Troubleshooting
SSH pubkey authentication with locked accounts does not work
Accounts with a locked password cannot authenticate with an SSH public key. SSH now distinguishes between ! and * password locking.
*: Lock password - allow SSH pubkey auth.
!: Lock password - deny SSH pubkey auth.
Any other means to lock the password will result in SSH pubkey failures.
Danger
Do NOT set UsePam=yes as this leads to security vulnerabilities.
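The ! versus * rule above can be checked against shadow entries before a login fails. This is an added example, not part of the original page; the function names, status labels and sample entries are constructed for illustration, and it assumes the standard shadow layout where the second colon-separated field is the password field.

```shell
#!/bin/sh
# Classify one shadow password field according to the rule on this page:
#   leading "!"  -> password locked, SSH pubkey auth denied
#   exactly "*"  -> password disabled, SSH pubkey auth allowed
# Status labels are hypothetical names chosen for this example.
classify_lock() {
    case "$1" in
        '!'*) echo "locked-deny-pubkey" ;;       # "!", "!!", or "!" + hash
        '*')  echo "nopassword-allow-pubkey" ;;  # literal asterisk only
        '')   echo "empty-password" ;;           # no password set at all
        *)    echo "password-set" ;;             # a usable hash is present
    esac
}

# Read shadow-format lines on stdin and print "user status" per entry.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue               # skip blank lines
        printf '%s %s\n' "$user" "$(classify_lock "$field")"
    done
}

# Constructed sample entries (not real accounts or hashes).
sample_shadow() {
cat <<'EOF'
alice:$y$j9T$constructedsalt$constructedhash:19900:0:99999:7:::
deploy:*:19900:0:99999:7:::
backup:!:19900:0:99999:7:::
olduser:!$y$j9T$constructedsalt$constructedhash:19900:0:99999:7:::
EOF
}

# Demo run over the constructed sample.
sample_shadow | audit_shadow
```

To audit a real host, run `audit_shadow < /etc/shadow` as root.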
Debian ssh group no longer works
ssh group now _ssh
The ssh group was migrated to _ssh in Trixie.
If the ssh group is used with existing users and groups, it must be managed manually; alternatively, migrate the users to _ssh.
Enable Debug Mode
Print verbose messages to /var/log/syslog to help in debugging issues.
/etc/default/ssh
0644 root:root
SSHD_OPTS=-ddd
systemctl daemon-reload
service ssh restart
Note
After a login attempt, the service may need to be restarted to test again.
Check /var/log/syslog for debug information.
Could not open authorized keys: Permission denied
The keyfile could not be accessed. This generally happens when SSHD drops privileges to the user at login and the user cannot access the keyfile. Check that:
- Directory containing keyfile is readable and executable by the user.
- Keyfile is 0600.
GPG pinentry not redirecting to correct terminal
The GPG agent must be informed, using gpg-connect-agent, when working from a new terminal.
Manually
gpg-connect-agent updatestartuptty /bye
~/.ssh/config
0640 {USER}:{USER}
Match host * exec "gpg-connect-agent updatestartuptty /bye"