Related

Is it possible to configure an sftp user for uploading and editing but NOT downloading files? Question Question
Set umask for another user Question Question

Question

SSH Server refused our key

Posted June 4, 2017 63.8k views
SecurityUbuntu 16.04

I’ve been at this an hour and just cannot get SSH to bloody work. I tried this last year and gave up, thought I would give it a crack.

I follow the tutorial: https://www.digitalocean.com/community/tutorials/how-to-create-ssh-keys-with-putty-to-connect-to-a-vps

One difference is the command to close was “Esc, :, w, q, Enter” That did not work so I looked it up and SHIFT + Z + Z saves the file and closes it. I rechecked the file and it indeed saved it.

I go to connect and no lucky, big fat “Server refused our key”
I don’t know what to do, why is SSH not easy to setup, I want it to be secure but no lets make it stupidly hard! I’m a go grumble over here and be incredibly appreciative of any help lol

Add a comment
Thrax
By:
Thrax
Add a comment
1 comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
5 answers
jtittle1 June 5, 2017

@Thrax

How you’d go about setting it up really depends on whether you’re trying to set it up for root or for a non-root user. The steps are almost the same, but differ slightly.

For example, for root, ~/.ssh already exists so it doesn’t need to be created. For all other users, it does and you need to set proper permissions on those directories.

That being said, the easiest method of deploying SSH keys is to simply deploy them with the server so that you don’t need to physically add the initial one (for the root user).

How you log in also depends on your OS. If you’re on MacOS (or OS X), then you’d run:

ssh user@server_ip -i ~/.ssh/private_key

Where user is the username (such as root or the user you created), server_ip is the Droplet IP, and the path at the end, ~/.ssh/private_key, is the path to your private key that was generated when you created your key pair.

If you’re on Windows, it’s a little different depending on what you use to log in. Most commonly, PuTTy is used, which requires that you convert the OpenSSH key to a PuTTy formatted key, and then use that key to login. It’s an extra step, but many programs use PuTTy key format (such as FileZilla).

So my first question would be, what OS are you using (MacOS or Windows)?

Next, what program are you using to try to login, Terminal (Mac OS), PuTTy, or something else?

Reply Report
  • Thrax June 5, 2017

    I am using a windows to access the server via PuTTY. The keys were created using PuTTy Key Gen. I made sure I used the OpenSSH key to paste into this nano ~/.ssh/authorized_keys
    I went through the setup using a user I setup but then I redid it all using the root just to be sure.

    Reply Report
    • jtittle1 June 5, 2017

      @Thrax

      Ok, just to confirm, the string that’s in ~/.ssh/authorized_keys does start with either:

      ssh-rsa ....

      or

      ssh-ed25519 ....

      … correct? (the .... is just short for the rest of the string)

      If so, just to troubleshoot from a different perspective, I would log in to the Droplet and then generate a key on the server.

      First off, log in as root, then run:

      ssh-keygen -a 1000 -b 4096 -o -t rsa

      You’ll be prompted for a save location, use:

      ~/.ssh/name_of_key

      Choose a passphrase when prompted; confirm it. What you’ll see once the key is generated is:

      ~/.ssh/name_of_key (this is your private key)
~/.ssh/name_of_key.pub (this is your public key)

      Now, we’ll add the key to authorized_keys.

      cat ~/.ssh/name_of_key.pub >> ~/.ssh/authorized_keys

      The above command gets the contents of your key and adds it to the file. Confirm that the key was added by running:

      cat ~/.ssh/authorized_keys

      If the public key shows up, we’ll delete the public key from the server using:

      rm -rf ~/.ssh/name_of_key.pub

      Now you need to download your private key to your PC/Laptop. We’ll convert it to PPK using puttygen.

      Open puttygen and click on Conversions => Import Key. Choose the private key that you downloaded from your Droplet.

      You’ll need to confirm the passphrase to do the import. Once that’s done, all you need to do to use the key is click on Save Private Key and make sure you save it as:

      name_of_key.ppk

      You’ll use name_of_key.ppk to login within PuTTy.

      Once you’re able to login, you need to delete the private key on the Droplet.

      rm -rf ~/.ssh/name_of_key

      That’ll get you setup for root. From there, the steps for a user are generally the same, but the directory paths differ.

      Change name_of_key to whatever you like :-).

      Reply Report
      • Thrax June 6, 2017

        The key made by putty starts with ssh-rsa

        I signed in using root. I tried setting it all up again, deleting the authorized_keys to be even more sure. Came up with the below error. I then tried again going through the console on the site to see if that would work and still no luck. 

        open ~/.ssh/name_of_key~/.ssh/name_of_key failed: No such file or directory.
Saving the key failed: ~/.ssh/name_of_key~/.ssh/name_of_key.

