Today I encountered a strange SSH behavior where the server accepted my public key authentication (debug1: Server accepts key: pkalg ssh-rsa blen 277) but then still prompted for password authentication. Here's how I investigated and solved it.
The debug output shows the complete authentication sequence:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sam/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp <>
debug1: Authentications that can continue: publickey,password,keyboard-interactive
The key line here is Authentications that can continue, which indicates the server accepted the key but still allows other authentication methods.
This typically happens when:
- The server's sshd_config has AuthenticationMethods requiring multiple factors
- The key isn't properly installed in the authorized_keys file
- Filesystem permissions are incorrect
Here's how to check each scenario:
1. Checking AuthenticationMethods
On the server, examine /etc/ssh/sshd_config:
grep AuthenticationMethods /etc/ssh/sshd_config
grep PubkeyAuthentication /etc/ssh/sshd_config
grep PasswordAuthentication /etc/ssh/sshd_config
If you see something like:
AuthenticationMethods publickey,password
This means both key and password are required.
2. Verifying authorized_keys
Check if your public key exists in ~/.ssh/authorized_keys with proper format:
cat ~/.ssh/authorized_keys
A valid entry should look like:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... user@host
3. Permission Checks
Run these commands on the server:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown -R $USER:$USER ~/.ssh
Add these flags when connecting:
ssh -vvv -o PreferredAuthentications=publickey user@host
This forces publickey auth and provides maximum verbosity.
Try adding these to ~/.ssh/config:
Host *
    IdentitiesOnly yes
    PreferredAuthentications publickey
    PubkeyAuthentication yes
    PasswordAuthentication no
In my case, the server had this configuration:
Match User sam
    AuthenticationMethods publickey,keyboard-interactive
After discussing with the sysadmin, we changed it to:
Match User sam
    AuthenticationMethods publickey
And restarted sshd:
sudo systemctl restart sshd
Now the key authentication works without password prompts.
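The grep in step 1 prints every AuthenticationMethods line but not which one applies to a given user, which is how a Match block like the one above gets overlooked. The following is an added example, not part of the original post: it resolves the value that applies to one user and reports whether a key alone completes the login. The function names and the sample config are constructed for illustration, and only "Match all" and "Match User" with literal names are evaluated.

```shell
# Added example: which AuthenticationMethods value applies to one user?
# Reads sshd_config text on stdin. Assumption: only "Match all" and
# "Match User name[,name]" with literal names are evaluated; other criteria
# and wildcard patterns are treated as not matching.
effective_auth_methods() {  # usage: effective_auth_methods <user> < config
    awk -v user="$1" '
        function block_matches(   i, n, names) {
            if (tolower($2) == "all") return 1
            if (tolower($2) != "user" || NF != 3) return 0
            n = split($3, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == user) return 1
            return 0
        }
        /^[ \t]*#/ || NF == 0 { next }           # comments, blank lines
        tolower($1) == "match" { in_match = 1; applies = block_matches(); next }
        tolower($1) == "authenticationmethods" {
            val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)
            if (!in_match && global_val == "") global_val = val
            if (in_match && applies && match_val == "") match_val = val
        }
        END {   # a matching Match block overrides the global section; default is "any"
            if (match_val != "") print match_val
            else if (global_val != "") print global_val
            else print "any"
        }'
}

# Space-separated lists are alternatives; comma-joined methods must all succeed.
# Returns 0 when a key alone completes the login.
key_alone_suffices() {  # usage: key_alone_suffices "<AuthenticationMethods value>"
    for list in $1; do
        case $list in any|publickey) return 0 ;; esac
    done
    return 1
}

# Constructed sample config (not from a real server), mirroring the post's Match block.
sample_config() {
    cat <<'EOF'
AuthenticationMethods publickey
Match User sam
    AuthenticationMethods publickey,keyboard-interactive
Match User deploy,backup
    AuthenticationMethods publickey password
EOF
}

methods=$(sample_config | effective_auth_methods sam)
key_alone_suffices "$methods" && verdict="key alone" || verdict="key plus another method"
echo "sam: $methods -> $verdict"
```

On a live server, sshd -T -C user=sam prints the configuration sshd itself resolves for that user, which is the authoritative check.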
When your SSH server accepts your public key but still prompts for password authentication, this typically indicates a configuration mismatch between client and server. Let's examine the debug output more closely:
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentications that can continue: publickey,password,keyboard-interactive
First verify your sshd_config settings on the remote server:
# Check these critical parameters in /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Recommended setting
PasswordAuthentication no
# Enforce key-only auth
AuthenticationMethods publickey
On your local machine, ensure proper key permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/known_hosts
Enable maximum verbosity on both ends:
# On client:
ssh -vvv user@host
# On server (the file is /var/log/secure on RHEL/CentOS):
sudo tail -f /var/log/auth.log
The home directory and authorized_keys file must have strict permissions:
# On server:
chmod 700 ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
On RHEL/CentOS systems, verify SELinux context:
restorecon -Rv ~/.ssh
Add this to your local SSH config (~/.ssh/config):
Host myserver
    HostName server.example.com
    User myuser
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PreferredAuthentications publickey
Sometimes recreating keys solves mysterious issues:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_new
ssh-copy-id -i ~/.ssh/id_rsa_new.pub user@host