4

I've read dozens of posts on this on these forums, but none of them seemed to help. I can ping the RP3 but not SSH in.

I have a mac (latest OSX) and am trying to SSH into a Pi 3. The Pi is running Raspbian, and is set to a static IP address. It has SSH enabled.

There is a USB to ethernet adaptor on both the mac side, and the Pi end (the Pi's built-in ethernet port is used for something else, so I can't use that for SSH). There is an ethernet cable connecting the two ethernet adaptors: so it runs between the mac and Pi.

The Pi is connected to a monitor, keyboard, mouse, and the USB to ethernet adaptor.
The Pi network is set to static IP: 192.168.111.20/24, the rest of the settings are default. The mac has no custom network settings, and I'm using the built-in shell to ssh. The mac is also connected to the net via wifi for general internet access.

Update: Also, as a way to try and rule out mac issues, I just tried SSH to the IP address with a stock windows 7 PC via Putty, and that yielded a "Connection timed out" error.

Per Jdonald's request: `which ssh` yields `/usr/local/bin/ssh`

Per Jdonald's request: ssh_config contents include these lines: (The entire file isn't included, since that includes work-specific information)

ssh_config.erb#22 $
CanonicalizeMaxDots 1
CanonicalizeFallbackLocal yes
# Workaround for kerberos asking for a localhost ticket
Host localhost
  GSSAPIAuthentication no
  GSSAPIKeyExchange no
  UserKnownHostsFile /dev/null
Host *.*
  ForwardX11 no
  ForwardX11Trusted no
  StrictHostKeyChecking ask
Host *
  Port 22
  Protocol 2
  AddressFamily any
  CanonicalizeHostname always

  ForwardX11 no
  ForwardX11Trusted no
  StrictHostKeyChecking ask
  BatchMode no
  CheckHostIP yes
  ConnectionAttempts 1
  NumberOfPasswordPrompts 1
  EscapeChar ~
  Compression no
  PasswordAuthentication yes

  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/localhost/id_rsa
  IdentityFile ~/.ssh/clusterhost/id_rsa
  IdentityFile ~/.ssh/id_ed25519
  IdentityFile ~/.ssh/id_ecdsa

  HostbasedAuthentication yes
  PubkeyAuthentication yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIKeyExchange yes
  GSSAPITrustDns yes
  PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password

1) I can ping via the OSX terminal, but not SSH in. It is a long ping time.

ping 192.168.111.20

And the reply is:

64 bytes from 192.168.111.20: icmp_seq=0 ttl=56 time=162.976 ms

64 bytes from 192.168.111.20: icmp_seq=1 ttl=56 time=161.413 ms

However, I cannot SSH in. The username is pi, the device name is rasppi.

$ ssh pi@192.168.111.20

Permission denied (publickey). 

Verbose output is at the end. I've replaced my actual username name with "name".

2) I've tried variants like

ssh-keygen -R 192.168.111.20

ssh -X pi@192.168.111.20

and

ssh pi:@192.168.111.20

Any help or thoughts on what's going on?

P.S. Verbose ssh connection attempt output:

OpenSSH_7.2p2, OpenSSL 1.0.2l 25 May 2017

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 74: Applying options for *.*

debug1: /etc/ssh_config line 84: Applying options for *

debug1: Re-reading configuration after hostname canonicalisation

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 74: Applying options for *.*

debug1: /etc/ssh_config line 84: Applying options for *

debug1: Connecting to 192.168.111.20 [192.168.111.20] port 22.

debug1: using TCP window size of 65536 / 65536

debug1: Connection established.

debug1: key_load_private_cert: No such file or directory

debug1: key_load_private_cert: No such file or directory

debug1: key_load_private_cert: No such file or directory

debug1: key_load_private_cert: No such file or directory

debug1: key_load_private_type: No such file or directory

debug1: key_load_private_type: No such file or directory

debug1: key_load_private_type: No such file or directory

debug1: key_load_private_type: No such file or directory

debug1: key_load_cert: No such file or directory

debug1: key_load_cert: No such file or directory

debug1: key_load_cert: No such file or directory

debug1: key_load_cert: No such file or directory

debug1: key_load_public: No such file or directory

debug1: key_load_public: No such file or directory

debug1: key_load_public: No such file or directory

debug1: key_load_public: No such file or directory

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/id_rsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/id_rsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/localhost/id_rsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/localhost/id_rsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/clusterhost/id_rsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/clusterhost/id_rsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/id_ed25519 type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/id_ed25519-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/id_ecdsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/<name>/.ssh/id_ecdsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2

debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

debug1: Authenticating to 192.168.111.20:22 as 'pi'

debug1: Miscellaneous failure (see text)

