I was trying to enable SSH key-based authentication on a Photon OS VM I created on my ESXi host. After adding my public key to the authorized_keys file, it still would not let me log in with my private key. All I got was: "server refused our key."

Running sshd with the debug flag reveals the cause. Make sure to use a key generated by a secure algorithm (e.g., ECDSA or ED25519).
A quick Google search brought me nowhere. The common cause (1, 2, 3) seems to be incorrect permissions on the authorized_keys file, which prevent sshd from reading the public keys. I tried chmod and moving the file around; neither helped.
Eventually I decided to see if I could get any more useful information out of sshd. Strangely, enabling `LOGLEVEL Debug3` in `/etc/ssh/sshd_config` did nothing. No log file was generated in
The only option left was to kill the sshd daemon and run it interactively in debug mode to observe the output. This can be done as follows:

```sh
# sshd refuses to start unless invoked by its absolute path, so resolve it
# with `which`. -dd is debug level 2 (Debug2); each extra d adds detail.
# In debug mode sshd stays in the foreground, prints to the terminal and
# exits after serving a single connection, so the daemon must be stopped
# first or port 22 will already be in use.
$(which sshd) -dd
```
Then I restarted the PuTTY session and found the root cause of the "server refused our key" message:

```
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
```
It looks like the algorithm (`ssh-rsa`) used to generate my key is not accepted.
The obvious solution would be to add `ssh-rsa` to the accepted algorithm list. However, as pointed out by this article, the main reason the `ssh-rsa` (SHA-1) algorithm is no longer accepted by default is that it was deprecated due to security vulnerabilities.
The correct solution is to use a key generated with a secure algorithm such as ECDSA or ED25519. You can do this with either PUTTYGEN.EXE or `ssh-keygen -t ecdsa`.
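The debug line above is the server comparing the algorithm the client signed with against its PubkeyAcceptedAlgorithms list, so the useful check on the server side is "which of the keys in authorized_keys can a client still use with this list?". The script below is an added example, not code from the original post: it scans an authorized_keys file (including lines with a leading options field such as `command="..."`), classifies each key against a comma-separated accepted list, and reports the three outcomes that matter. One caveat it makes visible: an RSA key is not refused by its type alone. What the 8.8+ default drops is the SHA-1 signature name `ssh-rsa`; a client that signs with `rsa-sha2-256` or `rsa-sha2-512` can still use the same RSA key, while a client that only offers `ssh-rsa` hits exactly the error in the post. The accepted list and the authorized_keys contents are constructed samples; the key blobs are fake placeholders. The `sshd -T` query in the comments is a real OpenSSH option and needs root.

```sh
#!/bin/sh
# Added example, not from the original post: audit an authorized_keys file
# against the server's PubkeyAcceptedAlgorithms list and report which keys
# a client can still use. Key type and algorithm names are OpenSSH's; the
# sample file and sample accepted list are constructed for this demo.

# key_type_of LINE: print the key-type field of one authorized_keys line.
# A line may start with options (command="...", from="..."), so take the
# first whitespace-separated field that looks like a key type. Comments and
# blank lines print nothing. (An option value that itself contains a key-type
# name would fool this scan; it is a sanity check, not a full parser.)
key_type_of() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { exit }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                  print $i; exit
              } }'
}

# in_list NAME LIST: true if NAME is one of the comma-separated LIST entries.
in_list() {
    printf '%s\n' "$2" | tr ',' '\n' | grep -qxF -- "$1"
}

# classify_key TYPE ACCEPTED: print one of
#   ok         the key type itself is an accepted signature algorithm
#   sha2-only  RSA key whose SHA-1 signature name (ssh-rsa) is refused but
#              rsa-sha2-256/512 are accepted: works only with a client that
#              signs with SHA-2; a client offering ssh-rsa gets "server
#              refused our key" exactly as in the post
#   refused    nothing this key could sign with is accepted
classify_key() {
    ktype=$1; accepted=$2
    if in_list "$ktype" "$accepted"; then
        echo ok
    elif [ "$ktype" = ssh-rsa ] && { in_list rsa-sha2-256 "$accepted" || in_list rsa-sha2-512 "$accepted"; }; then
        echo sha2-only
    else
        echo refused
    fi
}

# audit_authorized_keys FILE ACCEPTED: print "<verdict> <type> <comment>" per key.
audit_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        ktype=$(key_type_of "$line")
        [ -n "$ktype" ] || continue
        # the comment is the field two past the key type (type, blob, comment)
        comment=$(printf '%s\n' "$line" | awk -v t="$ktype" \
            '{ for (i = 1; i <= NF; i++) if ($i == t) { print $(i + 2); exit } }')
        printf '%s %s %s\n' "$(classify_key "$ktype" "$2")" "$ktype" "$comment"
    done < "$1"
}

# Constructed sample accepted list: the shape of the OpenSSH 8.8+ default,
# where the SHA-1 ssh-rsa name is gone. Query the real value on a server with:
#   sshd -T | grep -i pubkeyacceptedalgorithms
SAMPLE_ACCEPTED='ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256'

# Constructed sample authorized_keys; the key blobs are fake placeholders.
write_sample_keys() {
    cat > "$1" <<'EOF'
# admin keys
ssh-rsa AAAAB3NzaC1yc2E_FAKE_BLOB putty-user@win
command="/usr/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_FAKE_BLOB backup@host
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY_FAKE_BLOB laptop

ssh-dss AAAAB3NzaC1kc3M_FAKE_BLOB legacy
EOF
}

demo() {
    f=$(mktemp)
    write_sample_keys "$f"
    audit_authorized_keys "$f" "$SAMPLE_ACCEPTED"
    rm -f "$f"
}
demo
```

On a real server, feed it the live list: `audit_authorized_keys ~/.ssh/authorized_keys "$(sshd -T | awk '/^pubkeyacceptedalgorithms/ { print $2 }')"` (as root). A `sha2-only` verdict means the key is fine with a current OpenSSH client but will still produce "server refused our key" from a client that only signs with `ssh-rsa`, which is why replacing the key with an ECDSA or ED25519 one, as the post does, removes the dependency on the client's signature support altogether.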