencing an SSH connectivity error, there are a few steps you can take to troubleshoot it, depending on what is causing it. Below is a tip for troubleshooting one particular SSH connection denial.

To analyze SSH problems in Linux, you can turn on verbose mode or debugging mode. When you enable this mode, SSH prints out debugging messages which help troubleshoot issues with connection, configuration, and authentication.

There are three levels of verbosity:

  • level 1 (-v)
  • level 2 (-vv)
  • level 3 (-vvv)

Add the -v option (or -vv / -vvv for more detail) and run one of:

ssh -v [server_ip]

or

ssh -vv [server_ip]

or 

ssh -vvv [server_ip]

In our case we had an error:

...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
...

Following the permission denied statement, the parentheses list the authentication methods that were tried and failed when the connection was initiated. The error suggests that the public key itself is the issue, which is misleading.

Security problems usually involve a user being unable to reach a resource because of security restrictions. The SSH configuration option StrictModes protects public and private key files against the opposite problem: security that is too relaxed. Simply put, SSH will not work if the permissions on certain directories and files are not strict enough.

StrictModes

Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The StrictModes option is enabled if it is set to yes, commented out, or not present; it is found in /etc/ssh/sshd_config.

...
#StrictModes yes
...

Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.

Procedure

The target user must own, and have the following permissions on, these directories and files:

  • .ssh directory: 700 (drwx------)
  • public key (.pub files): 644 (-rw-r--r--)
  • private key (id_rsa): 600 (-rw-------)
  • lastly, your home directory should not be writeable by the group or others (at most 755 (drwxr-xr-x); preferably 700 (drwx------))

$ sudo chmod 700 ~/.ssh
$ sudo chmod 644 ~/.ssh/id_example.pub
$ sudo chmod 600 ~/.ssh/id_example
$ sudo chmod go-w ~        # remove group/other write from your own home directory


Using a TOTP (Google Authenticator)

If you are using Google Authenticator as a Time-based One-time Password (TOTP) for authentication and authorization, make sure its configuration file .google_authenticator has mode 400 (-r--------). Otherwise you will be denied access.
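As an added example (not code from the original post), the following POSIX shell function audits the ownership and modes that the procedure above and the TOTP note call for, and reports every file that is too loose. It assumes GNU coreutils stat (-c) and takes the home directory as an argument so it can be pointed at a test tree; the uid to expect as owner is the second argument and defaults to the current user.

```shell
#!/bin/sh
# Audit the files that sshd's StrictModes check (and the ssh client's own
# private-key mode check) look at, printing one line per finding.
# Assumes GNU coreutils stat. Example tree and paths are constructed by the caller.

# problem <path> <message>: print one finding and count it in $bad.
problem() { echo "$1: $2"; bad=$((bad + 1)); }

# check <path> <forbidden-octal-mask> <uid>: report if <path> exists and is not
# owned by <uid>, or has any bit of the mask set (022 = group/other write,
# 077 = any group/other access, 377 = anything beyond owner read).
check() {
    path=$1 forbidden=$2 uid=$3
    [ -e "$path" ] || return 0                      # absent file: nothing to check
    [ "$(stat -c %u "$path")" = "$uid" ] || { problem "$path" "not owned by uid $uid"; return 0; }
    mode=$(stat -c %a "$path")                      # e.g. 755
    # bitwise AND of the two octal values; non-zero means a forbidden bit is set
    [ $(( 0$mode & 0$forbidden )) -eq 0 ] || problem "$path" "mode $mode too permissive"
}

# audit_ssh_perms <home> [uid]: returns the number of findings (0 = all good).
audit_ssh_perms() {
    home=$1 uid=${2:-$(id -u)} bad=0
    check "$home" 022 "$uid"                        # home: not group/other writable
    check "$home/.ssh" 077 "$uid"                   # .ssh: 700
    check "$home/.ssh/authorized_keys" 022 "$uid"   # the file sshd itself reads
    for key in "$home"/.ssh/id_*; do
        case $key in
            *.pub) check "$key" 022 "$uid" ;;       # public key: 644
            *)     check "$key" 077 "$uid" ;;       # private key: 600
        esac
    done
    check "$home/.google_authenticator" 377 "$uid"  # TOTP secret: 400
    return $bad
}
```

Run it as `audit_ssh_perms "$HOME"` on the server side; a non-zero return with the printed paths tells you which chmod from the procedure above is still missing.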

Voila!
We hope you have found this post as useful and informative as we do.
Happy day.