
How to resolve 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic)'

1. The purpose of this post

I will demonstrate how to resolve this error when working with SSH in Linux:

➜ .ssh ssh-copy-id -i id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

2. Environments

  • Linux CentOS 7

3. Basics

In the context of SSH (Secure Shell) login on a Linux system, publickey, gssapi-keyex, and gssapi-with-mic are authentication methods that can be used to establish a secure connection. Here’s a brief introduction to each:

  1. Publickey Authentication:

    • This is one of the most common and secure methods of authentication used by SSH. It relies on public-private key pairs where the private key is held by the client, and the public key is stored on the server.
    • When a user attempts to log in, the SSH client presents its public key. The server checks this against the list of authorized public keys it maintains. If a match is found, the server then sends a challenge to the client, which the client must sign with its private key to prove ownership.
    • Publickey authentication is preferred for its security and convenience, as it doesn’t require the user to enter a password during the login process.
  2. GSSAPI Key Exchange (gssapi-keyex):

    • GSSAPI stands for Generic Security Services Application Program Interface. It’s a standard for authentication and delegation of rights to various services, including SSH.
    • In the context of SSH, GSSAPI key exchange is a method that uses GSSAPI to establish the secure connection between the client and the server. It’s particularly useful in environments that use Kerberos for centralized authentication.
    • GSSAPI key exchange can provide a seamless login experience for users who are already authenticated to a Kerberos realm, as it can delegate credentials to the SSH session without the need for the user to manually enter a password.
  3. GSSAPI with MIC (gssapi-with-mic):

    • This method extends GSSAPI authentication by adding a Message Integrity Check (MIC). It ensures that not only are the clients and servers authenticated against each other, but also that the data exchanged during the session has not been tampered with.
    • The “with-mic” part of the name refers to the use of cryptographic checksums (hashes) to verify the integrity of messages. This provides an additional layer of security on top of the authentication provided by GSSAPI.
    • GSSAPI with MIC is often used in environments where data integrity is crucial, such as in financial or government sectors.

To use these authentication methods, they must be enabled in the SSH server configuration file (/etc/ssh/sshd_config) and the appropriate keys or Kerberos infrastructure must be set up. The configuration might look something like this:

/etc/ssh/sshd_config
PubkeyAuthentication yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
UsePAM yes

After making changes to the SSH configuration, the SSH service must be restarted to apply the changes.

4. Solution and commands

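This error is caused by the configuration of the SSH service, which does not allow password login. The list in parentheses names the authentication methods the server will still accept; password is not among them, and ssh-copy-id has no other way to log in before the key is installed. As a result, ssh-copy-id complains about “Permission denied (publickey,gssapi-keyex,gssapi-with-mic).”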

How to resolve it? Just enable password authentication temporarily:

4.1 Open sshd_config

vi /etc/ssh/sshd_config

4.2 Find the line

Find this line:

PasswordAuthentication no

Change it to:

PasswordAuthentication yes

4.3 Restart SSH service

service sshd restart

4.4 Retry the SSH command

➜ .ssh ssh-copy-id -i id_rsa.pub [email protected]

Everything should be working now.

4.5 Disable password authentication for SSH service

Once the key is installed, undo the change: set PasswordAuthentication back to no in /etc/ssh/sshd_config and restart the SSH service again.
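
Steps 4.1 to 4.5 as one script, added here as an example and not part of the original post. The function names are hypothetical; the script assumes one whitespace-separated "Keyword value" pair per line, checks the edited file with sshd -t before each restart, and confirms the lock-down at the end.

```sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes one "Keyword value" pair per line, separated by whitespace.

# Print the global PasswordAuthentication value in the config file "$1".
# sshd keeps the first value it reads for a keyword; unset means "yes".
effective_password_auth() {
    awk 'tolower($1) == "match" { exit }    # global section ends at first Match
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Set the global PasswordAuthentication in "$1" to "$2" (yes|no).
# Leaves a backup in "$1.bak"; comments and Match blocks are not touched.
set_password_auth() {
    case "$2" in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    cp -p "$1" "$1.bak" || return 1
    tmp=$(mktemp) || return 1
    awk -v v="$2" '
        tolower($1) == "match" {
            if (!done) { print "PasswordAuthentication " v; done = 1 }
            in_match = 1
        }
        !in_match && tolower($1) == "passwordauthentication" {
            if (!done) { print "PasswordAuthentication " v; done = 1 }
            next                            # drop duplicate global lines
        }
        { print }
        END { if (!done) print "PasswordAuthentication " v }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"                   # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Steps 4.1 to 4.5 in one run. Needs root on the server; call it by hand.
enable_temporarily() {
    cfg=/etc/ssh/sshd_config
    set_password_auth "$cfg" yes && sshd -t && service sshd restart ||
        { cp -p "$cfg.bak" "$cfg"; return 1; }
    printf 'Run ssh-copy-id on the client, then press Enter here: '
    read -r _ || true
    # Lock down again and confirm that the global value is back to "no".
    set_password_auth "$cfg" no && sshd -t && service sshd restart &&
        [ "$(effective_password_auth "$cfg")" = no ]
}
```

A PasswordAuthentication line inside a Match block is a conditional override and is left as it is, so review those blocks separately.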

Summary

In this post, we discussed how to resolve the “Permission denied (publickey,gssapi-keyex,gssapi-with-mic)” error in SSH by temporarily enabling password authentication. This involves editing the SSH configuration file (/etc/ssh/sshd_config), restarting the SSH service, and then retrying the ssh-copy-id command. After successfully copying the SSH key, it is important to disable password authentication again to maintain the security of your SSH service.

Final Words + More Resources

My intention with this article was to help others who might be considering solving such a problem. So I hope that’s been the case here. If you still have any questions, don’t hesitate to ask me by email: Email me