        I used FTP to have a look at the ssh folder. I can create files and delete them, I cannot create directories though. That was also using the root account to access. I was curious if I created a file with the name name_of_key then possibly it could somehow help it just write to the file. That didn’t work either. I tried going through the steps again and again a bust. This image of the console may help.
        It’s like I don’t have rights to create the files. I have to be doing something wrong.

        Mother f… I thought maybe I screwed up when I created the .ssh folder so I deleted it and created it again using root.. yeah no still failed.

        I just wanted to say thank you so much for taking the time to help me with this and having so much patience!

        Reply Report
      • Thrax June 6, 2017

        SSH hates me and the commenting system now hates me because I wrote a detailed reply and it decided to mark it as spam. The fates are conspiring against me here.
        I first want to say thank you very much for being so incredibly patient and detailed in your replies! However as you may have guessed SSH hates me :(

        The key I used previously started with SSH-RSA

        I am being more concise in this comment at least. I did this multiple times to get it to work and always using the root account. I tried it via PuTTy and via the website console.

        I followed your steps but when it comes to saving it fails and the below error is displayed.

        open ~/.ssh/name_of_key failed: No such file or directory.
Saving the key failed: ~/.ssh/name_of_key.

        I go back through the steps further and decide to delete the .ssh folder entirely (via FTP) and start again with root and the commands:

        mkdir ~/.ssh
        chmod 0700 ~/.ssh
        touch ~/.ssh/authorized_keys
        chmod 0644 ~/.ssh/authorized_keys

        It creates the folder and the above file. Still get the failed message.
        I then try to use FTP to create a file called name_of_key and it is created. Failed too.
        I try to create a directory in that .ssh folder and it won’t allow me too. A sure I thought I would try.

        It’s like it doesn’t have permission to create the file or something.

        Kay copying this bloody comment and hope it doesn’t get marked as spam.

        Reply Report
        • jtittle1 June 6, 2017

          @Thrax

          When prompted for the save path, try using the direct path.

          If logged in as root, that’d be /root/.ssh, so to save a key, you’d use:

          /root/.ssh/key_name

          If you’re creating a key as a user, then it’d be the users’ home directory plus .ssh. So if my user home directory was:

          /home/myuser

          …then I’d use:

          /home/myuser/.ssh/key_name
          Reply Report
          • Thrax June 6, 2017

            The amount of appreciation I have for you is insane, you are amazing! I can’t believe it was /root/.ssh/ that caused all of this. Thank you thank you thank you thank!! No seriously freaking THANK YOU!! Finally SSH!

            Reply Report
          • minwpteam September 10, 2017

            Really thank you so much this help. Now I understand what mean ~ = root.
            Thank you again.

            Reply Report
hansen June 5, 2017

Hi @Thrax

I have no idea why the tutorial is using vim or even sudo.
In bullet 3, simply run this nano ~/.ssh/authorized_keys to edit your key. And skip 4+5.

The only thing I can think of would be that you didn’t convert from PuTTY to OpenSSH.
Or that you’re connecting with a wrong private key, after you’ve added the public key to the server.

When you log in to the server to add the public key, do you do that as root?

Reply Report
  • Thrax June 5, 2017

    Yep I assumed for SSH stuff I would need root to be safe.
    Ah nano is so much easier to use. However the key is still there. I used PuTTY Key Generator to do it. I read that in their latest update they do SSH-2 as standard so they call it RSA instead. So I created the key using that. I go to Generate and save the two files. I can then copy the “Public key for pasting into OpenSSH authorized_keys file.
    The start of the key is "ssh-rsa”
    Is it something to do with puttygen?

    Reply Report
cbenhenderson October 10, 2017

Just throwing it out there for anyone who may have a similar issue in the future: I always forget to set file permissions properly when I set up ssh for a new user on my server.

cd ~
chmod -r 700 .ssh
chmod 600 .ssh/authorized_keys

Additionally, check that the correct user:group is assigned.

ls -la | grep ssh

If not:

sudo chown -R <user>:<group> .ssh

Reply Report
minisaez March 9, 2018

This is an amazing post thank you so much for the detailed answers. I had a similar problem - Filezilla gave an error when trying to upload a file, even though it logged in correctly, showed the directory tree of the server correctly, too.

After genning a new key, making sure I didn’t accidentally remove any of the first characters in the cut and paste of the public key (great hint btw), I found this:

In putty, under File, SiteManager, Advanced tab, click “UNIX” for server type. This clears up the Filezilla rejecting the transfer even though correctly logged in. so random....

Reply Report
jeffoire May 14, 2020

If you still have your key rejected despite having all of the permissions and ownership set correctly, you may need to change the user’s password from the default “locked” (which is a hash that is or starts with !) to an “impossible” hash (assuming you don’t want the user to log in with a password) with usermod -p "*" username. the full explanation is available at https://arlimus.github.io/articles/usepam/

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help