SSH public key authentication between VMs not working for “postgres” user





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







2















I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 58: Applying options for *

debug2: resolving "192.168.1.104" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.

debug1: Connection established.

debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4

debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 192.168.1.104:22 as 'postgres'

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug1: Host '192.168.1.104' is known and matches the ECDSA host key.

debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)

debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519

debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?






linux ssh vmware centos-7 postgresql







share|improve this question

























  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05


















2















I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 58: Applying options for *

debug2: resolving "192.168.1.104" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.

debug1: Connection established.

debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4

debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 192.168.1.104:22 as 'postgres'

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug1: Host '192.168.1.104' is known and matches the ECDSA host key.

debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)

debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519

debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?






linux ssh vmware centos-7 postgresql







share|improve this question

























  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05














2












2








2








I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 58: Applying options for *

debug2: resolving "192.168.1.104" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.

debug1: Connection established.

debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4

debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 192.168.1.104:22 as 'postgres'

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug1: Host '192.168.1.104' is known and matches the ECDSA host key.

debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)

debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519

debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?






linux ssh vmware centos-7 postgresql







share|improve this question
















I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 58: Applying options for *

debug2: resolving "192.168.1.104" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.

debug1: Connection established.

debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4

debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 192.168.1.104:22 as 'postgres'

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug1: kex: curve25519-sha256 need=64 dh_need=64

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c

debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 192.168.1.104

debug1: Host '192.168.1.104' is known and matches the ECDSA host key.

debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)

debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))

debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa

debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519

debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?






linux ssh vmware centos-7 postgresql




linux ssh vmware centos-7 postgresql






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 7 at 23:59







lpm5152

















asked Feb 6 at 1:17









lpm5152lpm5152

113




113













  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05



















  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05

















Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

– davidgo
Feb 6 at 3:02





Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

– davidgo
Feb 6 at 3:02













@davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

– lpm5152
Feb 6 at 13:06





@davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

– lpm5152
Feb 6 at 13:06













The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

– Kenster
Feb 6 at 18:14







The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

– Kenster
Feb 6 at 18:14















Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

– davidgo
Feb 6 at 18:31





Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

– davidgo
Feb 6 at 18:31













@Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

– lpm5152
Feb 8 at 0:05





@Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

– lpm5152
Feb 8 at 0:05










0






active

oldest

votes












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402486%2fssh-public-key-authentication-between-vms-not-working-for-postgres-user%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402486%2fssh-public-key-authentication-between-vms-not-working-for-postgres-user%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Plaza Victoria

Image
Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l
Read more

In PowerPoint, is there a keyboard shortcut for bulleted / numbered list?

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 2 OneNote has two useful keyboard shortcuts for bulleted and numbered lists, namely Ctrl + . and Ctrl + - . Is there something similar for PowerPoint where the work with lists is also very common? Haven't found anything here: Use keyboard shortcuts in PowerPoint. keyboard-shortcuts microsoft-powerpoint share | improve this question edited Aug 14 '14 at 14:49 Linger 2,826 10 28 40
Read more

How to put 3 figures in Latex with 2 figures side by side and 1 below these side by side images but in...

Image
1 0 I want to put 3 images in LateX such as 2 figures are side by side horizotally and 3rd figure below these 2 side by side figures but in middle. I have following code: begin{figure}[H] centering begin{minipage}{.5textwidth} centering includegraphics[width=.50linewidth]{Text/Images/Genelec_8010_AP.jpg} captionof{figure}{Genelec 8010 AP} label{fig:Genelec 8010} end{minipage}% begin{minipage}{.5textwidth} centering includegraphics[width=.69linewidth]{Text/Images/Genelec_8020_CPM.jpg} captionof{figure}{Genelec 8020 CPM} label{fig:Genelec 8020} end{minipage}% end{figure} %%Here is my 3rd picture code begin{figure} centering includegraphics[width=5cm]{Text/Images/Genelec_8030_BPM.jpg} caption{Genelec 8030 BPM} label{fig:Genelec 8030} end{figure} I want to ask ho
Read more