How to Troubleshoot SSH Key Authentication Issues by Checking SSHD Logs in Ubuntu



When facing SSH key authentication failures like "Server refused our key," examining the sshd logs is crucial for debugging. On Ubuntu systems, the SSH daemon (sshd) typically logs authentication attempts to /var/log/auth.log. Logging behavior is controlled by two main parameters in /etc/ssh/sshd_config:

SyslogFacility AUTH
LogLevel INFO

Depending on your system configuration, SSHD logs might appear in different locations:

  • /var/log/auth.log (Ubuntu/Debian)
  • /var/log/secure (RHEL/CentOS)
  • journalctl -u sshd (systems using systemd; on Ubuntu/Debian the unit is named ssh, so use journalctl -u ssh)

If /var/log/auth.log is empty despite SSH connection attempts, try these diagnostic steps:

# Check if rsyslog is running
sudo systemctl status rsyslog

# Verify syslog is capturing auth messages
grep auth /etc/rsyslog.conf

# Restart logging services
sudo systemctl restart rsyslog
sudo systemctl restart sshd

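For more detailed logging, modify sshd_config. DEBUG-level logging records far more about each session than normal operation needs and the sshd_config manual advises against it for routine use, so set LogLevel back to INFO once the problem is found: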

LogLevel DEBUG3
SyslogFacility AUTHPRIV

Then restart SSHD:

sudo systemctl restart sshd

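If system logging isn't working, you can run a second sshd in debug mode on a spare port. With -d it stays in the foreground, prints its debug output to the terminal, and exits after handling one connection: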

sudo /usr/sbin/sshd -d -p 2222

Then connect to the test port:

ssh -p 2222 user@localhost

For key authentication issues, look for these patterns in logs:

# Permission issues
Authentication refused: bad ownership or modes for directory

# Key format problems
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes

# Key file access errors
Could not open authorized keys '/home/user/.ssh/authorized_keys': No such file or directory

Here's a complete debugging workflow:

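# 1. Set verbose logging (also rewrites the commented-out default "#LogLevel INFO")
sudo sed -i -E 's/^#?[[:space:]]*LogLevel.*/LogLevel DEBUG3/' /etc/ssh/sshd_config

# 2. Check the config for syntax errors, then restart services
sudo /usr/sbin/sshd -t && sudo systemctl restart sshd rsyslog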

# 3. Monitor logs in real-time
sudo tail -f /var/log/auth.log | grep sshd

# 4. Attempt connection from another terminal
ssh -v user@localhost

For persistent logging, create a dedicated SSH log file:

# Add to /etc/rsyslog.conf
if $programname == 'sshd' then /var/log/sshd.log
& stop

# Create log file and set permissions
sudo touch /var/log/sshd.log
sudo chmod 640 /var/log/sshd.log
sudo chown syslog:adm /var/log/sshd.log

# Restart services
sudo systemctl restart rsyslog sshd

By default, the SSH daemon (sshd) logs to the system's auth log on Ubuntu. The primary location is:

/var/log/auth.log

First, check your current sshd configuration with:

sudo grep -E "SyslogFacility|LogLevel" /etc/ssh/sshd_config

Typical output should show:

SyslogFacility AUTH
LogLevel INFO

If /var/log/auth.log is empty, try these troubleshooting steps:

# Check if rsyslog is running
sudo systemctl status rsyslog

# Verify permissions on auth.log
ls -la /var/log/auth.log

# Check if logging is working for other services
sudo tail -f /var/log/syslog

Typical RSA key authentication issues include:

# Permission issues
sudo chmod 600 ~/.ssh/authorized_keys
sudo chmod 700 ~/.ssh

# SELinux context problems (if enabled)
sudo restorecon -Rv ~/.ssh
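
The chmod fixes above target what sshd's StrictModes check rejects. The script below is an added example, not part of the original page, that reports which of the home directory, ~/.ssh and authorized_keys would fail that check before you change anything. The function names are hypothetical and it assumes GNU stat, as shipped on Ubuntu:

```shell
#!/bin/sh
# Added example (not from the original page): approximates sshd's StrictModes
# test for the paths behind "bad ownership or modes" log lines.
# Function names are hypothetical. Requires GNU stat (standard on Ubuntu).

# check_path PATH UID: fail if PATH is missing, owned by someone other than
# UID or root, or writable by group/other (mode bits 022).
check_path() {
    cp_path=$1; cp_uid=$2; cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "missing: $cp_path"; return 1
    fi
    cp_owner=$(stat -L -c %u "$cp_path")
    cp_mode=$(stat -L -c %a "$cp_path")
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != 0 ]; then
        echo "bad owner: $cp_path has uid $cp_owner (want $cp_uid or 0)"; cp_rc=1
    fi
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "bad mode: $cp_path is $cp_mode (group/other-writable)"; cp_rc=1
    fi
    return $cp_rc
}

# check_key_paths HOME UID: check the home directory, ~/.ssh and
# authorized_keys; returns 0 only if all three pass.
check_key_paths() {
    ck_home=$1; ck_uid=$2; ck_rc=0
    for ck_p in "$ck_home" "$ck_home/.ssh" "$ck_home/.ssh/authorized_keys"; do
        check_path "$ck_p" "$ck_uid" || ck_rc=1
    done
    return $ck_rc
}

# Constructed demo tree: .ssh is deliberately group-writable (775).
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 755 "$demo"; chmod 775 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
check_key_paths "$demo" "$(id -u)" || echo "sshd with StrictModes yes would refuse this key file"
rm -rf "$demo"
```

To check a real account, call check_key_paths with that user's home directory and numeric uid, for example check_key_paths /home/user "$(id -u user)".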

Depending on your system configuration, logs might appear in:

/var/log/secure
/var/log/messages
journalctl -u sshd

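For persistent logging, create a dedicated sshd log file. Because 10-sshd.conf is read before Ubuntu's 50-default.conf, the "& stop" line keeps sshd messages out of /var/log/auth.log; omit that line if other tools still read sshd events from auth.log: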

# Add to /etc/rsyslog.d/10-sshd.conf
if $programname == 'sshd' then /var/log/sshd.log
& stop

# Then restart services
sudo systemctl restart rsyslog sshd