topic AWS keypair failing authentication to PA-VM in VM-Series in the Public Cloud https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-keypair-failing-authentication-to-pa-vm/m-p/516934#M1684 <P>AWS ssh publickey failing while connecting to PA-VM, falls back to password authentication which obviously fails. I suspect some of this behavior is due to macos and openssh deprecating ssh-rsa, PAN-OS 9.1.14 offers ssh-rsa which is rejected by default, -oHostKeyAlgorthms=+ssh-rsa will avoid this issue. Also tried -oPubkeyAcceptedKeyTypes=+ssh-rsa, no difference. Currently using ED25519 keypair instead to see if that makes a difference, it doesn't. Receiving packet type 51 (SSH_MSG_USERAUTH_FAILURE) in response to publickey authentication.</P> <P>&nbsp;</P> <P>permissions on AWSKey.pem 400</P> <P>&nbsp;</P> <P>So what gives? Why can't I connect via ssh publickey to AWS PA-VM?</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">debug1: get_agent_identities: bound agent to hostkey </FONT><BR /><FONT face="courier new,courier">debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities </FONT><BR /><FONT face="courier new,courier">debug1: Will attempt key: AWSKey.pem ED25519 SHA256:Fb+eyKkBDlwHGAOd4/rw9SRAbkgHk explicit </FONT><BR /><FONT face="courier new,courier">debug2: pubkey_prepare: done </FONT><BR /><FONT face="courier new,courier">debug3: send packet: type 5 </FONT><BR /><FONT face="courier new,courier">debug3: receive packet: type 6 </FONT><BR /><FONT face="courier new,courier">debug2: service_accept: ssh-userauth </FONT><BR /><FONT face="courier new,courier">debug1: SSH2_MSG_SERVICE_ACCEPT received </FONT><BR /><FONT face="courier new,courier">debug3: send packet: type 50 </FONT><BR /><FONT face="courier new,courier">debug3: <STRONG>receive packet: type 51 </STRONG></FONT><BR /><FONT face="courier new,courier">debug1: Authentications that can continue: publickey,password,keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug3: start over, passed a different list publickey,password,keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password </FONT><BR /><FONT face="courier new,courier">debug3: authmethod_lookup publickey </FONT><BR /><FONT face="courier new,courier">debug3: remaining preferred: keyboard-interactive,password </FONT><BR /><FONT face="courier new,courier">debug3: authmethod_is_enabled publickey </FONT><BR /><FONT face="courier new,courier">debug1: Next authentication method: publickey </FONT><BR /><FONT face="courier new,courier">debug1: Offering public key: AWSKey.pem ED25519 SHA256:Fb+eyKkBDlwHGAOd4/rw9SRAbcHk explicit </FONT><BR /><FONT face="courier new,courier">debug3: send packet: type 50 </FONT><BR /><FONT face="courier new,courier">debug2: we sent a publickey packet, wait for reply </FONT><BR /><FONT face="courier new,courier">debug3: <STRONG>receive packet: type 51 </STRONG></FONT><BR /><FONT face="courier new,courier">debug1: Authentications that can continue: publickey,password,keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug2: we did not send a packet, disable method </FONT><BR /><FONT face="courier new,courier">debug3: authmethod_lookup keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug3: remaining preferred: password</FONT></P> Thu, 06 Oct 2022 00:06:16 GMT SteveBrown808 2022-10-06T00:06:16Z AWS keypair failing authentication to PA-VM https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-keypair-failing-authentication-to-pa-vm/m-p/516934#M1684 <P>AWS ssh publickey failing while connecting to PA-VM, falls back to password authentication which obviously fails. I suspect some of this behavior is due to macos and openssh deprecating ssh-rsa, PAN-OS 9.1.14 offers ssh-rsa which is rejected by default, -oHostKeyAlgorthms=+ssh-rsa will avoid this issue. Also tried -oPubkeyAcceptedKeyTypes=+ssh-rsa, no difference. Currently using ED25519 keypair instead to see if that makes a difference, it doesn't. Receiving packet type 51 (SSH_MSG_USERAUTH_FAILURE) in response to publickey authentication.</P> <P>&nbsp;</P> <P>permissions on AWSKey.pem 400</P> <P>&nbsp;</P> <P>So what gives? Why can't I connect via ssh publickey to AWS PA-VM?</P> <P>&nbsp;</P> <P><FONT face="courier new,courier">debug1: get_agent_identities: bound agent to hostkey </FONT><BR /><FONT face="courier new,courier">debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities </FONT><BR /><FONT face="courier new,courier">debug1: Will attempt key: AWSKey.pem ED25519 SHA256:Fb+eyKkBDlwHGAOd4/rw9SRAbkgHk explicit </FONT><BR /><FONT face="courier new,courier">debug2: pubkey_prepare: done </FONT><BR /><FONT face="courier new,courier">debug3: send packet: type 5 </FONT><BR /><FONT face="courier new,courier">debug3: receive packet: type 6 </FONT><BR /><FONT face="courier new,courier">debug2: service_accept: ssh-userauth </FONT><BR /><FONT face="courier new,courier">debug1: SSH2_MSG_SERVICE_ACCEPT received </FONT><BR /><FONT face="courier new,courier">debug3: send packet: type 50 </FONT><BR /><FONT face="courier new,courier">debug3: <STRONG>receive packet: type 51 </STRONG></FONT><BR /><FONT face="courier new,courier">debug1: Authentications that can continue: publickey,password,keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug3: start over, passed a different list publickey,password,keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password </FONT><BR /><FONT face="courier new,courier">debug3: authmethod_lookup publickey </FONT><BR /><FONT face="courier new,courier">debug3: remaining preferred: keyboard-interactive,password </FONT><BR /><FONT face="courier new,courier">debug3: authmethod_is_enabled publickey </FONT><BR /><FONT face="courier new,courier">debug1: Next authentication method: publickey </FONT><BR /><FONT face="courier new,courier">debug1: Offering public key: AWSKey.pem ED25519 SHA256:Fb+eyKkBDlwHGAOd4/rw9SRAbcHk explicit </FONT><BR /><FONT face="courier new,courier">debug3: send packet: type 50 </FONT><BR /><FONT face="courier new,courier">debug2: we sent a publickey packet, wait for reply </FONT><BR /><FONT face="courier new,courier">debug3: <STRONG>receive packet: type 51 </STRONG></FONT><BR /><FONT face="courier new,courier">debug1: Authentications that can continue: publickey,password,keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug2: we did not send a packet, disable method </FONT><BR /><FONT face="courier new,courier">debug3: authmethod_lookup keyboard-interactive </FONT><BR /><FONT face="courier new,courier">debug3: remaining preferred: password</FONT></P> Thu, 06 Oct 2022 00:06:16 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-keypair-failing-authentication-to-pa-vm/m-p/516934#M1684 SteveBrown808 2022-10-06T00:06:16Z