Question

Why am I getting "permission denied (publickey, gssapi-keyex, gssapi-with-mic)" errors?

Answer and Explanation

The "permission denied (publickey, gssapi-keyex, gssapi-with-mic)" error when using SSH means the server rejected every authentication attempt the client made. The list in parentheses names the methods the server is willing to accept: public key authentication, GSSAPI key exchange, or GSSAPI with MIC (Message Integrity Check).

Here's a breakdown of the common causes and how to resolve them:

1. Incorrect Public Key Authentication:

- Missing or Incorrect Public Key: The most frequent cause. Ensure your public key (e.g., `~/.ssh/id_rsa.pub`) is properly copied to the `~/.ssh/authorized_keys` file on the remote server. Use `ssh-copy-id user@host` to simplify this process if available.

- Incorrect Permissions: The `~/.ssh` directory and `~/.ssh/authorized_keys` file on the server must have the correct permissions. They should be:

  - `~/.ssh`: `drwx------` (700)
  - `~/.ssh/authorized_keys`: `-rw-------` (600)

  Use the following commands on the server to fix permissions:

  ```sh
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys
  ```

- Key Mismatch: The private key you are using locally (e.g., `~/.ssh/id_rsa`) must correspond to the public key in `authorized_keys` on the server. If you've generated a new key pair, update the `authorized_keys` file.

2. GSSAPI Issues:

- GSSAPI Configuration: If GSSAPI authentication is enabled but not properly configured on either the client or server, it can lead to this error. GSSAPI (Generic Security Services Application Programming Interface) often involves Kerberos. Check the `/etc/ssh/sshd_config` file (server) and your SSH client configuration. Look for lines related to `GSSAPIAuthentication` and `GSSAPIKeyExchange`. If you're not intentionally using GSSAPI, try disabling it in the client's SSH configuration (`~/.ssh/config` or `/etc/ssh/ssh_config`) by setting `GSSAPIAuthentication no`.

- Kerberos Problems: If you are using Kerberos, ensure your Kerberos ticket is valid (`kinit`) and that the server is properly configured for Kerberos authentication.

3. SSH Configuration Problems:

- `sshd_config` Settings: The server's `sshd_config` file might have settings that are preventing public key authentication. Check for directives like `PubkeyAuthentication yes` and `PasswordAuthentication no`. With `PasswordAuthentication no` there is no password fallback, so public key authentication must succeed.

- `AuthorizedKeysFile`: Verify the `AuthorizedKeysFile` directive in `sshd_config` points to the correct path (usually `.ssh/authorized_keys`).

4. SSH Client Configuration:

- `IdentityFile`: The SSH client might be trying to use the wrong private key. In your `~/.ssh/config` file, specify the correct private key using the `IdentityFile` directive for the specific host. For example:

  ```
  Host your_host_alias
    Hostname your.remote.host
    User your_username
    IdentityFile ~/.ssh/your_private_key
  ```

- Authentication Methods: You can also explicitly specify the authentication methods to use in the `~/.ssh/config` file with the `PreferredAuthentications` directive. For instance, to force public key authentication, you could use `PreferredAuthentications publickey`.

5. Server-Side Issues:

- SELinux or AppArmor: Security-Enhanced Linux (SELinux) or AppArmor might be interfering with SSH access. Check the system logs (`/var/log/audit/audit.log` for SELinux, or the AppArmor logs) for any access denials related to SSH. You may need to adjust SELinux/AppArmor policies to allow SSH access to the user's home directory and `.ssh` files.

- Disk Quota: If the user on the remote server has exceeded their disk quota, it can prevent SSH from writing to the `authorized_keys` file or accessing other necessary files.

Troubleshooting Steps:

1. Verbose Mode: Use the `-v`, `-vv`, or `-vvv` options with the `ssh` command to get more detailed output. This can help pinpoint the authentication steps that are failing.

2. Check Server Logs: Examine the SSH server logs (usually in `/var/log/auth.log` or `/var/log/secure`) for error messages.

3. Simplify: Start with a very basic setup to eliminate variables. Ensure you can connect with a simple key pair and default SSH configurations before introducing more complex settings like GSSAPI.

By systematically checking these potential issues, you should be able to diagnose and resolve the "permission denied" error.
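The checks from cause 1 can be scripted. The following is an added example, not part of the original answer: a bash audit to run on the server that verifies the 700/600 modes and confirms that the key in a given `.pub` file appears in `authorized_keys`, including entries that begin with options such as `from="..."`. The function names `mode_of`, `key_is_authorized` and `audit_ssh_dir` are hypothetical.

```bash
# Added example: audit ~/.ssh modes and key presence (helper names are hypothetical).
# Usage: audit_ssh_dir ~/.ssh /path/to/id_ed25519.pub

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }

# Succeed if the key blob in .pub file $2 appears in authorized_keys file $1.
# An authorized_keys line may start with options, so the blob is taken as the
# field that follows the key-type token, not blindly as field 2.
key_is_authorized() {
  awk '
    function blob(   i) {
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) return $(i + 1)
      return ""
    }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    FILENAME == ARGV[1] { want = blob(); next }   # first file: the .pub key
    want != "" && blob() == want { found = 1 }    # second file: authorized_keys
    END { exit(found ? 0 : 1) }
  ' "$2" "$1"
}

# Report every failed check; return 0 only if all of them pass.
audit_ssh_dir() {
  local dir="$1" pub="$2" ak="$1/authorized_keys" rc=0
  [ "$(mode_of "$dir")" = 700 ] || { echo "FAIL: $dir mode is not 700"; rc=1; }
  if [ ! -f "$ak" ]; then
    echo "FAIL: $ak is missing"
    return 1
  fi
  [ "$(mode_of "$ak")" = 600 ] || { echo "FAIL: $ak mode is not 600"; rc=1; }
  key_is_authorized "$ak" "$pub" || { echo "FAIL: key in $pub is not in $ak"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: modes and key match"
  return "$rc"
}
```

Source the file and call `audit_ssh_dir` as the account you are trying to log in to; any `FAIL` line maps directly to one of the bullets under cause 1.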
