SSH: Permission denied (publickey,gssapi-with-mic,password)

ssh ssh-agent

====================================================================

UPDATE: It turned out the configuration of sshd on host2 wont allow password login. Thanks to people answered this.

====================================================================

Scenario: Working with a company for my college project. I need to use PuTTy to SSH into host1 first, and from there SSH into host2 (see below). I was given a username and password on host2.

I do not have access of host2 at all, so I have no knowledge of its sshd_config.

This is what happened when I was trying to SSH into host2 from host1 :

ff@host1:~$ ssh -v host2
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/ff/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to host2 [192.*.*.*] port 22.
debug1: Connection established.
debug1: identity file /home/ff/.ssh/identity type -1
debug1: identity file /home/ff/.ssh/id_rsa type -1
debug1: identity file /home/ff/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sd01' is known and matches the RSA host key.
debug1: Found key in /home/ff/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Next authentication method: publickey
debug1: Trying private key: /home/ff/.ssh/identity
debug1: Trying private key: /home/ff/.ssh/id_rsa
debug1: Trying private key: /home/ff/.ssh/id_dsa
debug1: Next authentication method: password
ff@sd01's password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
Permission denied, please try again.
ff@sd01's password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
Permission denied, please try again.
ff@sd01's password:
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).

and my /home/ff/.ssh/config :

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   HostbasedAuthentication no
    BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   AuthorizedKeysFile .ssh/authorized_keys
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

I wonder is there anything I can do before go to the company.


The username and password you are trying are not accepted by the host. That means either you are connecting to the wrong server, or the username or password is incorrect. You should ask the administrator to check the logs on host2, that should tell you which of the three is the case.


First

 chmod 700 .ssh

and then :

 chmod 600 .ssh/authorized_keys

and test this : 

restorecon -r -vv .ssh/authorized_keys

In my case, It was caused by encryption of the home directory. I have changed the location of the ssh keys and it resolved the issue : (Web Archive copy) http://tweaktheserver.com/ssh-cant-connect-authentications-that-can-continue-publickeygssapi-keyexgssapi-with-micpassword/


GSSAPI authentication seems to be enabled in the client, yet it fails and falls back to password authentication. If you cannot login with supplied login and password, then the only sensible thing to do is to contact someone responsible for managing the server (the "company").


I had the same problem, but the issue for me was that the default configuration of the operating system (CentOS 7) was to encrypt the user directory, so that the authorized_keys file placed in ~/.ssh/ would not work. The solution came from here but basically:

  1. in /etc/ssh/sshd_config set the AuthorizedKeysFile property to something outside of the user's directory (/etc/ssh/authorized_keys)
  2. restart the sshd service

Related

NTP is running, system clock still not in time - what gives?
How to tell which Ubuntu package a tool is in
nginx reverse proxy - try upstream A, then B, then A again
How do I specify Windows file paths in nginx
Log MySQL login attempts
Terminology: Bounce versus restart [closed]
Difference Between Private Memory Limit and Virtual Memory Limit in IIS
Disable IPv6 in nginx proxy_pass
Send mail from Docker container with host's Postfix
Reload my.cnf without restarting MySQL service
How to connect a cdrom device to a kvm/qemu domain (using command-line tools)?
Auto-storing server host key in cache with plink