Ssh yields "Permission denied (publickey,keyboard-interactive)"

local host: ssh v9.9p1
remote host: ssh v8.4

Today there was a significant update to Tumbleweed. Both ssh and Gnome were updated.

Gnome/ssh are now requesting the passphrase for connecting to remote systems. Ordinarily not a problem; except that I have forgotten the passphrase for one of the keys. No request for it has been made in 6 years.

I have followed numerous online recommendations for recovering from this issue. Mainly, fix file permissions, or create a new key pair. Which I did. The adamant result for attempts to connect to one particular host has been:

$ ssh -p 2022 sma-user3x@sma-server3
sma-user3x@sma-server3: Permission denied (publickey,keyboard-interactive).

I had recorded other passphrases and can connect to all other remote hosts. In fact, the only host that refuses connection is the one shown above. Other hosts can log into sma-server3. sma-server3 logs into other hosts. In fact, sma-server3 can log into this host.

It is some particular issue from the local host to sma-server3.

I added a section to the config file for sma-server3. It made no difference.

$ cat .ssh/config
AddKeysToAgent yes
#
IdentityFile ~/.ssh/sma-stn14l
#
 host sma-server3
 user sma-user3x
 Port 2022
 PreferredAuthentications password

 host *
 PreferredAuthentications publickey,password
 IdentitiesOnly yes

Maybe on server sma-server3 there is something such as
AuthorizedKeysFile .ssh/authorized_keys
on other implementations known_hosts ?

For this kind of problem it is a good idea to set up the connection using “ssh -v -v -v” and study the output.

If you have access to the server, setting LogLevel to “LogLevel DEBUG3” is also a good idea.

Why are you not using passwordless login for the remote host?
That can be done using ssh-copy-id

Post full output of

ssh -vvv -p 2022 sma-user3x@sma-server3

To be clear,
all systems involved are running on flavors of opensuse?

I did that. It is a lot of technical output. The end result is: Cannot agree on a protocol.

$ ssh-copy-id sma-user3x@sma-server3
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ssh-add -L
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 10 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sma-user3x@sma-server3: Permission denied (publickey,keyboard-interactive).
$ ssh -vvv -p 2022 sma-user3x@sma-server3
OpenSSH_9.9p1, OpenSSL 3.1.4 24 Oct 2023
debug1: Reading configuration data /home/jmoe/.ssh/config
debug1: /home/jmoe/.ssh/config line 51: Applying options for sma-server3
debug1: /home/jmoe/.ssh/config line 56: Applying options for *
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug3: /usr/etc/ssh/ssh_config line 30: Including file /etc/ssh/ssh_config.d/50-suse.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug2: checking match for 'final all' host sma-server3 originally sma-server3
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: /usr/etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/jmoe/.ssh/config
debug2: add_identity_file: ignoring duplicate key ~/.ssh/sma-stn14l
debug1: /home/jmoe/.ssh/config line 51: Applying options for sma-server3
debug1: /home/jmoe/.ssh/config line 56: Applying options for *
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug3: /usr/etc/ssh/ssh_config line 30: Including file /etc/ssh/ssh_config.d/50-suse.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug2: checking match for 'final all' host sma-server3 originally sma-server3
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: /usr/etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/jmoe/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/jmoe/.ssh/known_hosts2'
debug2: resolving "sma-server3" port 2022
debug3: resolve_host: lookup sma-server3:2022
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to sma-server3 [fd2f:4760:521f:3f3c::c0a8:45f6] port 2022.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x10
debug1: Connection established.
debug1: identity file /home/jmoe/.ssh/sma-stn14l type 3
debug1: identity file /home/jmoe/.ssh/sma-stn14l-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: compat_banner: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sma-server3:2022 as 'sma-user3x'
debug3: put_host_port: [sma-server3]:2022
debug3: record_hostkey: found key type ED25519 in file /home/jmoe/.ssh/known_hosts:45
debug3: load_hostkeys_file: loaded 1 keys from [sma-server3]:2022
debug1: load_hostkeys: fopen /home/jmoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:THVxQkA//Kp5WQXal1a+fq2UWPImoRLAo4jiddcol10
debug3: put_host_port: [fd2f:4760:521f:3f3c::c0a8:45f6]:2022
debug3: put_host_port: [sma-server3]:2022
debug3: record_hostkey: found key type ED25519 in file /home/jmoe/.ssh/known_hosts:45
debug3: load_hostkeys_file: loaded 1 keys from [sma-server3]:2022
debug1: load_hostkeys: fopen /home/jmoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[sma-server3]:2022' is known and matches the ED25519 host key.
debug1: Found key in /home/jmoe/.ssh/known_hosts:45
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred password
debug1: No more authentication methods to try.
sma-user3x@sma-server3: Permission denied (publickey,keyboard-interactive).

Yes. The local host is Tumbleweed; sma-server3 is Leap 15.5. Other remote hosts I have successfully connected to are Linux, Windows, or a specialty OS as for a firewall.

Your config isn’t going to work.

You have a local config that says only use publickey or password, the server is presenting publickey or keyboard-interactive.

You’re trying to set up publickey so we don’t expect that to work, but that is the only authentication mechanism that the client and server share.

Ah. That provided a clue. Thank you!
Changing the config entry “PreferredAuthentications publickey,password” to “PreferredAuthentications publickey,password,keyboard-interactive” allowed password entry. ssh-copy-id then proceeded normally and life has returned to its previous glorious state.
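
The mismatch diagnosed above can be read off two lines of the ssh -vvv output: the server's "Authentications that can continue" list and the client's "preferred" list. The following is an added example, not part of the original thread: a shell function (the name auth_overlap is hypothetical) that extracts both lists and prints the methods they share. The first sample is copied from the log above; the second is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): compare the authentication methods a
# server offers with the methods the client is willing to try.

# Sample 1: lines copied from the ssh -vvv log on this page.
SAMPLE_FAIL='debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred password
debug1: No more authentication methods to try.'

# Sample 2: constructed; the client side with keyboard-interactive added.
SAMPLE_FIXED='debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: preferred publickey,password,keyboard-interactive'

# auth_overlap: read ssh debug output on stdin and print one line of the form
#   server=<offered> client=<preferred> common=<intersection or NONE>
auth_overlap() {
  awk '
    # Server side: methods listed in the USERAUTH_FAILURE reply.
    /Authentications that can continue:/ {
      sub(/.*continue: */, ""); server = $0
    }
    # Client side: effective PreferredAuthentications after config merging.
    # "remaining preferred:" lines do not match this pattern.
    /debug3: preferred / {
      sub(/.*preferred */, ""); client = $0
    }
    END {
      gsub(/[ \r]/, "", server); gsub(/[ \r]/, "", client)
      n = split(client, want, ",")
      m = split(server, offer, ",")
      for (i = 1; i <= m; i++) offered[offer[i]] = 1
      common = ""
      # Keep client preference order, since that is the order ssh tries them.
      for (i = 1; i <= n; i++)
        if (want[i] in offered)
          common = common (common ? "," : "") want[i]
      printf "server=%s client=%s common=%s\n", server, client, (common ? common : "NONE")
    }'
}

printf '%s\n' "$SAMPLE_FAIL"  | auth_overlap
printf '%s\n' "$SAMPLE_FIXED" | auth_overlap
```

On a live system, pipe real output into it with ssh -vvv -p 2022 sma-user3x@sma-server3 2>&1 | auth_overlap. ssh -G sma-server3 prints the effective preferredauthentications value after all Host blocks have been applied.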
