How to Troubleshoot SSH Key Authentication Issues by Checking SSHD Logs in Ubuntu



When facing SSH key authentication failures like "Server refused our key," examining SSHD logs is crucial for debugging. On Ubuntu, the SSH daemon (sshd) typically logs authentication attempts to /var/log/auth.log. The logging behavior is controlled by two main parameters in /etc/ssh/sshd_config:

SyslogFacility AUTH
LogLevel INFO

Depending on your system configuration, SSHD logs might appear in different locations:

  • /var/log/auth.log (Ubuntu/Debian)
  • /var/log/secure (RHEL/CentOS)
  • journalctl -u sshd (systems using systemd; on Debian and Ubuntu the unit is named ssh, so use journalctl -u ssh)

If /var/log/auth.log is empty despite SSH connection attempts, try these diagnostic steps:

# Check if rsyslog is running
sudo systemctl status rsyslog

# Verify syslog is capturing auth messages
grep auth /etc/rsyslog.conf

# Restart logging services
sudo systemctl restart rsyslog
sudo systemctl restart sshd

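For more detailed logging, modify sshd_config. The sshd_config man page warns that DEBUG levels violate user privacy, so set LogLevel back to INFO once the problem is found: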

LogLevel DEBUG3
SyslogFacility AUTHPRIV

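Then restart SSHD (on Ubuntu the systemd unit is ssh.service, with sshd as an alias; use ssh if the sshd name is not found):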

sudo systemctl restart sshd

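If system logging isn't working, you can run a second sshd in debug mode on a spare port. With -d it stays in the foreground, writes its debug output to the terminal, and exits after handling one connection: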

sudo /usr/sbin/sshd -d -p 2222

Then connect to the test port:

ssh -p 2222 user@localhost

For key authentication issues, look for these patterns in logs:

# Permission issues
Authentication refused: bad ownership or modes for directory

# Key format problems
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes

# Key file access errors
Could not open authorized keys '/home/user/.ssh/authorized_keys': No such file or directory
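
The first pattern above comes from sshd's StrictModes check. As an added example (not from the original page), this shell function walks from authorized_keys up to the home directory and reports every path that is owned by someone other than the user or root, or that is writable by group or others. The function name and output labels are made up for illustration, and GNU stat and readlink are assumed.

```shell
#!/bin/sh
# Added example (not from the original page). Reproduces the ownership/mode
# test behind "Authentication refused: bad ownership or modes for ...".
# Usage: check_strict_modes KEYFILE HOME_DIR USER_UID
# Prints one line per offending path. Returns 0 if clean, 1 if any path
# would be refused, 2 if the key file is missing.
# check_strict_modes is a hypothetical name; needs GNU stat and readlink.
check_strict_modes() {
    path=$(readlink -f -- "$1")   # sshd also resolves symlinks first
    home=$(readlink -f -- "$2")
    uid=$3
    rc=0
    if [ ! -f "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    while :; do
        mode=$(stat -c '%a' -- "$path")    # octal permission bits
        owner=$(stat -c '%u' -- "$path")   # numeric owner uid
        # The owner must be the user or root.
        if [ "$owner" -ne "$uid" ] && [ "$owner" -ne 0 ]; then
            echo "BAD_OWNER $path (uid $owner)"
            rc=1
        fi
        # No write bit for group or others: mode & 022 must be 0.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD_MODE $path ($mode)"
            rc=1
        fi
        # Stop once the home directory (or /) has been checked.
        if [ "$path" = "$home" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname -- "$path")
    done
    return $rc
}
```

Call it as check_strict_modes /home/user/.ssh/authorized_keys /home/user "$(id -u user)". Each BAD_MODE line names a path to tighten with chmod.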

Here's a complete debugging workflow:

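# 1. Set verbose logging (also rewrites the commented-out default "#LogLevel INFO"; keeps a .bak copy)
sudo sed -i.bak -E 's/^[#[:space:]]*LogLevel[[:space:]].*/LogLevel DEBUG3/' /etc/ssh/sshd_config

# 2. Validate the config, then restart services
sudo /usr/sbin/sshd -t && sudo systemctl restart sshd rsyslog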

# 3. Monitor logs in real-time
sudo tail -f /var/log/auth.log | grep sshd

# 4. Attempt connection from another terminal
ssh -v user@localhost

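For persistent logging, create a dedicated SSH log file. The "& stop" line ends processing for matching messages, so if this rule is loaded before the default rules, sshd entries no longer reach /var/log/auth.log; leave that line out if other tools read auth.log: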

# Add to /etc/rsyslog.conf
if $programname == 'sshd' then /var/log/sshd.log
& stop

# Create log file and set permissions
sudo touch /var/log/sshd.log
sudo chmod 640 /var/log/sshd.log
sudo chown syslog:adm /var/log/sshd.log

# Restart services
sudo systemctl restart rsyslog sshd

By default, the SSH daemon (sshd) logs to the system's auth log in Ubuntu. The primary location is:

/var/log/auth.log

First, check your current sshd configuration with:

sudo grep -E "SyslogFacility|LogLevel" /etc/ssh/sshd_config

Typical output should show:

SyslogFacility AUTH
LogLevel INFO

If /var/log/auth.log is empty, try these troubleshooting steps:

# Check if rsyslog is running
sudo systemctl status rsyslog

# Verify permissions on auth.log
ls -la /var/log/auth.log

# Check if logging is working for other services
sudo tail -f /var/log/syslog

To get detailed debug information, temporarily run sshd in debug mode:

sudo /usr/sbin/sshd -d -p 2222

Then connect to this debug instance:

ssh -p 2222 user@localhost

Typical RSA key authentication issues and their fixes include:

# Permission issues
sudo chmod 600 ~/.ssh/authorized_keys
sudo chmod 700 ~/.ssh

# SELinux context problems (if enabled)
sudo restorecon -Rv ~/.ssh

Depending on your system configuration, logs might appear in:

/var/log/secure
/var/log/messages
journalctl -u sshd

For persistent logging, create a dedicated sshd log file:

# Add to /etc/rsyslog.d/10-sshd.conf
if $programname == 'sshd' then /var/log/sshd.log
& stop

# Then restart services
sudo systemctl restart rsyslog sshd