SSH : Permission denied (publickey,gssapi-with-mic).

2009 July 6 at 07:34 » Tagged as: security, google apps

I've been using the same SSH keys for a long time and had a need to create a new one to connect to a new server. I did the usual things like adding the user account, setting a password on the server followed by using ssh-keygen on the local machine to create the key. Next, I went back in with the root account, copied the contents of the .ssh/id_dsa.pub and pasted it into a newly created .ssh/authorized_keys2. Then I carefully set the .ssh folder's permissions to 700 and the authorized_keys2 file to 600. Now it was time to try to log in, only to see an error:

Permission denied (publickey,gssapi-with-mic)

Since this error message isn't particularly useful, I looked into the /var/log/secure file to find this:

error: key_read: uudecode AAAAB3NzaC1kc3MAAACBAJOciWES5OqZiuLHF9DpB//3isft6qVbApeH9H6fdjmLEpLBWbCKmms8sDZyLa8bUe9DYqmQdEG+aMih4VmD+wGD5KzjUdSzmOrLOdEOh5YhkMb+/tJ5BY0GvAKCcgKd6QVAg0BDqBr7qVyPG/n failed

It was then that I realized that copying the output of cat ~/.ssh/id_dsa.pub doesn't work. Why? Because when you copy from the terminal output, hard linefeeds are introduced at incorrect locations. If you resize your window you will see them. Simply take out the linefeeds and you will be just fine. In other words, the whole key is just one line of text, even though the terminal wraps it into several lines. If hard breaks are introduced (as happens when you copy from the terminal), the key ends up corrupted and you will not be able to log in.

Now you might ask, isn't it a security issue for me to post my key here? No. What you are seeing is the public key, not the private key. The public key is something that can be transferred over an insecure connection.

By the way, if you are signing up with a new hosting company and they send you the password through email, run from there as fast as you can. Sending a password through email means anyone can get hold of it and just goes to show that the hosting company is careless about security. The correct way is for the hosting company to ask you to send your public key to them. They can then install it on the server and you will then be able to log in securely. But then again, we live in a world where people calling themselves webmasters or system administrators are perfectly happy to use FTP to manage websites.
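An added example, not from the original post: a Python check that walks the text of an authorized_keys file and reports lines whose key data was cut by a hard linefeed, the condition behind the key_read: uudecode ... failed log entry above. The sample key is constructed filler (not a real key), all function names are this example's own, and lines with quoted options containing spaces are not handled.

```python
import base64
import struct

def wire_fields(blob):
    """Split an SSH public-key blob into length-prefixed fields; ValueError if truncated."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of key data")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def check_line(line):
    """Return 'ok' or a reason string for one authorized_keys line."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens)
                if t.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(tokens):
        return "no key type and data on this line (fragment of a wrapped key?)"
    key_type, b64 = tokens[idx], tokens[idx + 1]
    try:
        fields = wire_fields(base64.b64decode(b64, validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return f"key data does not decode: {exc}"
    if len(fields) < 2 or fields[0] != key_type.encode():
        return "decoded key type does not match declared type"
    return "ok"

def check_authorized_keys(text):
    """Check every non-blank, non-comment line; return [(lineno, result)]."""
    return [(n, check_line(l)) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")]

def _sample_key():
    # Constructed sample: well-formed ssh-dss layout with filler bytes, not a real key.
    parts = [b"ssh-dss", b"\x01" * 129, b"\x02" * 21, b"\x03" * 128, b"\x04" * 128]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-dss " + base64.b64encode(blob).decode() + " user@example"

GOOD = _sample_key()
BROKEN = GOOD[:80] + "\n" + GOOD[80:]  # hard linefeed, as pasted from a wrapped terminal

if __name__ == "__main__":
    print(check_authorized_keys(GOOD), check_authorized_keys(BROKEN))
```

The full walk over the length-prefixed fields matters: a key cut at a multiple of four base64 characters still decodes cleanly, and only the overrunning field length reveals the truncation.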