SSH Passwordless Authentication

Hi All,

I have installed Ansible and created new users for the controller and remote hosts. I have set up the steps below but am getting an error. Can anyone suggest?

  1. Entered user using visudo, for both controller and client.

kt-ansible ALL=(ALL) NOPASSWD: ALL

  2. Changed permit root login to yes and password auth to yes in sshd_config on remote host & restarted sshd service.

Getting an error like below while trying to connect the host using ssh,

ssh kt-ansible@

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Is any other change required in the sshd_config file on the remote host? Additionally, I tried setting PermitRootLogin to yes and PasswordAuthentication to yes, but still no luck.
All “gss” options in the remote sshd_config files have been commented out.

Please suggest, many thanks.

Hi,

If you’d like to use a password to authenticate on your remote hosts, then you have to tell Ansible to use it, either by being prompted for, or through a variable, for instance: ansible -i <myInventory> <targetRemoteHost> -m ping -e 'myPass=XXXX'. myPass being a var defined wherever you want.

That being said, authenticating with a keypair is the preferred way in most cases, in which case Ansible could simply use your existing control node (the node you’re running your ansible tasks from) ssh client configuration, or you can pass it to Ansible in many other ways, for instance: Ansible Configuration Settings — Ansible Documentation.

More info here: Connection methods and details — Ansible Community Documentation.

On a side note, sudo doesn’t have anything to do with ssh; what you did in your sudoers config is allow kt-ansible user to run any command as any user (default to root) on this machine, without having to be prompted for a password. You still have to open a shell to run commands.

Hope it helps.

1 Like

Thanks for your response. Even though I modified the sshd_config file on the remote host, I am still unable to connect to the server using a password. At least, the EC2 instance should show the option to enter a password when I SSH to the IP address using the kt-ansible user. What I am trying to understand here is whether something has to be changed on the EC2 instance?

Using a keypair is a good idea, but how will I move the public & private keys from the control node to the host unless I get a password prompt the first time? It shows the error below.

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Right. Could you run this command on your EC2 instance: grep -Eiv '^(\s+)?#' /etc/ssh/sshd_config | awk NF ?

That is, if you still have access. I’m wondering how you are editing /etc/ssh/sshd_config on your EC2 instance as of now; Or are you locked outside ?

And these ones on your ssh client / Ansible control node:

  • ssh -vvv kt-ansible@<yourEC2InstanceHostNameOrIPAddr>
  • ssh -G kt-ansible@<yourEC2InstanceHostNameOrIPAddr>

And then paste outputs here ?

Using keypair is a good idea but how will I move the public & private keys from control node to the host unless I get a password prompt for the first time ?

Well, there are a few options, though not all practical. I wouldn’t advise to solve your issue this way, but it might help:

Also I haven’t asked, but are you trying to connect through a bastion / jumpbox ?

[kt-ansible@sandbox ~]$ ssh -G kt-ansible@13.233.60.92
user kt-ansible
hostname 13.233.60.92
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
checkhostip no
compression no
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 no
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapikeyexchange no
gssapidelegatecredentials no
gssapitrustdns no
gssapirenewalforcesrekey no
gssapikexalgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
hashknownhosts no
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
sessiontype default
stdinnull no
forkafterauthentication no
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys true
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
requiredrsasize 2048
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
casignaturealgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
loglevel INFO
macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
securitykeyprovider internal
pubkeyacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_dsa
identityfile ~/.ssh/id_ecdsa
identityfile ~/.ssh/id_ecdsa_sk
identityfile ~/.ssh/id_ed25519
identityfile ~/.ssh/id_ed25519_sk
identityfile ~/.ssh/id_xmss
canonicaldomains none
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile /home/kt-ansible/.ssh/known_hosts /home/kt-ansible/.ssh/known_hosts2
logverbose none
permitremoteopen any
addkeystoagent false
forwardagent no
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos af21 cs1
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER
[root@client-1 ~]# grep -Eiv '^(\s+)?#' /etc/ssh/sshd_config | awk NF ?
awk: fatal: cannot open file `?' for reading: No such file or directory
[root@client-1 ~]# grep -Eiv '^(\s+)?#' /etc/ssh/sshd_config | awk NF
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
PasswordAuthentication yes
[kt-ansible@sandbox ~]$ ssh -vvv kt-ansible@13.233.60.92
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 13.233.60.92 originally 13.233.60.92
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 13.233.60.92 is address
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host 13.233.60.92 originally 13.233.60.92
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/kt-ansible/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/kt-ansible/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 13.233.60.92 [13.233.60.92] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /home/kt-ansible/.ssh/id_rsa type -1
debug1: identity file /home/kt-ansible/.ssh/id_rsa-cert type -1
debug1: identity file /home/kt-ansible/.ssh/id_dsa type -1
debug1: identity file /home/kt-ansible/.ssh/id_dsa-cert type -1
debug1: identity file /home/kt-ansible/.ssh/id_ecdsa type -1
debug1: identity file /home/kt-ansible/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/kt-ansible/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/kt-ansible/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/kt-ansible/.ssh/id_ed25519 type -1
debug1: identity file /home/kt-ansible/.ssh/id_ed25519-cert type -1
debug1: identity file /home/kt-ansible/.ssh/id_ed25519_sk type -1
debug1: identity file /home/kt-ansible/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/kt-ansible/.ssh/id_xmss type -1
debug1: identity file /home/kt-ansible/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: compat_banner: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 13.233.60.92:22 as 'kt-ansible'
debug1: load_hostkeys: fopen /home/kt-ansible/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/kt-ansible/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:kyvFPtVnkSiD1XRnRHfkPZXFfDkK/opRXKJ58JXbIlg
debug1: load_hostkeys: fopen /home/kt-ansible/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/kt-ansible/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: hostkeys_find_by_key_hostfile: trying user hostfile "/home/kt-ansible/.ssh/known_hosts"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /home/kt-ansible/.ssh/known_hosts does not exist
debug3: hostkeys_find_by_key_hostfile: trying user hostfile "/home/kt-ansible/.ssh/known_hosts2"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /home/kt-ansible/.ssh/known_hosts2 does not exist
debug3: hostkeys_find_by_key_hostfile: trying system hostfile "/etc/ssh/ssh_known_hosts"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts does not exist
debug3: hostkeys_find_by_key_hostfile: trying system hostfile "/etc/ssh/ssh_known_hosts2"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts2 does not exist
The authenticity of host '13.233.60.92 (13.233.60.92)' can't be established.
ED25519 key fingerprint is SHA256:kyvFPtVnkSiD1XRnRHfkPZXFfDkK/opRXKJ58JXbIlg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
debug1: SELinux support enabled
Warning: Permanently added '13.233.60.92' (ED25519) to the list of known hosts.
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/kt-ansible/.ssh/id_rsa
debug1: Will attempt key: /home/kt-ansible/.ssh/id_dsa
debug1: Will attempt key: /home/kt-ansible/.ssh/id_ecdsa
debug1: Will attempt key: /home/kt-ansible/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/kt-ansible/.ssh/id_ed25519
debug1: Will attempt key: /home/kt-ansible/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/kt-ansible/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)


debug1: No credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available (default cache: KCM:)


debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/kt-ansible/.ssh/id_rsa
debug3: no such identity: /home/kt-ansible/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/kt-ansible/.ssh/id_dsa
debug3: no such identity: /home/kt-ansible/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/kt-ansible/.ssh/id_ecdsa
debug3: no such identity: /home/kt-ansible/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/kt-ansible/.ssh/id_ecdsa_sk
debug3: no such identity: /home/kt-ansible/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/kt-ansible/.ssh/id_ed25519
debug3: no such identity: /home/kt-ansible/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/kt-ansible/.ssh/id_ed25519_sk
debug3: no such identity: /home/kt-ansible/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/kt-ansible/.ssh/id_xmss
debug3: no such identity: /home/kt-ansible/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
kt-ansible@13.233.60.92: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

I am editing the sshd_config file with root user. I am connecting the sandbox to the client-1 instances through ssh, no jump box or bastion involved here.

FYI you can print the existing config using sshd -T and if you have a recent version of jc installed convert this into YAML:

sshd -T | jc --sshd-conf -py

Perhaps this might help track down the config that needs changing?

Also do you have any files in this directory?

What is jc? At least in RHEL it shows it’s not available to install.

[root@sandbox ~]# yum install -y jc
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Enterprise Linux 9 for x86_64 - AppStream from RHUI (RPMs)                          54 kB/s | 4.5 kB     00:00
Red Hat Enterprise Linux 9 for x86_64 - BaseOS from RHUI (RPMs)                             70 kB/s | 4.1 kB     00:00
Red Hat Enterprise Linux 9 Client Configuration                                             29 kB/s | 1.5 kB     00:00
No match for argument: jc
Error: Unable to find a match: jc
[root@client-1 ~]# ls -l /etc/ssh/sshd_config.d/*.conf
-rw-------. 1 root root  26 May 10 14:07 /etc/ssh/sshd_config.d/50-cloud-init.conf
-rw-------. 1 root root 719 Jul 20  2023 /etc/ssh/sshd_config.d/50-redhat.conf

Perhaps the config in the /etc/ssh/sshd_config.d/*.conf files is the cause of the problem?

There are jc RPMs available from GitHub, or you can install it using pip or pipx.

1 Like
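
The drop-in question above can be checked mechanically: sshd keeps the first value it reads for each keyword, and the Include at the top of the posted sshd_config is expanded before the PasswordAuthentication yes lines further down. The script below is an added example, not code from the thread; the function names, the ROOT prefix and the contents of the two drop-in files are assumptions (the thread never shows what those files hold).

```shell
#!/bin/sh
# Added example (not from the thread). sshd keeps the FIRST value it reads for
# each keyword, and "Include" is expanded in place, so a drop-in pulled in at
# the top of sshd_config beats later lines in sshd_config itself.

# flatten_sshd_config FILE [ROOT]
# Print "file:line: keyword args" for each global directive, in read order.
# ROOT is a hypothetical prefix so the demo can run on a constructed tree.
# Simplifications: "keyword=value" syntax and Match-block contents are skipped.
flatten_sshd_config() (
    file=$1 root=${2:-} n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f        # split on whitespace, no globbing
        if [ $# -eq 0 ]; then continue; fi
        case $1 in '#'*) continue ;; esac
        kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        case $kw in
            match) break ;;                 # global section of this file ends
            include)
                for pat in "$@"; do
                    # relative Include paths are taken from /etc/ssh
                    case $pat in /*) ;; *) pat=/etc/ssh/$pat ;; esac
                    for inc in $root$pat; do    # glob expands in lexical order
                        if [ -f "$inc" ]; then flatten_sshd_config "$inc" "$root"; fi
                    done
                done ;;
            *) printf '%s:%s: %s %s\n' "$file" "$n" "$kw" "$*" ;;
        esac
    done < "$file"
    return 0
)

# first_sshd_value KEYWORD FILE [ROOT]
# Print the first (winning) occurrence of KEYWORD and the file it came from.
first_sshd_value() {
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    flatten_sshd_config "$2" "${3:-}" | awk -v kw="$kw" '$2 == kw { print; exit }'
}

# build_demo_tree: constructed sample tree. sshd_config mirrors the grep output
# posted in the thread; the drop-in contents are ASSUMED, not taken from it.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/ssh/sshd_config.d"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        'PermitRootLogin yes' \
        'PasswordAuthentication yes' \
        'Subsystem sftp /usr/libexec/openssh/sftp-server' \
        'PasswordAuthentication yes' > "$root/etc/ssh/sshd_config"
    echo 'PasswordAuthentication no' > "$root/etc/ssh/sshd_config.d/50-cloud-init.conf"
    echo 'GSSAPIAuthentication yes' > "$root/etc/ssh/sshd_config.d/50-redhat.conf"
    echo "$root"
}

# Demo run on the constructed tree: the drop-in wins over both "yes" lines.
demo=$(build_demo_tree)
first_sshd_value PasswordAuthentication "$demo/etc/ssh/sshd_config" "$demo"
rm -rf "$demo"
```

On a real host, run `first_sshd_value PasswordAuthentication /etc/ssh/sshd_config` as root; `sshd -T` prints the same effective value but not the file it came from.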

Server supports password authentication:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password

And your client as well:

passwordauthentication yes

I’m thinking there might be a specific config somewhere that would disable password auth during connection, like a match block for this host specifically, or else.

I suggest you look for this directive recursively in /etc/ssh/ on your client: PasswordAuthentication no. I see from ssh -vvv output there is a “/etc/ssh/ssh_config.d/50-redhat.conf” config file there; you might find something weird in there. For instance: grep --color=none -rEi 'PasswordAuthentication(\s+)no' /etc/ssh/ 2>/dev/null | grep -Ev ':(\s+)?#'

Other things to try; force password auth use on ssh command: ssh kt-ansible@<yourEC2InstanceHostNameOrIPAddr> -o PreferredAuthentications=password, see if you’re then prompted for a password.

Also check sshd logs on your remote host, though I doubt you’ll find something useful: journalctl -u ssh (or sshd, depending on your distro flavor).

2 Likes

I have resolved this by manually copying the public key to the remote hosts.

Many Thanks,
Piyush N

1 Like