Ye blog of Adam Wright

DIY, tutorials, stuff for geeks, all updated when I have the time to spare.

SSH error “Server refused our key” and how to fix it

I was getting this error for a while when trying to use an authentication key in PuTTY to connect to an Ubuntu Server machine:
Server refused our key.

Long story short, the problem was that my home directory is encrypted when I’m not logged in. Read below for further explanation.

The solution is to move the authorized_keys file location outside the home folder so the SSH daemon can access it even when you’re not logged in:

  1. sudo mkdir /etc/ssh/publicSSHkeys # Create a folder for public SSH keys
  2. sudo mv ~/.ssh/authorized_keys /etc/ssh/publicSSHkeys/ # Move the authorized_keys file there
  3. sudo nano /etc/ssh/sshd_config # Modify sshd_config to the new location
    change this… AuthorizedKeysFile    %h/.ssh/authorized_keys
    to this… AuthorizedKeysFile    /etc/ssh/publicSSHkeys/authorized_keys
    NOTE: Sometimes the AuthorizedKeysFile line is commented out, so remove the leading number sign (#) if it is (Thanks to Frank for the tip!).
  4. sudo service sshd reload # Then you just need to reload the server
  5. You’ll still need to make sure your public key is in /etc/ssh/publicSSHkeys/authorized_keys, and your SSH client (in my case PuTTY) is loading your private key. There are numerous SSH key tutorials on the webernets.
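
As a commenter below points out, one shared file means every key in it is accepted for every account. The following added example (not the author's code) applies step 3 with sshd's %u token so each user gets a separate key file, copes with the commented-out directive, and checks file modes; the scratch paths, the user "alice" and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: runs on a scratch copy of sshd_config in a temp directory.
# The config contents, the key and the user "alice" are constructed.

# Print the value sshd would use: the first uncommented occurrence wins.
effective_keys_file() {
    awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Replace the first AuthorizedKeysFile line (commented out or not) with the new
# value, comment out later active duplicates, or append if none exists.
set_keys_file() {
    awk -v v="$2" '
        /^[ \t]*#?[ \t]*[Aa]uthorized[Kk]eys[Ff]ile[ \t]/ {
            if (!done) { print "AuthorizedKeysFile " v; done = 1 }
            else if ($0 ~ /^[ \t]*#/) print
            else print "#" $0
            next
        }
        { print }
        END { if (!done) print "AuthorizedKeysFile " v }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# StrictModes (on by default) rejects a key file or parent directory that is
# owned by anyone other than root or the user, or is writable by group or
# others. This checks the mode half of that rule for one path.
strict_ok() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Copy one user's keys to <base>/<user>/authorized_keys with safe modes.
install_user_keys() {
    mkdir -p "$1/$2" && chmod 755 "$1" "$1/$2" &&
    cp "$3" "$1/$2/authorized_keys" && chmod 644 "$1/$2/authorized_keys"
}

demo=$(mktemp -d)
printf '%s\n' 'Port 22' '#AuthorizedKeysFile    %h/.ssh/authorized_keys' \
    'PasswordAuthentication no' > "$demo/sshd_config"
echo 'ssh-ed25519 AAAA-constructed-placeholder alice@laptop' > "$demo/alice.pub"

set_keys_file "$demo/sshd_config" '/etc/ssh/publicSSHkeys/%u/authorized_keys'
install_user_keys "$demo/publicSSHkeys" alice "$demo/alice.pub"

echo "sshd will read: $(effective_keys_file "$demo/sshd_config")"
strict_ok "$demo/publicSSHkeys/alice/authorized_keys" && echo "modes ok"
```

On a live host, make the same edit to /etc/ssh/sshd_config as root, validate it with `sudo sshd -t`, and keep an existing session open while you reload. The service is named `ssh` on Debian and Ubuntu and `sshd` on RHEL and CentOS.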

Automatic home directory encryption is an option when installing Ubuntu systems (both desktop and server), and I recommend using it. I like knowing that, if I’m not logged in, my home directory is encrypted. However, this means that any server or daemon that requires access to files or folders in your home directory will fail if you’re not logged in. Keep that in mind.


38 responses to “SSH error “Server refused our key” and how to fix it”

  1. Amir 08/16/2011 at 3:16 AM

    Thanks!
    I was having the same problem, and I tried heaps of other links, but your guide was the first one that actually worked for me 🙂

  2. Josh 11/17/2011 at 5:14 PM

    Thank you, this guide helped me on CentOS 6 as well.

    • Adam 11/17/2011 at 5:27 PM

      You’re welcome. I wasn’t aware that CentOS encrypted home directories. I guess it might not but you may have done encryption manually. Either way, good to hear you got it working.

  3. quin 12/20/2011 at 5:09 AM

    Thanks a lot..it helped! 🙂

  4. Mike Miller (@shelzmike) 02/02/2012 at 2:56 PM

    You, my friend, are a freaking genius. It is always the little things. As you mentioned, there are loads of tutorials on how to create the keys (both in PuTTy and in Linux) but none ever seem to know about this (or fail to say anything about it). Been struggling with this for a few hours now and your solution worked like a charm! Thanks again.

  5. kamal 03/01/2012 at 10:55 AM

    Thank you very much, small post but very useful.
    Kamal chikh echioukh

  6. Pingback: Server refused our key UBUNTU Solution | Ycsoftware.net

  7. Stijn 04/21/2012 at 5:36 AM

    Good job!!!

  8. Leonardo Dias 05/18/2012 at 11:29 AM

    Man, nobody says where you need to configure sshd_config so that it only works with keys; you really nailed it with this tip.
    My problem was solved, congratulations on the initiative.
    Cheers

  9. Ole Martin Graae 06/19/2012 at 4:50 AM

    This is great! However, some applications of this solution may require that different users have different credentials. The above solution allows any user, possessing any authorized key, to log in as any user.

    With a slight alteration to sshd_config, we can create authorized keys for each user.
    AuthorizedKeysFile /etc/ssh/publicsshkeys/%u/authorized_keys

    • Adam 06/19/2012 at 11:23 AM

      Nice, then each user’s public keys would be in separate folders. However, I don’t think the %u variable would set permissions for that user would it? You’d want to go in and set the users’ folder permissions to only that user wouldn’t you? I mean, just in case.

      • Ole Martin Graae 06/20/2012 at 6:50 AM

        I just did a “chmod -R 755 publicsshkeys/”. Folder owner is root.
        So anyone can read anyone’s public/authorized_keys. I don’t think that is a security issue.

      • Adam 06/20/2012 at 1:36 PM

        I agree, it’s probably not an issue.

  10. Todd Morrow 08/05/2012 at 5:08 PM

    is publicSSHkeys a system folder or can the name be anything, or can authorized_keys just live in /etc/ssh/ ?

    • Adam 08/12/2012 at 2:24 PM

      In this tutorial, we’re creating the publicSSHkeys folder, so it’s not a system folder really. You can name it whatever you like, or you could put authorized_keys in /etc/ssh.

  11. RP 09/21/2012 at 12:41 PM

    Thanks. Does this mean, I have to login as root user always?

    • Adam 09/21/2012 at 12:51 PM

      No, you shouldn’t need to log in as root. Actually, by default on Ubuntu installations, it’s impossible to log in via SSH as root. You can, however, log in via SSH as a normal user, and then do a “sudo bash” or “sudo /bin/bash”, assuming your username is added to the sudoers file.

      • RP 09/21/2012 at 3:40 PM

        After following the instructions to place authorized_key under ssh/publicSSHkeys, do I need to copy the same file, under /home//.ssh directory. That part is not clear to me. Pls help.

      • Adam 09/21/2012 at 7:59 PM

        No, as long as you change the settings for your ssh server, it should now look in “/etc/ssh/publicSSHkeys” for the keys. You should only need to keep the key in that location.

  12. Stuart 12/17/2012 at 11:34 PM

    Step 4 – should that be
    sudo service ssh reload #
    and not
    sudo service sshd reload #

    I had no sshd service in Ubuntu 12.10

    • Adam 12/18/2012 at 1:48 AM

      ssh is the client end, and sshd is the daemon or server end. If you’re just running Unity desktop instead of Ubuntu Server, you won’t have sshd installed by default.

  13. Frank 12/21/2012 at 3:29 PM

    Hi Adam,

    Thank you very much for putting this up here. I had noticed that I had to be logged in locally for SSH to work, and nothing made sense until I came across what you wrote.

    I had one little thing to add for newbies such as myself. By default, the /etc/ssh/sshd_config file has the “AuthorizedKeysFile” section commented out. It will only recognize a different directory if you un-comment it. After having followed your directions…changing permissions/ownership multiple times along with recreating the directory a few times in different places (that’s called newbie troubleshooting), I finally noticed the # in front of the file location parameter.

    Removing that fixed the issue completely. Again, thank you.

  14. Alan 02/07/2013 at 1:38 PM

    After moving the keys to /etc/ssh/publicSSHKeys/ I still kept running into the “Server refused..” error. To resolve I had to make sure I had the correct permissions, probably a noob linux issue but I hit it.

    sudo chown username:username publicSSHKeys/
    sudo chown username:username authorized_keys
    in addition to the standard
    sudo chmod 700 publicSSHKeys/
    sudo chmod 600 authorized_keys

  15. akismet-4a5a3d9ebdbe1e10516597ae6b2f8b3c 02/17/2013 at 3:26 PM

    Thanks, it worked for me on Ubuntu Server 12.04.

  16. DavidDavid 04/21/2013 at 11:50 PM

    Just forget creating your keys with puttygen. Do it the linux way => “ssh-keygen” then import private key in puttygen, then save your new private key in your windows for putty-use.

    On server do ” cat id_rsa.pub >> authorized_keys2 ”

    http://www.debuntu.org/secure-your-ssh-server-with-publicprivate-key-authentification/

    • Adam 04/22/2013 at 6:19 AM

      Actually that won’t work. While it’s true that you can indeed create SSH keys on your Linux machine rather than make them on your Windows machine, this post was about the problem you come across when using a key to log in with an encrypted home directory. It doesn’t matter if you make the key in Windows or in Linux, if your home directory is encrypted and the authorized_keys file is in the home directory, your Linux system won’t be able to read the file until you’re logged in to the machine. To fix this, you can relocate the authorized_keys file outside your home directory, as I explained above.

      • david 04/22/2013 at 11:30 PM

        You should specify it in the title of your post. Your blog comes in the first response from Google searching “server refused our key” and your specific solution is not recommendable for 99% of the people seeking this problem. Which is simply bad key format.

        Or add that solution to your post and keep the title. That way, you keep the traffic and give the correct solution to both problems 😉

      • Adam 05/02/2013 at 2:02 PM

        I think this is a common solution for that problem. If you’d like to add a solution that you think would help people as well, I’d be glad to link to an article of yours. Let me know!

  17. Pingback: Ubuntu 12.04 - I can ssh into the server but sshd is an unrecognized service | Ubuntu InfoUbuntu Info

  18. nana 07/01/2013 at 5:38 AM

    Worked on CentOS 5, thanks a lot man, been working on this issue for days until I found this article.

  19. Sartaj 08/31/2015 at 5:02 PM

    Thanks, the comment by Alan about doing chown on the directory and file worked for me on Ubuntu 14.04.3 LTS.
