Lately my passwordless SSH logins to all my servers have quit working; at least they seem to have stopped working from the only accessible “work” workstation that I have at the moment, MA7053. Since our enterprise malware mitigation agent, Traps, is blocking my access to my “real” workstation, MA8660, this has become more than just a nuisance.

So here’s what I came up with as a process to try and determine exactly where the problems are…

To Debug SSHD Issues with Key Logins

From a terminal opened in the target (CentOS 7 in this example) server:

sudo su
# stop the sshd service
systemctl stop sshd.service
# as root, restart the sshd service in DEBUG mode.  Note that your terminal will NOT return; it is printing debug output
# (in debug mode sshd does not fork and handles only one connection before it exits)
/usr/sbin/sshd -d
# attempt to connect again and look for DEBUG output in your terminal window
# once resolved, ctrl-c to kill the above process if it is still running, then be sure to restart sshd like so:
systemctl start sshd.service

To Create and Engage a New SSH Key

  • On your local workstation open a terminal and enter the following with defaults and NO password or phrase:
    • ssh-keygen
  • Next, using the islandora user at dgdocker1.grinnell.edu as an example, enter the following to copy the key to the target server:

My DGAdmin Experience

Today, January 26, 2021, I set out to configure a new server, namely dgadmin.grinnell.edu. After I’d done all of the above to set the server up for ssh/pubkey authentication it still would not work. I subsequently opened a help ticket and my esteemed colleague, Mike Conner, came to my rescue. Mike’s response to my ticket included this:

Is the private key corresponding to the public key in /home/administrator/.ssh/authorized_keys loaded in your ssh-agent? You can specify which private key to use for the connection using the -i flag:

ssh -i /path/to/id_rsa administrator@dgadmin.grinnell.edu

You can also debug using the verbose flag in your ssh command:

ssh -i /path/to/id_rsa -vvv administrator@dgadmin.grinnell.edu

Mike hit the nail on the head; my ssh-agent must have been using a different pubkey. I executed the command that Mike had suggested and it worked. Specifically that command was: ssh -i ~/.ssh/id_rsa -vvv administrator@dgadmin.grinnell.edu.
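
The question Mike asked can also be answered directly by comparing fingerprints. The script below is an added example, not part of the original post or of Mike's reply; the function names, file names and sample fingerprints are constructed for illustration. It assumes you have saved the output of `ssh-add -l` on the workstation and of `ssh-keygen -lf ~/.ssh/authorized_keys` on the server into two text files.

```shell
#!/bin/sh
# Added example: does any key the agent offers appear in authorized_keys?
#   offered listing:    ssh-add -l                             (workstation)
#   authorized listing: ssh-keygen -lf ~/.ssh/authorized_keys  (server)
# Both print "<bits> <fingerprint> <comment> (<type>)"; field 2 is compared.

# Print every fingerprint that appears in both listings.
common_fingerprints() {
    awk '
        $2 !~ /^(SHA256|MD5):/ { next }   # skip "The agent has no identities."
        FILENAME == ARGV[1]    { offered[$2] = 1; next }
        ($2 in offered)        { print $2 }
    ' "$1" "$2"
}

# Return 0 and name the usable key(s), or return 1 with a hint on stderr.
diagnose() {
    matches=$(common_fingerprints "$1" "$2")
    if [ -n "$matches" ]; then
        printf 'offered and authorized: %s\n' $matches
        return 0
    fi
    echo "no offered key is authorized; load the right key or use ssh -i" >&2
    return 1
}

# Constructed sample listings (not real keys): the agent holds only an old
# key, while the server authorizes the newly generated one.
demo_dir=$(mktemp -d)
cat > "$demo_dir/offered.txt" <<'EOF'
2048 SHA256:CONSTRUCTEDoldKEY000000000000000000000000000 old@workstation (RSA)
EOF
cat > "$demo_dir/authorized.txt" <<'EOF'
2048 SHA256:CONSTRUCTEDnewKEY111111111111111111111111111 new@workstation (RSA)
EOF
diagnose "$demo_dir/offered.txt" "$demo_dir/authorized.txt" || true
rm -rf "$demo_dir"
```

With the constructed samples the script reports that no offered key is authorized, which is the mismatch described above.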

Extras Are No Longer Necessary

After the above command logged me in without a password I ran one more test. Would I always need to run my ssh commands in that form? No, I found that once I had run that command successfully the ssh-agent remembers the correct pubkey to use so subsequent logins can use just ssh administrator@dgadmin.grinnell.edu.

And that’s a wrap. Until next time…