Ubuntu Version:

Desktop Environment (if applicable):

Problem Description:

I have installed Ubuntu 24.04 on Raspberry Pi 4 Model b with the file ubuntu-24.04.2-preinstalled-server-arm64+raspi.img.xz

I used preinstalled version because with normal version I had no ethernet network. Now with the preinstalled version I have network but unable to login remotely with SSH.

Relevant System Information:

The board is a Raspberry Pi 4 Model B. 4 GB RAM. 64 GB SD Card, Class 10.

Screenshots or Error Messages:

The verbose output of ssh -v is given below.

gaurab@PiNCPSVPN:~/.ssh$ ssh -v gaurab@192.168.1.170
OpenSSH_8.9p1 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/gaurab/.ssh/config
debug1: /home/gaurab/.ssh/config line 1: Applying options for 192.168.1.170
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 192.168.1.170 [192.168.1.170] port 22.
debug1: Connection established.
debug1: identity file /home/gaurab/.ssh/id_rsa type 0
debug1: identity file /home/gaurab/.ssh/id_rsa-cert type -1
debug1: identity file /home/gaurab/.ssh/id_ecdsa type -1
debug1: identity file /home/gaurab/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/gaurab/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/gaurab/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/gaurab/.ssh/id_ed25519 type -1
debug1: identity file /home/gaurab/.ssh/id_ed25519-cert type -1
debug1: identity file /home/gaurab/.ssh/id_ed25519_sk type -1
debug1: identity file /home/gaurab/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/gaurab/.ssh/id_xmss type -1
debug1: identity file /home/gaurab/.ssh/id_xmss-cert type -1
debug1: identity file /home/gaurab/.ssh/id_dsa type -1
debug1: identity file /home/gaurab/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.13 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.170:22 as 'gaurab'
debug1: load_hostkeys: fopen /home/gaurab/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/gaurab/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:nhHwSdkEdeoJF0UY6Vx1xNvY/ppkCRodlROPPEX052U
debug1: load_hostkeys: fopen /home/gaurab/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /home/gaurab/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: hostkeys_find_by_key_hostfile: hostkeys file /home/gaurab/.ssh/known_hosts does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /home/gaurab/.ssh/known_hosts2 does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts2 does not exist
The authenticity of host '192.168.1.170 (192.168.1.170)' can't be established.
ED25519 key fingerprint is SHA256:nhHwSdkEdeoJF0UY6Vx1xNvY/ppkCRodlROPPEX052U.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.170' (ED25519) to the list of known hosts.
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: /home/gaurab/.ssh/id_rsa RSA SHA256:rIc2rkD4ZJvVCfJ8K7trJBTtndfMAEQZs7j1uU3magM agent
debug1: Will attempt key: /home/gaurab/.ssh/id_ecdsa 
debug1: Will attempt key: /home/gaurab/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/gaurab/.ssh/id_ed25519 
debug1: Will attempt key: /home/gaurab/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/gaurab/.ssh/id_xmss 
debug1: Will attempt key: /home/gaurab/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/gaurab/.ssh/id_rsa RSA SHA256:rIc2rkD4ZJvVCfJ8K7trJBTtndfMAEQZs7j1uU3magM agent
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/gaurab/.ssh/id_ecdsa
debug1: Trying private key: /home/gaurab/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/gaurab/.ssh/id_ed25519
debug1: Trying private key: /home/gaurab/.ssh/id_ed25519_sk
debug1: Trying private key: /home/gaurab/.ssh/id_xmss
debug1: Trying private key: /home/gaurab/.ssh/id_dsa
debug1: No more authentication methods to try.
gaurab@192.168.1.170: Permission denied (publickey).

What I’ve Tried:

I have manually created the ~/.ssh folder and generated the id_rsa and id_rsa.pub files and copied the content of the public key file to authorized_file and have set appropriate permissions, but I’m unable to login. I suspect some configuration files are missing. I have deleted all files I have created because none of them worked.

Now I am looking for advise on possible solution.

Have you seen https://documentation.ubuntu.com/server/how-to/security/openssh-server/index.html

It is not clear whether you were ready to ssh into the pi. There are some preparations you need to make before trying to ssh.

With ssh, there is always a client / server relationship between 2 hosts. The server is the machine you are trying to ssh into, & the client is the host that is requesting that access. It sounds like your Xubuntu is the client & the pi is the server here…

If you are using key based authentication, you need to create a key pair on the client machine always. Then you need to send the public key to the server. The guide above gives you the commands how to create the key pair on the client and also the command to send the public key to the server. If you use those commands, it will also ensure that the correct files and directories are created and with the correct permissions. You should not need to hack the known_hosts or authorized_keys files.

