ssh postponed publickey error in /var/log/secure: "Accepted publickey for <user>"

Solution Unverified

Environment

  • Red Hat Enterprise Linux 4, 5, 6
  • openssh-server

Issue

Error messages in /var/log/secure:

Oct 11 04:02:44 hostname sshd[28283]: Accepted publickey for <user> from ::ffff:192.168.0.1 port 22545 ssh2  
Oct 11 04:02:44 hostname sshd[28309]: Postponed publickey for <user> from ::ffff:192.168.0.1 port 22546 ssh2

This issue occurs often with Oracle.

Resolution

The "Postponed publickey" messages can be eliminated by identifying the unwanted authentication method(s) tried before publickey and disabling them, either on the client side or on the server side. In this case the unwanted method is GSSAPI (GSSAPIAuthentication), so the parameter is disabled on the client side.

Change the configuration in /etc/ssh/ssh_config from:

Host *  
    GSSAPIAuthentication yes

to:

Host *  
    GSSAPIAuthentication no

With the GSSAPIAuthentication method disabled, the client offers publickey first and the publickey method is no longer postponed.

Root Cause

  • User alice is accessing the server via SSH, but before the public key is accepted the client works through the methods the server offers (publickey,gssapi-with-mic,password) in its own preferred order: it first tries gssapi-with-mic, then publickey, and eventually keyboard-interactive and password. The gssapi-with-mic attempt fails, which delays the use of the public key, and that delay is why the "Postponed publickey" message appears in the logs. Finally the correct method (publickey) is accepted and the session starts.

Diagnostic Steps

To debug SSH and see what is causing the slow authentication, and therefore the "Postponed publickey" message, the following can be done:

On the client:

1. Run the script command in the shell to capture the session output:

$ script /tmp/SSHclient

2. Start the connection to the remote server with verbose mode on:

$ ssh -vvv userx@hostname

3. Once the connection is established, close the connection and then stop script (press Control+D to close the SSH connection, then type exit on the client to stop logging with script).

4. The captured session is now in /tmp/SSHclient on the client; look for the "Next authentication method:" lines to see which method was tried before publickey.
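As an added example (not part of the Red Hat solution), a small POSIX shell helper that reads a capture such as /tmp/SSHclient and lists the order in which the client tried authentication methods, and that counts "Postponed publickey" entries per user from /var/log/secure so the fix can be confirmed; the sample lines below are constructed, not real captures.

```shell
#!/bin/sh
# Constructed sample of "ssh -vvv userx@hostname" output in OpenSSH's debug
# format (made up for this example, not a real capture).
SAMPLE_CLIENT='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/userx/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).'

# Constructed sshd lines in the /var/log/secure format shown above.
SAMPLE_SECURE='Oct 11 04:02:44 hostname sshd[28309]: Postponed publickey for alice from ::ffff:192.168.0.1 port 22546 ssh2
Oct 11 04:02:44 hostname sshd[28283]: Accepted publickey for alice from ::ffff:192.168.0.1 port 22545 ssh2
Oct 11 04:05:10 hostname sshd[28401]: Postponed publickey for alice from ::ffff:192.168.0.1 port 22600 ssh2'

# Order in which the client tried authentication methods, one per line.
# Reads ssh -vvv output on stdin, e.g. auth_order < /tmp/SSHclient
# (script(1) captures use CRLF line ends, so strip the CR first).
auth_order() {
    tr -d '\r' | sed -n 's/^debug1: Next authentication method: //p'
}

# Print the first method tried if it is not publickey (exit 0); otherwise
# print nothing and exit 1. That first method is the one to disable.
method_before_publickey() {
    first=$(auth_order | head -n 1)
    if [ -n "$first" ] && [ "$first" != "publickey" ]; then
        echo "$first"
        return 0
    fi
    return 1
}

# Count "Postponed publickey" entries per user from sshd log lines on stdin,
# e.g. postponed_per_user < /var/log/secure, to confirm the fix took effect.
postponed_per_user() {
    tr -d '\r' | awk '/sshd\[[0-9]*\]: Postponed publickey for / {
        for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
    } END { for (u in n) print u, n[u] }'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_CLIENT" | method_before_publickey   # gssapi-with-mic
printf '%s\n' "$SAMPLE_SECURE" | postponed_per_user        # alice 2
```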

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
