How to solve 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic)'

1. The purpose of this post

This post demonstrates how to solve the following error, which can occur when working with SSH on Linux:

➜  .ssh ssh-copy-id -i id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

2. Environments

  • Linux CentOS 7

3. Basics

In the context of SSH (Secure Shell) login on a Linux system, publickey, gssapi-keyex, and gssapi-with-mic are authentication methods that can be used to establish a secure connection. Here’s a brief introduction to each:

  1. Publickey Authentication:
    • This is one of the most common and secure methods of authentication used by SSH. It relies on public-private key pairs where the private key is held by the client, and the public key is stored on the server.
    • When a user attempts to log in, the SSH client presents its public key. The server checks this against the list of authorized public keys it maintains. If a match is found, the server then sends a challenge to the client, which the client must sign with its private key to prove ownership.
    • Publickey authentication is preferred for its security and convenience, as it doesn’t require the user to enter a password during the login process.
  2. GSSAPI Key Exchange (gssapi-keyex):
    • GSSAPI stands for Generic Security Services Application Program Interface. It’s a standard for authentication and delegation of rights to various services, including SSH.
    • In the context of SSH, GSSAPI key exchange is a method that uses GSSAPI to establish the secure connection between the client and the server. It’s particularly useful in environments that use Kerberos for centralized authentication.
    • GSSAPI key exchange can provide a seamless login experience for users who are already authenticated to a Kerberos realm, as it can delegate credentials to the SSH session without the need for the user to manually enter a password.
  3. GSSAPI with MIC (gssapi-with-mic):
    • This method extends GSSAPI authentication by adding a Message Integrity Check (MIC). It ensures that not only are the clients and servers authenticated against each other, but also that the data exchanged during the session has not been tampered with.
    • The “with-mic” part of the name refers to the use of cryptographic checksums (hashes) to verify the integrity of messages. This provides an additional layer of security on top of the authentication provided by GSSAPI.
    • GSSAPI with MIC is often used in environments where data integrity is crucial, such as in financial or government sectors.

To use these authentication methods, they must be enabled in the SSH server configuration file (/etc/ssh/sshd_config) and the appropriate keys or Kerberos infrastructure must be set up. The configuration might look something like this:

# In /etc/ssh/sshd_config

PubkeyAuthentication yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
UsePAM yes

# To use GSSAPI with MIC, ensure that the GSSAPI authentication is enabled
# and that the client and server are configured to use it.

After making changes to the SSH configuration, the SSH service must be restarted to apply the changes.

It’s important to note that while these methods can enhance security, they also require careful configuration and management, especially in complex environments with multiple authentication services.

4. Solution and commands

This error is caused by a misconfiguration of the SSH service: it does not allow password login, so ssh-copy-id fails with “Permission denied (publickey,gssapi-keyex,gssapi-with-mic)”.

How to solve it? Just enable the password authentication temporarily:

4.1 Open sshd_config

vi /etc/ssh/sshd_config

4.2 Find the line

Find this line: PasswordAuthentication no

Change it to: PasswordAuthentication yes

4.3 Restart the SSH service

service sshd restart

4.4 Retry the ssh command

➜  .ssh ssh-copy-id -i id_rsa.pub [email protected]

Everything should be ok now.

4.5 Disable the password authentication of the SSH service

Just undo the changes in the /etc/ssh/sshd_config, then restart the SSH service again.
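
Steps 4.1 to 4.5 as shell functions, added here as an example and not part of the original post: they flip the first active PasswordAuthentication directive, syntax-check the file before the restart, and report the effective value so you can confirm password login is off again afterwards. The function names, the .bak backup and the /usr/sbin/sshd path are assumptions; directives inside Match blocks or included files are not handled.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes PasswordAuthentication is
# set in the global part of the file (not in a Match block or an included file)
# and is written as "Keyword value" separated by whitespace.

# Print the effective global value. sshd uses the first occurrence of a
# keyword, keywords are case-insensitive, and the built-in default is "yes".
effective_password_auth() {
    awk '
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == "passwordauthentication" { print tolower($2); hit = 1; exit }
        END { if (!hit) print "yes" }
    ' "$1"
}

# Set the first active directive to yes|no, keeping a copy in <file>.bak.
# If no active directive exists, add one before the first Match block
# (or at the end of the file when there is none).
set_password_auth() {
    file=$1 value=$2
    case $value in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    cp -p "$file" "$file.bak" || return 1
    awk -v v="$value" '
        !hit && tolower($1) == "match" { print "PasswordAuthentication " v; hit = 1 }
        !hit && tolower($1) == "passwordauthentication" {
            print "PasswordAuthentication " v; hit = 1; next
        }
        { print }
        END { if (!hit) print "PasswordAuthentication " v }
    ' "$file.bak" > "$file"
}

# Syntax-check the file before restarting, so a typo cannot take sshd down.
# Needs root; /usr/sbin/sshd is the usual CentOS 7 path (assumption).
restart_sshd_checked() {
    /usr/sbin/sshd -t -f "$1" && service sshd restart
}

# Typical sequence for section 4 (run as root on the server):
#   set_password_auth /etc/ssh/sshd_config yes && restart_sshd_checked /etc/ssh/sshd_config
#   ... run ssh-copy-id from the client ...
#   set_password_auth /etc/ssh/sshd_config no  && restart_sshd_checked /etc/ssh/sshd_config
#   effective_password_auth /etc/ssh/sshd_config
```

Running effective_password_auth after step 4.5 is the check that matters: if it still reports yes, the server is accepting password logins.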