On the server side, there is /etc/ssh/sshd_config
Here you can configure how you want that server to authenticate with other hosts. I like key based auth only. You can turn on or off password based auth. You can enable or disable ssh root login. My preference is no password auth, key auth only, & no root login.

I’ll stop here for now…

Oh by the way, if you do customize sshd_config on the pi server, you will then need to restart the ssh service.

sudo systemctl restart ssh

Hello,

I am not sure what I am doing. I know so little that I am ashamed. The following is what I did.

On the Ubuntu Server installed on Raspberry Pi 4 I generated 2 pair of keys. RSA and ED25519 under ~/.ssh folder.

ssh-keygen -lf ~/.ssh/id_ed25519
256 SHA256:ANHJJME2lndB183FuhOSW/tpNmuHFc2fb2xeXopBy7c gaurab@PiNCPSVPN (ED25519)

ssh-keygen -lf ~/.ssh/id_rsa
4096 SHA256:qGRJiie2JAIgiFXwi4K5Y6WN0OehCIeW0a6XYzz/e0w gaurab@192.168.1.170 (RSA)

While attempting to copy public RSA key to authorized_keys file I get the following error.

ssh-copy-id -i ~/.ssh/id_rsa.pub gaurab@PiNCPSVPN
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: “/home/gaurab/.ssh/id_rsa.pub”
The authenticity of host ‘pincpsvpn (192.168.1.170)’ can’t be established.
ED25519 key fingerprint is SHA256:cOyunXUWTWr28du8C2gXrsx2d+hpml9cRKvbm46UAQo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed – if you are prompted now it is to install the new keys
gaurab@pincpsvpn: Permission denied (publickey).

One Known_hosts file is created under ~./ssh

cat known_hosts
|1|PkKKRpABeFhp3yoxS28opOOWzRI=|LL1HCZJk/SvqvuRKBBy9Nvf+ki0= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBl11Grn1u7uJfE9n6qrUKNH0l2yrhYe1ig4oLedIaCo

On Windows 11 client computer when I try to SSH to gaurab@192.168.1.170 the following happens. PiNCPSVPN=192.168.1.170

ssh gaurab@PiNCPSVPN
The authenticity of host ‘pincpsvpn (fe80::da3a:ddff:fec0:73df%13)’ can’t be established.
ED25519 key fingerprint is SHA256:cOyunXUWTWr28du8C2gXrsx2d+hpml9cRKvbm46UAQo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘pincpsvpn’ (ED25519) to the list of known hosts.
gaurab@pincpsvpn: Permission denied (publickey).

Here too a known_hosts file is created. The content of the file is as below.
pincpsvpn ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBl11Grn1u7uJfE9n6qrUKNH0l2yrhYe1ig4oLedIaCo

I can give more informartion if required. Please let me know what should I do to fix the issue?

Thank you.

I can write you more tonight when I am not looking at a 3” x 6” screen.

In the meantime, answer a few questions:

• Describe your clients in more detail, including OS & hardware. Are your clients on a single computer. If a single computer, do you have a dual boot for Xubuntu & Windows, or are you using running one of them in a virtual machine?

• Do you have any other SSH configurations set up here that do work with other hosts?

• Have you edited any ssh configuration files on any of the hosts?

• Do you have a “config” file that you created & added inside the ~/.ssh directory on any of the linux hosts?

• Do you have access to all 3 hosts command line without SSH

This information anticipates that you wish to ssh into your pi4 server using ssh keys.

Let’s focus on getting your Xubuntu desktop (client) able to ssh into your pi4 server. Forget Windows for now, Windows is not my specialty. I hear there is Putty that can be used on Windows for this, or you can ssh from the Windows command line, or from the Windows subsystem for Linux. Again, let’s forget Windows for a minute…

These steps will establish key-based authentication between Xubuntu (client), and pi4 (server).

CAUTION - Read this paragraph but don’t do yet until you have fully read through this post and understand:

If you have absolutely no successful ssh connections established right now between your Xubuntu & pi, or between either of these hosts and any other host on your network, and if there are no custom “config” file(s) that you created and placed in the ~/.ssh folder, you can easily start over by removing your broken known_hosts & authorized_keys files on both hosts, they will be recreated, and with correct permissions in our steps below.

