Recently, a project I was working on was heavily dependent on SSH and keys, and due to the multitude of errors and requests I recieved, I felt it was necessary to pull together some helpful information for troubleshooting SSH connections and their corresponding keys. If you are having problems connecting to an SSH server, this guide should help you track down your problem, as well as prevent future problems. Follow the guide, while testing your connection after every step.
less /var/log/secureThis will contain the logs pertaining to ssh authentication. It might be a good idea to turn on debuging in /etc/ssh/sshd_config to better clarify the problem. Add the following line to /etc/ssh/sshd_config
LogLevel DEBUG3After making any change to the config file, restart the service.
service sshd restartYou can now view the connection attempts in the console by issuing:
tail -f /var/log/secureTo exit, just do a control+C
ssh-keygen -yThis can be used to generate the public key for a known private key. By comparing the output of this command to what you believe to be the public key, you can determine if the key's match. For Example:
[user@linux .ssh]$ ssh-keygen -y Enter file in which the key is (/home/user/.ssh/id_rsa): /home/user/.ssh/id_dsa [KEY Here...................................... . . .................................. ] [user@linux .ssh]$ cat /home/user/.ssh/id_dsa.pub [KEY Here...................................... . . .................................. ] user@linuxVerify that most of the numbers look ok. The odds of two keys being off by only a few numbers are very small. The error would be blatant. If the key's do not match (or do not exist), generate new key's. See Generating New Key's at the end of this article.
# Do these as root. This assumes that your user's name is user, # so you should change the name accordingly. chown user:user /home/user/.ssh chmod 700 /home/user/.ssh chown user:user /home/user/.ssh/* chmod 640 /home/user/.ssh/* # These files may not exist chmod 600 /home/user/.ssh/identity chmod 600 /home/user/.ssh/id_dsa chmod 600 /home/user/.ssh/id_rsa
nano -w /etc/ssh/sshd_configThis file contains the settings used by the SSH Daemon. Any line preceded by a "#" is commented out and shows the default setting. For Example:
#Port 22Means that no change has been made from the default, and the default is Port 22 for SSH connections. Look through the file for the following settings, and note their values. The defaults are listed here.
#AuthorizedKeysFile .ssh/authorized_keys2 #PasswordAuthentication yesFor troubleshooting purposes you should comment out the lines. Also look for:
AllowUsersIf that line is present, make sure that your user's name is listed. (If its not listed, you can add it for extra security.) For Example:
AllowUsers user user1 user2Remember to restart the service:
service sshd restart
# This is to be done as a normal user. I'm using DSA keypairs for an example. ssh-keygen -t DSA # This will create two files: ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub # You can optionally create a passphrase for the keys, as an added level of security. # Copy the public key to your authorized_keys2 file. cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys2 # Copy the id_dsa to your client machine # mv id_dsa .ssh/id_dsa # chmod 600 .ssh/id_dsa