SSH public key authentication between VMs not working for “postgres” user





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







2















I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "192.168.1.104" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.
debug1: Connection established.
debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.104:22 as 'postgres'
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug1: Host '192.168.1.104' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)
debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519
debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?










share|improve this question

























  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05


















2















I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "192.168.1.104" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.
debug1: Connection established.
debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.104:22 as 'postgres'
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug1: Host '192.168.1.104' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)
debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519
debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?










share|improve this question

























  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05














2












2








2








I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "192.168.1.104" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.
debug1: Connection established.
debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.104:22 as 'postgres'
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug1: Host '192.168.1.104' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)
debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519
debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?










share|improve this question
















I have a curious problem - very similar to the question here, but none of the answers have worked for me.



The problem



Public key authentication fails from the primary to the replica node. I used ssh-keygen to create a new key under the "postgres" user on each machine, and then used ssh-copy-id to copy each machine's public key to the other.



Under the postgres account, this only works from the replica to the primary, not vice-versa. Additionally, this process works both ways for all other users on the machines.



Files and logs:



First, the ssh log (truncated slightly):



ssh -vvv 192.168.1.104
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "192.168.1.104" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.104 [192.168.1.104] port 22.
debug1: Connection established.
debug1: identity file /var/lib/pgsql/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.104:22 as 'postgres'
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:D8LwBEs1BC7iSlmZOa3b58/gS6mRIIxfGHl6buMJA/c
debug3: hostkeys_foreach: reading file "/var/lib/pgsql/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /var/lib/pgsql/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.104
debug1: Host '192.168.1.104' is known and matches the ECDSA host key.
debug1: Found key in /var/lib/pgsql/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /var/lib/pgsql/.ssh/id_rsa (0x556e0db5a510)
debug2: key: /var/lib/pgsql/.ssh/id_dsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ecdsa ((nil))
debug2: key: /var/lib/pgsql/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /var/lib/pgsql/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /var/lib/pgsql/.ssh/id_dsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ecdsa
debug3: no such identity: /var/lib/pgsql/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /var/lib/pgsql/.ssh/id_ed25519
debug3: no such identity: /var/lib/pgsql/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


I'm absolutely stumped. Are there other reasons that the public key authentication might fail to work? What troubleshooting should I perform from here?



Edit



Disabling SELinux has fixed the problem, but leaves me with a number questions - some of which are auxiliary and perhaps out of scope for this, but that I think may be useful to future visitors nonetheless:




  1. How do I solve this problem without disabling SELinux? I failed at using audit2allow, Can this be accomplished without any third-party tools (i.e., only what is available on the CentOS 7 minimal ISO)?

  2. Why would SELinux policies be different between the two virtual machines? They were both cloned from the same template.

  3. Why would SELinux only affect one user account, but not another?







linux ssh vmware centos-7 postgresql






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 7 at 23:59







lpm5152

















asked Feb 6 at 1:17









lpm5152lpm5152

113




113













  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05



















  • Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

    – davidgo
    Feb 6 at 3:02











  • @davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

    – lpm5152
    Feb 6 at 13:06











  • The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

    – Kenster
    Feb 6 at 18:14













  • Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

    – davidgo
    Feb 6 at 18:31











  • @Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

    – lpm5152
    Feb 8 at 0:05

















Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

– davidgo
Feb 6 at 3:02





Have you tried (temporarily) disabling selinux and checked the firewall allows port 22?

– davidgo
Feb 6 at 3:02













@davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

– lpm5152
Feb 6 at 13:06





@davidgo: First of all, thank you for your reply! I did an nmap scan against both servers, and both show port 22 as open. I did retry "firewall-cmd --permanent --zone=public --add-port=22/tcp" and got "WARNING: ALREADY_ENABLED". As for SELinux, I did as the other post mentioned, checked the audit log and tried to create some new policies, but I could have done it incorrectly. I will try your suggestion to completely disable it and post back my results.

– lpm5152
Feb 6 at 13:06













The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

– Kenster
Feb 6 at 18:14







The ssh output shows that it offered /var/lib/pgsql/.ssh/id_rsa to the remote server, and the server didn't accept it. You should start by looking at the log on the remote server to see if it logged the reason why. SSHD logs through syslog and its log messages are usually in one of the files in /var/logs. You should also check permissions on the parent directories (/, /var, and /var/lib) of the postgres user's home directory on the remote system to see if they're too generous.

– Kenster
Feb 6 at 18:14















Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

– davidgo
Feb 6 at 18:31





Less likely, but if /etc/ssh/sshd_config has an AllowUsers line this can limit access. I also cam across a really obscure bug with particular vesrsions of ssh which would not negotiate a connection - upgrading ssh fixed that.

– davidgo
Feb 6 at 18:31













@Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

– lpm5152
Feb 8 at 0:05





@Kenster: Thank you for your reply! I checked the permissions, and the /var/lib/pgsql directory is writeable only by the postgres user. I tried Davidgo's suggestion to disable SELinux and it seems to have fixed it, so I'm going to seek a more permanent solution than disabling SELinux. Thank you!

– lpm5152
Feb 8 at 0:05










0






active

oldest

votes












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402486%2fssh-public-key-authentication-between-vms-not-working-for-postgres-user%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402486%2fssh-public-key-authentication-between-vms-not-working-for-postgres-user%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Plaza Victoria

Puebla de Zaragoza

Musa