Troubleshooting SSH Public Key Authentication Failures: Permission Denied Errors and Account Lock Issues



When attempting SSH public key authentication between local users on the same machine, we're seeing the classic Permission denied (publickey,keyboard-interactive) error despite having:

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes

First, verify these essential settings in /etc/ssh/sshd_config:

# Authentication methods
PubkeyAuthentication yes
PasswordAuthentication yes

# User permissions
AllowUsers user1 root
PermitRootLogin yes

# PAM handling
UsePAM no

SSH is extremely particular about file permissions. Here's the proper setup:

# For root user
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# For regular user
chmod 700 /home/user1/.ssh
chmod 600 /home/user1/.ssh/authorized_keys

The auth.log reveals a critical clue:

sshd[8476]: User root not allowed because account is locked

To resolve locked accounts:

# Check lock status
passwd -S root

# Unlock if needed
passwd -u root
usermod -U root

The correct way to copy public keys between users:

# For user1
ssh-copy-id -i ~/.ssh/id_rsa.pub user1@localhost

# For root
ssh-copy-id -i ~/.ssh/id_rsa.pub root@localhost

For detailed error analysis:

ssh -vvv user1@localhost
tail -f /var/log/auth.log

When testing on the same machine, ensure:

# In ssh_config or ~/.ssh/config on the client (this is a client option; sshd_config does not accept it)
PermitLocalCommand yes

Try manual key placement:

cat /root/.ssh/id_rsa.pub | ssh user1@localhost "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

When attempting SSH login using public key authentication, you're encountering a critical error: Permission denied (publickey,keyboard-interactive). This indicates the server is rejecting your key-based authentication attempt, despite proper configuration in sshd_config.


# Current problematic config in /etc/ssh/sshd_config
# RSAAuthentication is an SSH protocol 1 option; current OpenSSH releases treat it as deprecated
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM no
AllowUsers user1 root
PermitRootLogin yes

The main warning in logs reveals: User root not allowed because account is locked. This is your primary blocker.

1. Unlock the Root Account


# Check account status
passwd -S root
# Unlock if locked
sudo usermod -U root

2. Proper Key Deployment

Your current approach of copying id_rsa.pub directly won't work. Use ssh-copy-id properly:


# For user1
ssh-copy-id -i ~/.ssh/id_rsa.pub user1@localhost

# For root (after unlocking)
ssh-copy-id -i ~/.ssh/id_rsa.pub root@localhost

3. Correct File Permissions


# On server side
chmod 700 /home/user1/.ssh
chmod 600 /home/user1/.ssh/authorized_keys
chown -R user1:user1 /home/user1/.ssh

# For root
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
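
A read-only check for the two causes covered in steps 1 and 3, as an added example that is not part of the original page. It flags a home directory, .ssh directory or authorized_keys file that is missing, owned by someone else, or writable by group or others (sshd's StrictModes check covers the home directory as well), and it reports whether a shadow entry carries the "!" lock marker. The function names are made up for this example, and it assumes Linux with a stat that supports -c.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Linux and a stat(1)
# that supports -c. Function names are made up for this example.

# check_path PATH UID: succeed only if PATH exists, is owned by UID or root,
# and is not writable by group or others.
check_path() {
    path=$1; uid=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    owner=$(stat -c %u "$path"); mode=$(stat -c %a "$path"); rc=0
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER $path (uid $owner)"; rc=1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path (mode $mode)"; rc=1
    fi
    return "$rc"
}

# audit_home HOME UID: check HOME, HOME/.ssh and HOME/.ssh/authorized_keys.
# Prints one line per finding and returns the number of failing paths.
audit_home() {
    fails=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$2" || fails=$((fails + 1))
    done
    return "$fails"
}

# is_locked USER [SHADOW_FILE]: succeed if USER's password field starts with
# "!", the marker written by passwd -l / usermod -L and removed by usermod -U.
is_locked() {
    field=$(awk -F: -v u="$1" '$1 == u { print $2 }' "${2:-/etc/shadow}")
    case $field in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Usage, as root:
#   is_locked root && echo "root is locked"
#   audit_home /home/user1 "$(id -u user1)"
```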

Run these to identify where the authentication fails:


# Client-side debug
ssh -vvv user1@localhost

# Server-side logs
tail -f /var/log/auth.log
journalctl -u ssh --no-pager -n 50

Update your sshd_config with these critical settings:


# Authentication:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
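# Set here, this disables password logins for every account. To limit it to
# user1, move it into a "Match User user1" block at the end of the file.
PasswordAuthentication no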

# Security restrictions:
PermitRootLogin prohibit-password
AllowUsers user1 root
UsePAM yes
ChallengeResponseAuthentication no

After implementing all fixes, verify with:


ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no user1@localhost
ssh root@localhost

Remember to restart sshd after configuration changes:


sudo systemctl restart sshd