LinuxQuestions.org
Old 01-01-2023, 10:20 AM   #1
ShadowDonkey
LQ Newbie
 
Registered: Jan 2022
Posts: 6

Rep: Reputation: 1
ssh-keygen


Hi

After reinstalling my computer the ssh keys I've had for years aren't working anymore for my VPS. When I try to log in with the keys I get the error Permission denied (publickey).
It's been so long since I've set it up, so I don't know if something is wrong or if I'm doing something wrong. From what I understand I should run ssh-keygen on the client, and copy the .pub content to the .ssh/authorized_keys on the server and that should be it.. or am I missing something? After doing this, I'm still getting the same error. Thankful for help.
 
Old 01-01-2023, 10:48 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
How are you invoking the SSH session? The exact command would help and if there is an error message with -v or -v -v that would help too.

Did you have any special settings in ~/.ssh/config and how are the permissions for the private keys?
 
Old 01-01-2023, 02:09 PM   #3
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
.ssh directory on target should be mode 700. authorized_keys file should be 600. Also, check that the pub string you inserted does not have embedded newlines, often from cut/paste.

https://frankindev.com/2020/11/26/pe...and-key-files/
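
The three checks from the post above as a script, added here as an example and not part of the original thread. It assumes GNU `stat` and `base64`; the function names `audit_ssh_dir` and `demo_wrapped_key` are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and base64 (coreutils).
# Prints one finding per line for the ~/.ssh directory given as $1;
# prints nothing when the checks from the post all pass.
audit_ssh_dir() {
    dir=$1
    file="$dir/authorized_keys"
    # Modes recommended in the post: 700 on the directory, 600 on the file.
    [ "$(stat -c %a "$dir")" = "700" ] || echo "mode: $dir is not 700"
    [ "$(stat -c %a "$file")" = "600" ] || echo "mode: $file is not 600"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # Take the field after the key type; options may precede the type
        # and a comment may follow the blob.
        blob=$(printf '%s\n' "$line" | awk '{
            for (i = 1; i < NF; i++)
                if ($i ~ /^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) { print $(i + 1); exit }
        }')
        if [ -z "$blob" ]; then
            # Typical for the second half of a key that was wrapped on paste.
            echo "line $n: no key type followed by a key blob"
        elif [ $(( ${#blob} % 4 )) -ne 0 ] ||
             ! printf '%s' "$blob" | base64 -d >/dev/null 2>&1; then
            echo "line $n: key blob is truncated or not valid base64"
        fi
    done < "$file"
}

# Constructed demo: a key whose blob was split across two lines by a bad paste.
demo_wrapped_key() {
    d=$(mktemp -d)
    blob=$(printf 'constructed sample blob, not a real key' | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s\n%s user@client\n' \
        "$(printf '%s' "$blob" | cut -c1-10)" "$(printf '%s' "$blob" | cut -c11-)" \
        > "$d/authorized_keys"
    chmod 700 "$d"; chmod 644 "$d/authorized_keys"
    audit_ssh_dir "$d"
    rm -rf "$d"
}
demo_wrapped_key
```

A key split by a stray newline is always caught on its second line, because the continuation no longer starts with a key type.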
 
Old 01-02-2023, 04:07 AM   #4
ShadowDonkey
LQ Newbie
 
Registered: Jan 2022
Posts: 6

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by Turbocapitalist
How are you invoking the SSH session? The exact command would help and if there is an error message with -v or -v -v that would help too.

Did you have any special settings in ~/.ssh/config and how are the permissions for the private keys?

I try connecting with: ssh -i .ssh/KEY user@ip

I created the keys with: ssh-keygen -t rsa -f ~/.ssh/KEY -C user

I copy the content of the .pub file created to the authorized_keys file on the server, but without any change in result. It's a Google compute VM, and they have a specific page where existing keys can be edited under the web interface, which I have also done. After adding it to the web interface, I can see the same line added to authorized_keys as if I did it manually.

Here is a copy of the log with -v (users and hosts redacted):
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file .ssh/KEY type 0
debug1: identity file .ssh/KEY-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u8
debug1: compat_banner: match: OpenSSH_6.7p1 Debian-5+deb8u8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to xxx.xxx.xxx.xxx:22 as 'user'
debug1: load_hostkeys: fopen /home/xxx/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:IdH410ytoj2G2Hc1TsFrkT74OutSXlxddUzlm/ehpos
debug1: load_hostkeys: fopen /home/xxx/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the ED25519 host key.
debug1: Found key in /home/xxx/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: .ssh/KEY RSA SHA256:lIhpMIOC08sTCGm+SZK55aWcO+w7gJOFWYbFF67a6Pk explicit agent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/KEY RSA SHA256:lIhpMIOC08sTCGm+SZK55aWcO+w7gJOFWYbFF67a6Pk explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
user@xxx.xxx.xxx.xxx: Permission denied (publickey).

Quote:
Originally Posted by elgrandeperro
.ssh directory on target should be mode 700. authorized_keys file should be 600. Also, check that the pub string you inserted does not have embedded newlines, often from cut/paste.

https://frankindev.com/2020/11/26/pe...and-key-files/

Yes, these permissions are all as mentioned.
 
Old 01-02-2023, 04:09 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
Thanks.

Quote:
Originally Posted by ShadowDonkey
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
user@xxx.xxx.xxx.xxx: Permission denied (publickey).

What version of the OpenSSH-server is running on the remote host? It looks like it might be an old or abandoned version and in need of update.
 
Old 01-04-2023, 01:11 AM   #6
rwky
LQ Newbie
 
Registered: Jan 2023
Location: Earth
Distribution: Debian
Posts: 1

Rep: Reputation: 0
Try adding -oPubkeyAcceptedKeyTypes=+ssh-rsa to the end of the command or add PubkeyAcceptedKeyTypes=+ssh-rsa to your ~/.ssh/config

If the SSH server is an old version that should work around the problem until you can update it.
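
The `no mutual signature algorithm` line from the log and the workaround above, as an added example that is not part of the original thread: it classifies an `ssh -v` log and prints a `~/.ssh/config` stanza that limits the workaround to one host. Function names, verdict strings, the alias `legacy-vps` and the address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify an `ssh -v` client log for the
# failure seen here. Function names and verdict strings are made up for this sketch.

# Constructed sample: three lines in the shape of the log posted above.
sample_log() {
    cat <<'EOF'
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u8
debug1: Offering public key: .ssh/KEY RSA SHA256:CONSTRUCTED-FINGERPRINT explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
EOF
}

# Print the server's OpenSSH "major.minor" from the banner line, if present.
remote_openssh_version() {
    sed -n 's/^debug1: Remote protocol version .*remote software version OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print a one-word verdict for the log file named in $1.
diagnose_ssh_log() {
    grep -q 'send_pubkey_test: no mutual signature algorithm' "$1" || { echo other; return 0; }
    grep -q 'Offering public key: .* RSA ' "$1" || { echo no-mutual-algorithm; return 0; }
    ver=$(remote_openssh_version "$1")
    major=${ver%%.*}
    minor=${ver#*.}
    # rsa-sha2-256/512 signatures arrived in OpenSSH 7.2. An older server can only
    # verify SHA-1 "ssh-rsa", which OpenSSH 8.8+ clients no longer offer by default.
    if [ -n "$ver" ] && { [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 2 ]; }; }; then
        echo server-predates-rsa-sha2
    else
        echo rsa-sha1-not-offered
    fi
}

# Emit a ~/.ssh/config stanza limiting the thread's workaround to one host alias,
# so every other server keeps the client's default algorithm list.
# (OpenSSH 8.5+ also accepts the newer spelling PubkeyAcceptedAlgorithms.)
scoped_workaround() {
    printf 'Host %s\n    HostName %s\n    PubkeyAcceptedKeyTypes +ssh-rsa\n' "$1" "$2"
}

log=$(mktemp)
sample_log > "$log"
diagnose_ssh_log "$log"
scoped_workaround legacy-vps 192.0.2.10   # alias and address are placeholders
rm -f "$log"
```

OpenSSH has supported Ed25519 user keys since 6.5, so a key made with `ssh-keygen -t ed25519` can be verified by a 6.7 server without re-enabling `ssh-rsa` at all.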
 
Old 01-05-2023, 09:11 AM   #7
ShadowDonkey
LQ Newbie
 
Registered: Jan 2022
Posts: 6

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by rwky
Try adding -oPubkeyAcceptedKeyTypes=+ssh-rsa to the end of the command or add PubkeyAcceptedKeyTypes=+ssh-rsa to your ~/.ssh/config

If the SSH server is an old version that should work around the problem until you can update it.

That worked perfectly. Thank you kindly good sir!


And yes, the ssh server was very outdated.
Although I'm not sure if I'm looking at the wrong package, but listing apt list --upgradable does not show openssh-server at all. Should not openssh-server be listed if it requires upgrade?
 
Old 01-05-2023, 09:15 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
Quote:
Originally Posted by ShadowDonkey
That worked perfectly. Thank you kindly good sir!

And, thus, another security hole was opened intentionally. :/

Quote:
Originally Posted by ShadowDonkey
And yes, the ssh server was very outdated.
Although I'm not sure if I'm looking at the wrong package, but listing apt list --upgradable does not show openssh-server at all. Should not openssh-server be listed if it requires upgrade?

OpenSSH-server is the right package but if you have an outdated version of it, then it has most likely come from an outdated repository on an outdated distro. Even if you are using an outdated distro, there is a chance that the distro will have a backports repository which you can draw from once it gets activated. However the details vary from distro to distro, so which distro do you have, including version?
 
Old 01-05-2023, 09:35 AM   #9
ShadowDonkey
LQ Newbie
 
Registered: Jan 2022
Posts: 6

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by Turbocapitalist
And, thus, another security hole was opened intentionally. :/

OpenSSH-server is the right package but if you have an outdated version of it, then it has most likely come from an outdated repository on an outdated distro. Even if you are using an outdated distro, there is a chance that the distro will have a backports repository which you can draw from once it gets activated. However the details vary from distro to distro, so which distro do you have, including version?

Understood.
Haven't done any updates for years on the server. Since it's hosted at Google and there really isn't anyone to call if things go belly up in case an update crashes something, I've just avoided it altogether... Stupid, I'm sure.

Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux

I think it's time to move away from Google and set up a server at home instead so it can be managed physically if needed.
 
Old 01-05-2023, 09:41 AM   #10
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
Version three would have been Woody from 2002 and which reached end of life in 2006. Perhaps that was the output of uname by mistake?

What is the output of
lsb_release -rd
or
hostnamectl | grep -i 'operating system'
or
cat /etc/issue
there?

The output should include the code name for the version (e.g. Bullseye, Buster, Stretch, etc) and a version number (e.g. 11, 10, 9, etc)
 
Old 01-05-2023, 09:44 AM   #11
ShadowDonkey
LQ Newbie
 
Registered: Jan 2022
Posts: 6

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by Turbocapitalist
Version three would have been Woody from 2002 and which reached end of life in 2006. Perhaps that was the output of uname by mistake?

What is the output of
lsb_release -rd
or
hostnamectl | grep -i 'operating system'
or
cat /etc/issue
there?

The output should include the code name for the version (e.g. Bullseye, Buster, Stretch, etc) and a version number (e.g. 11, 10, 9, etc)

Ah, I see. Okay,
hostnamectl | grep -i 'operating system' says:

Operating System: Debian GNU/Linux 8 (jessie)
 
1 members found this post helpful.
Old 01-05-2023, 09:52 AM   #12
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,359
Blog Entries: 3

Rep: Reputation: 3767
Thanks. Debian 8, Jessie, (https://www.debian.org/releases/jessie/) is no longer current. It's still in Extended Long Term Support though for a limited amount of help until 2025.

The search web page does not go back as far as Jessie. https://packages.debian.org/

Therefore I would try adding the backports repository and see if a newer version of OpenSSH-server is there. The instructions here are probably relevant if you swap out "bullseye" with "jessie". But perhaps it is best if you schedule a migration sooner than later if there is not a better version of OpenSSH-server there.

(Edit: https://backports.debian.org/Instructions/ )

Moving to self-hosting, as you have proposed, is almost always a good move. So I'd encourage checking out the options for that.

Last edited by Turbocapitalist; 01-05-2023 at 09:55 AM.
 
  