Knowledge

Understand what is stored in the typical ~/.ssh directory on any given host (computer or VM). Be aware that you may not see all of these in the ~/.ssh directory on every machine so don’t panic. The following are what is stored in this directory.

~/.ssh/authorized_keys (found on ssh servers - contains the public keys sent to it from clients)
~/.ssh/config (some users create this - you likely don’t need for now - primarily for simplifying ssh commands - can teach you this later)
~/.ssh/id_rsa (this is the private key of your keypair - don’t share, ever)
~/.ssh/id_rsa.pub (this is the public key of your keypair - we need to send this to our server)
~/.ssh/known_hosts (system creates - contains fingerprints of hosts you have ever connected to - don’t worry about it)

Example:

My client (Ubuntu 24.04), that I am typing on now, has this in my ~/.ssh directory

total 24
drwx------   2 aljms aljms 4096 Feb 22 15:22 .
drwxr-x---+ 20 aljms aljms 4096 May 16 20:47 ..
-rw-------   1 aljms aljms  418 Feb 21 22:23 config
-rw-------   1 aljms aljms  426 Feb 22 15:22 known_hosts
-rw-------   1 aljms aljms  444 Feb 21 23:05 kvmhst_ed25519
-rw-r--r--   1 aljms aljms   88 Feb 20 18:48 kvmhst_ed25519.pub

(Notice, I gave my keypair a custom name, I’ll show you how to do that in a minute)

Now, on my server (Ubuntu 22.04), my wireguard virtual machine here only has this in the ~/.ssh directory:

total 12
drwx------ 2 aljms aljms 4096 Feb 22 15:22 .
drwxr-x--- 5 aljms aljms 4096 May 17 20:21 ..
-rw------- 1 aljms aljms   88 Feb 22 15:22 authorized_keys

Now, what do you think lives in that authorized_keys file. This is where the public key is stored. My client computer sent that public key here to my server.

Don’t hack your authorized_keys files. You can manually copy your public keys in here if you must, but really no need to do that with what we will do next.

For you to try:

1. Delete your old broken known_hosts & authorized_keys files on both machines (pi4 & Xubuntu - see Caution above). Also, delete your keypair you created on the pi4 server, because you created the keypair on the wrong computer. Keypairs are always created on the client side, not the server. If you see a known_hosts.old file, you can ignore that.

2. From your Xubuntu (client), as your normal user (not as root), do the following:

ssh-keygen -t ed25519

3. Type a custom name for your keypair, i.e.: myXubuntu_ed25519 (custom naming keypairs is helpful if you will have several keypairs over time)

4. Enter passphrase (empty for no passphrase): (optional but recommended if your client goes remote)
   NOTE: SSH key passphrases encrypts the ssh keys. The keys become usable only when the passphrase is entered.

5. Now, copy the public key to the pi4 server by running this command from your Xubuntu client:

ssh-copy-id -i myXubuntu_ed25519.pub user@192.168.??.??  (this is the pi4 username & IP address)

You should be prompted to enter the regular password of the user account you are ssh’ing into on the server. If you are denied this, then we will need to look at your sshd_config file on the pi4 server.

You should receive a message that 1 key was copied.

6. Test your SSH. From Xubuntu client:

ssh user@192.168.??.??  (your pi4 server)

If any errors along the way, let us know.

Ubuntu Server is installed on a Raspberry Pi 4 having IP 192.168.1.170 and client is a Windows 11 Desktop computer having IP 192.168.1.102. The server and client are 2 separate computers.

No other SSH configuration done except the default.

No, I have not edited any configuration file on server or client.

The ~/.ssh folder has one empty authorized_keys file.

Yes, I have command line access on both server and client.

I have one server on Raspberry Pi 4 and one client on Windows 11 desktop.

I installed the server fresh. Checked if it has network or not. Then went to the client and tried to ssh to the server and all I get is permission denied (public key).

Then I created the rsa keys in ~/.ssh folder but the error remains and I unable to ssh into the server.

Thank you.

Dear aljames,

Thank you for taking so much time to explain everything so beautifully. I understand better now.

With your advice I tried your recommended steps and I was able to ssh into the pi server.

Thank you so much. More knowledge and power to you so that you can educate less knowledgeable like me, far and wide.

Thank you, again.
Gaurab

Please mark the relevant post as the solution.

It gives credit to the person who helped you and also makes it easier for others to find if facing the same or similar issues.

Thanks.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.