Public Key authentication fails with server error public key refused

  • 7023041
  • 01-Jun-2018
  • 28-Feb-2020

Environment

Reflection for Secure IT Server for Windows

Situation

An ssh, sftp, or scp client fails to authenticate to the Reflection for Secure IT Server for Windows (RSSW) using public key authentication. The RSSW protocol details debug log reports:
"the public key could not be found among the public keys configured for this user or group in RSSHD settings (%D\.ssh2\authorization); public key refused."

RSSW version 8.2 protocol details debug log displays something similar to the following:

000000001347 2020-02-14 18:16:30.468 6408 DOMAIN\username:[Trace][40252] WindowsServerAuthenticator.cpp:WindowsServerAuthenticator::IsSshKeyTrusted(1928) Reading authorization file: "C:\Users\username\.ssh2\authorization". Found public keys from user's settings: Key ' "2048-bit RSA, exported by username@hostname"' from C:\Users\username\.ssh2\id_RSA_2048_HOSTNAME_a.pub.
000000001348 2020-02-14 18:16:30.468 6408 DOMAIN\username:[Info][30304] WindowsServerAuthenticator.cpp:WindowsServerAuthenticator::IsSshKeyTrusted(1957) Logon attempt 1 for user name 'username' with logon method 'publickey' (algorithm: 'ssh-rsa', public key fingerprint: 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83, test only): the public key could not be found among the public keys configured for this user or group in RSSHD settings (%D\.ssh2\authorization); public key refused.

RSSW version 8.3 protocol details debug log displays something similar to the following:

Important Note: RSSW version 8.3 can print public key fingerprints in three display formats: Base64 (the default), BubbleBabble, and Hexadecimal. Set the format to Hexadecimal so the logged fingerprint can be compared directly with the ssh-keygen output used in the resolution steps.

000001328008 2020-02-14 18:31:46.292 4804 DOMAIN\username[Trace][40252] windowsserverauthenticator.cpp:WindowsServerAuthenticator::IsSshKeyTrusted(1944) Reading authorization file: "C:\Users\username\.ssh2\authorization". Found public keys from user's settings:
000001328009 2020-02-14 18:31:46.292 4804 DOMAIN\username:[Info][30304] windowsserverauthenticator.cpp:WindowsServerAuthenticator::IsSshKeyTrusted(1973) Logon attempt 7 for user name 'username' from '10.8.2.115' with logon method 'publickey' (algorithm: 'ssh-rsa', public key fingerprints: MD5:60:CB:C9:BD:73:95:1A:03:20:35:17:F9:FE:7C:C3:83 SHA1:0F:16:FE:83:11:89:24:82:2B:48:D7:DB:08:6F:79:E0:52:A5:13:88 SHA256:4E:4B:10:14:C4:39:2C:79:43:3B:37:24:EA:E9:16:85:E7:D4:67:BE:5A:CF:0D:BB:C8:7A:14:B3:BD:BD:B0:48, test only): the public key could not be found among the public keys configured for this user or group in RSSHD settings (%D\.ssh2\authorization); public key refused.

Resolution

1. Locate the key id_RSA_2048_HOSTNAME_a.pub on the client machine. Typically the keys will be in the user's .ssh directory.

For example: C:\Users\username\Documents\Micro Focus\Reflection\.ssh

2. Use ssh-keygen to confirm that the key on the client is the same as the key on the server. Run the following command on the client to display the fingerprint of the public key file.

C:\Users\username\Documents\Micro Focus\Reflection\.ssh>ssh-keygen -l -f id_RSA_2048_HOSTNAME_a.pub

2048 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83 Comment: "2048-bit RSA, username@HOSTNAME"

3. Compare the fingerprint of the client's public key (also recorded in the server debug log) with the fingerprint of the public key stored in C:\Users\username\.ssh2 on the server. This is the default location RSSW uses for a user's public keys and authorization file. Note that the 8.3 log prints the MD5 fingerprint in uppercase hexadecimal; it is the same value as the lowercase ssh-keygen output, so compare case-insensitively.

Public key fingerprints on the client side and as recorded by RSSW:

Client fingerprint:

2048 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83 Comment: "2048-bit RSA, username@HOSTNAME"

Fingerprint recorded in the RSSW version 8.2 debug log:

60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83

Fingerprints recorded in the RSSW version 8.3 debug log:

MD5:60:CB:C9:BD:73:95:1A:03:20:35:17:F9:FE:7C:C3:83
SHA1:0F:16:FE:83:11:89:24:82:2B:48:D7:DB:08:6F:79:E0:52:A5:13:88
SHA256:4E:4B:10:14:C4:39:2C:79:43:3B:37:24:EA:E9:16:85:E7:D4:67:BE:5A:CF:0D:BB:C8:7A:14:B3:BD:BD:B0:48

Fingerprint of the key in the user's .ssh2 folder on the server running RSSW:

c:\Users\username\.ssh2>ssh-keygen -l -f id_RSA_2048_HOSTNAME_a.pub
2048 fa:50:4e:c4:a6:78:21:35:60:87:de:fa:0a:c3:50:a5 Comment: "2048-bit RSA, exported by sethk@SEASETHK5520"
c:\Users\username\.ssh2>

RESULT: The fingerprints do not match (60:cb:... on the client versus fa:50:... on the server), so the key stored on the server is not the key the client is presenting.

4. Request a new copy of the client's public key file and add it to the server's .ssh2 folder, replacing the key currently there.

5. Display the public key fingerprint of the newly uploaded public key.

c:\Users\username\.ssh2>ssh-keygen -l -f id_RSA_2048_SEASETHK5520_a.pub
2048 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83 Comment: "2048-bit RSA, exported by username@HOSTNAME"

c:\Users\username\.ssh2>

RESULT: Now the fingerprint of the public key in c:\Users\username\.ssh2 matches the fingerprint of the key used by the client for public key authentication.

6. Be sure that the authorization file includes an entry that points to the new public key file; the file name in the entry must match the name of the uploaded .pub file exactly.
Example entry in the authorization file located in c:\Users\username\.ssh2:
key id_RSA_2048_HOSTNAME_a.pub
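As an added example (not from the article or from Micro Focus), the following Python script automates the comparison in steps 2 through 5: it pulls the fingerprint(s) out of an RSSW 8.2 or 8.3 debug log line, computes the MD5, SHA1 and SHA256 fingerprints of a public key file in either RFC 4716 (SSH2) or OpenSSH one-line format, and reports which ones differ. The key blob and the names in the sample are constructed, and the regular expressions assume the log wording shown above.

```python
import base64
import hashlib
import re

# Constructed sample key: an arbitrary blob (NOT a real RSA key) wrapped in the two public
# key file formats a Reflection client may export: RFC 4716 "SSH2" and OpenSSH one-line.
SAMPLE_BLOB = b"constructed sample blob, not a real key"
_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SSH2_KEY = ('---- BEGIN SSH2 PUBLIC KEY ----\nComment: "2048-bit RSA, username@HOSTNAME"\n'
            + _B64 + "\n---- END SSH2 PUBLIC KEY ----\n")
OPENSSH_KEY = "ssh-rsa " + _B64 + " username@HOSTNAME\n"

# RSSW 8.3 logs labelled MD5/SHA1/SHA256 fingerprints; 8.2 logs one unlabelled (MD5) fingerprint.
LABELLED_RE = re.compile(r"\b(MD5|SHA1|SHA256):((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})")
UNLABELLED_RE = re.compile(r"fingerprint: ((?:[0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2})")

def fingerprints_from_log(line):
    """Return {algorithm: lowercase colon-hex fingerprint} parsed from one RSSW log line."""
    found = {algo: fp.lower() for algo, fp in LABELLED_RE.findall(line)}
    if not found:
        m = UNLABELLED_RE.search(line)
        if m:
            found["MD5"] = m.group(1).lower()
    return found

def key_blob(text):
    """Decode the raw key blob from an RFC 4716 (SSH2) or OpenSSH public key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return base64.b64decode(lines[0].split()[1])  # OpenSSH: "<type> <base64> [comment]"
    body, continued = [], False
    for ln in lines[1:-1]:
        if continued or ":" in ln:        # header line (Comment:, Subject:) or its continuation
            continued = ln.endswith("\\")
            continue
        body.append(ln)
    return base64.b64decode("".join(body))

def fingerprints(blob):
    """Colon-separated hex fingerprints, as 'ssh-keygen -l' (hex format) and the RSSW log show."""
    algos = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
    return {name: ":".join(f"{b:02x}" for b in fn(blob).digest()) for name, fn in algos.items()}

def check_key(key_text, log_line):
    """Compare every fingerprint RSSW logged with the key file's; returns (ok, mismatched)."""
    logged, actual = fingerprints_from_log(log_line), fingerprints(key_blob(key_text))
    bad = [algo for algo, fp in logged.items() if actual[algo] != fp]
    return bool(logged) and not bad, bad
```

Run check_key against the .pub file in the user's .ssh2 folder and the logged line; an empty mismatch list with ok set to True corresponds to the RESULT of step 5.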

Cause

The "public key refused" failure occurs when the server cannot find a public key, among those configured for the user in the authorization file, that matches the public key presented by the client. This can happen when a client generates a new key with the same name as the old key but the old copy on the server is not replaced, or when the key on the server has been removed.