Environment
Reflection for Secure IT Server for Windows
Situation
An ssh, sftp or scp client fails to authenticate to the Reflection for Secure IT Server for Windows (RSSW) using public key authentication. The RSSW protocol details debug log reports:
"the public key could not be found among the public keys configured for this user or group in RSSHD settings (%D\.ssh2\authorization); public key refused."
RSSW version 8.2 protocol details debug log displays something similar to the following:
000000001348 2020-02-14 18:16:30.468 6408 DOMAIN\username:[Info][30304] WindowsServerAuthenticator.cpp:WindowsServerAuthenticator::IsSshKeyTrusted(1957) Logon attempt 1 for user name 'username' with logon method 'publickey' (algorithm: 'ssh-rsa', public key fingerprint: 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83, test only): the public key could not be found among the public keys configured for this user or group in RSSHD settings (%D\.ssh2\authorization); public key refused.
RSSW version 8.3 protocol details debug log displays something similar to the following:
Important Note: RSSW version 8.3 prints public key fingerprints in one of three display formats: Base64 (the default), BubbleBabble, and Hexadecimal. Set the format to Hexadecimal to obtain output like the following.
000001328008 2020-02-14 18:31:46.292 4804 DOMAIN\username[Trace][40252] windowsserverauthenticator.cpp:WindowsServerAuthenticator::IsSshKeyTrusted(1944) Reading authorization file: "C:\Users\username\.ssh2\authorization". Found public keys from user's settings:
000001328009 2020-02-14 18:31:46.292 4804 DOMAIN\username:[Info][30304] windowsserverauthenticator.cpp:WindowsServerAuthenticator::IsSshKeyTrusted(1973) Logon attempt 7 for user name 'username' from '10.8.2.115' with logon method 'publickey' (algorithm: 'ssh-rsa', public key fingerprints: MD5:60:CB:C9:BD:73:95:1A:03:20:35:17:F9:FE:7C:C3:83 SHA1:0F:16:FE:83:11:89:24:82:2B:48:D7:DB:08:6F:79:E0:52:A5:13:88 SHA256:4E:4B:10:14:C4:39:2C:79:43:3B:37:24:EA:E9:16:85:E7:D4:67:BE:5A:CF:0D:BB:C8:7A:14:B3:BD:BD:B0:48, test only): the public key could not be found among the public keys configured for this user or group in RSSHD settings (%D\.ssh2\authorization); public key refused.
Resolution
1. Locate the key id_RSA_2048_HOSTNAME_a.pub on the client machine. Typically the keys will be in the user's .ssh directory.
For example: C:\Users\username\Documents\Micro Focus\Reflection\.ssh
2. Use ssh-keygen to confirm the key on the client is the same as the key on the server. Execute the following command to extract the fingerprint of the key file.
C:\Users\username\Documents\Micro Focus\Reflection\.ssh>ssh-keygen -l -f id_RSA_2048_HOSTNAME_a.pub
2048 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83 Comment: "2048-bit RSA, username@HOSTNAME"
3. Compare the fingerprint of the public key on the client (which is also the fingerprint recorded in the server log) with the fingerprint of the public key stored in C:\Users\username\.ssh2. This is the default location the RSSW uses to store public keys and the authorization file.
Public key fingerprints on the client side and as recorded by RSSW:
Client fingerprint:
2048 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83 Comment: "2048-bit RSA, username@HOSTNAME"
Fingerprint recorded in the RSSW version 8.2 debug log:
60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83
Fingerprints recorded in the RSSW version 8.3 debug log:
MD5:60:CB:C9:BD:73:95:1A:03:20:35:17:F9:FE:7C:C3:83
SHA1:0F:16:FE:83:11:89:24:82:2B:48:D7:DB:08:6F:79:E0:52:A5:13:88
SHA256:4E:4B:10:14:C4:39:2C:79:43:3B:37:24:EA:E9:16:85:E7:D4:67:BE:5A:CF:0D:BB:C8:7A:14:B3:BD:BD:B0:48
Fingerprint of the key in the user's .ssh2 folder on the server running the RSSW:
c:\Users\username\.ssh2>ssh-keygen -l -f id_RSA_2048_HOSTNAME_a.pub
2048 fa:50:4e:c4:a6:78:21:35:60:87:de:fa:0a:c3:50:a5 Comment: "2048-bit RSA, exported by sethk@SEASETHK5520"
c:\Users\username\.ssh2>
RESULT: The fingerprints do not match.
4. Request a new copy of client's public key file. Add/replace the one currently on the server.
5. Display the public key fingerprint of the newly uploaded public key.
c:\Users\username\.ssh2>ssh-keygen -l -f id_RSA_2048_SEASETHK5520_a.pub
2048 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83 Comment: "2048-bit RSA, exported by username@HOSTNAME"
c:\Users\username\.ssh2>
RESULT: Now the fingerprint of the public key in c:\Users\username\.ssh2 matches the fingerprint of the key used by the client for public key authentication.
6. Be sure that the authorization file includes an entry that points to the new public key file.
Example entry in the "authorization" file located in c:\Users\username\.ssh2:
key id_RSA_2048_HOSTNAME_a.pub
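Steps 2 to 5 compare fingerprints by eye. The following script is an added example, not code from the article or from Reflection: it reads a .pub file (RFC 4716 layout, as found in the user's .ssh2 folder, or an OpenSSH one-liner), recomputes the hexadecimal MD5/SHA1/SHA256 fingerprints that the RSSW 8.3 log prints (or the single MD5 fingerprint the 8.2 log prints) and reports whether the file matches a given log line. The log fragments are quoted from this article; the sample key is a constructed throwaway, not a real key.

```python
# Added example, not the product's code: check a .pub file against the fingerprints RSSW logs.
import base64
import hashlib
import re

# Fingerprint fragments quoted from the article's RSSW 8.2 and 8.3 log lines.
LOG_82 = "public key fingerprint: 60:cb:c9:bd:73:95:1a:03:20:35:17:f9:fe:7c:c3:83, test only"
LOG_83 = ("public key fingerprints: MD5:60:CB:C9:BD:73:95:1A:03:20:35:17:F9:FE:7C:C3:83 "
          "SHA1:0F:16:FE:83:11:89:24:82:2B:48:D7:DB:08:6F:79:E0:52:A5:13:88 SHA256:4E:4B:10:14:"
          "C4:39:2C:79:43:3B:37:24:EA:E9:16:85:E7:D4:67:BE:5A:CF:0D:BB:C8:7A:14:B3:BD:BD:B0:48")
LABELLED = re.compile(r"\b(MD5|SHA1|SHA256):((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})")  # 8.3 layout
BARE_MD5 = re.compile(r"fingerprint: ((?:[0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2})")       # 8.2 layout

def parse_log_fingerprints(line):
    """Fingerprints a log line reports, upper-cased, e.g. {"MD5": "60:CB:...", "SHA1": ...}."""
    labelled = {name: fp.upper() for name, fp in LABELLED.findall(line)}
    return labelled or {"MD5": m.group(1).upper() for m in BARE_MD5.finditer(line)}

def load_public_key_blob(text):
    """Raw key blob from RFC 4716 text (the .pub layout in the .ssh2 folder) or an OpenSSH one-liner."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return base64.b64decode(lines[0].split()[1])  # "ssh-rsa AAAA... comment"
    # Body sits between the BEGIN/END markers; header lines (Comment:, Subject:) carry a colon.
    return base64.b64decode("".join(ln for ln in lines[1:-1] if ":" not in ln))

def fingerprints(blob):
    """Colon-separated hex digests in the order RSSW 8.3 prints them."""
    return {name: ":".join(f"{b:02X}" for b in hashlib.new(name.lower(), blob).digest())
            for name in ("MD5", "SHA1", "SHA256")}

def key_matches_log(key_text, log_line):
    """True only if every fingerprint the log line reports equals the key file's."""
    have, seen = fingerprints(load_public_key_blob(key_text)), parse_log_fingerprints(log_line)
    return bool(seen) and all(have[name] == fp for name, fp in seen.items())

def ssh_rsa_blob(e, n):
    """Wire-format ssh-rsa public key (RFC 4253): string "ssh-rsa", mpint e, mpint n."""
    def mpint(i):  # minimal big-endian bytes, one extra zero byte when the sign bit would be set
        b = i.to_bytes((i.bit_length() + 8) // 8, "big")
        return len(b).to_bytes(4, "big") + b
    return b"\x00\x00\x00\x07ssh-rsa" + mpint(e) + mpint(n)

def rfc4716_text(blob, comment):  # lay a blob out like a .pub file in the user's .ssh2 folder
    body = base64.b64encode(blob).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f'---- BEGIN SSH2 PUBLIC KEY ----\nComment: "{comment}"\n{wrapped}\n---- END SSH2 PUBLIC KEY ----\n'
# Constructed sample, not a real key: a throwaway modulus just to exercise the comparison.
SAMPLE_KEY = rfc4716_text(ssh_rsa_blob(65537, (1 << 2047) + 12345), "constructed test key")
```

Run key_matches_log(open(path).read(), log_line) against the server's copy of the .pub file and the "public key refused" line; a False result is the mismatch the Resolution steps describe.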
Cause
The "public key refused" message is logged when the server cannot find, among the public keys configured for the user, one that matches the public key presented by the client. This can happen when a client generates a new key with the same file name as the old key but the copy on the server is not replaced. It can also happen if the key file on the server has been removed.