No credentials cache file found

debug1: An invalid name was supplied

unknown mech-code 0 for mech 1 2 752 43 14 2

debug1: Miscellaneous failure (see text)

unknown mech-code 0 for mech 1 3 6 1 5 5 14

debug1: Miscellaneous failure (see text)

unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10

debug1: An unsupported mechanism was requested

unknown mech-code 0 for mech 1 3 5 1 5 2 7

debug1: Miscellaneous failure (see text)

unknown mech-code 0 for mech 1 3 6 1 5 2 5

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: algorithm: curve25519-sha256@libssh.org

debug1: kex: host key algorithm: rsa-sha2-512

debug1: kex: server->client cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ssh-rsa SHA256:Y+qLMT92FSBY4m3x2bkWofdK/H9W8ovhDUXA1IEYygQ

debug1: Host '192.168.111.20' is known and matches the RSA host key.

debug1: Found key in /Users/<name>/.ssh/known_hosts:2

debug1: rekey after 4294967296 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: rekey after 4294967296 blocks

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey

debug1: Next authentication method: publickey

debug1: Trying private key: /Users/<name>/.ssh/id_rsa

debug1: Trying private key: /Users/<name>/.ssh/localhost/id_rsa

debug1: Trying private key: /Users/<name>/.ssh/clusterhost/id_rsa

debug1: Trying private key: /Users/<name>/.ssh/id_ed25519

debug1: Trying private key: /Users/<name>/.ssh/id_ecdsa

debug1: No more authentication methods to try.

Permission denied (publickey).
P B
  • There is so much detail missing from your question. I would guess that you are using some kind of Ethernet connection (RJ45 is a phone standard), but you have not specified HOW, or why. You have not described what else the Pi is connected to, and what the network settings are. – Milliways Nov 09 '17 at 04:39
  • edits added to post above. – P B Nov 09 '17 at 04:58
  • You have to provide ALL network detail; post the output of `if a` **WHY** don't you just connect the Pi to your WiFi? **HOW** did you set static? What is the Pi's built-in Ethernet port used for and how is it configured? You obviously have some kind of complex network setup, but unless you describe it in detail it is difficult to comment. Running 3 adapters in series seems a kludge to say the least. Why not use a hub or switch? – Milliways Nov 09 '17 at 05:24
  • Okay, I will edit the post with those details tomorrow. To clarify, what 3 adaptors in series are you referring to? There are 2 USB to ethernet adaptors for the Pi to Mac link, because neither has an available ethernet port; that's two in series. I cannot use wifi for this application, unfortunately (it has to be hard-wired). – P B Nov 09 '17 at 05:31
  • What stands out from your log compared to a working run: 1) You're running OpenSSH_7.2p2 but at the time of writing High Sierra uses v7.5p1. Maybe you're not actually running the latest macOS, or Homebrew substituted your ssh? Run `which ssh` to ensure it's /usr/bin/ssh. 2) Your ssh config file is not called `/etc/ssh/ssh_config` (possibly related to item 1) and is larger than normal. Can you post your `/etc/ssh_config` content? 3) `unknown mech-code 0` and `No credentials cache file found` errors are specific to Kerberos. Possibly a sysadmin installed Kerberos on your Mac; can you remove it? – jdonald Nov 09 '17 at 15:48
  • Good thoughts. 1) {which ssh} yields /usr/local/bin/ssh. 2) I edited the post to show some of the contents of the ssh_config file; I can't show the whole thing since it's a work machine that may include private information. 3) Kerberos doesn't seem to be installed; at least, there's no result for 'which Kerberos' – P B Nov 09 '17 at 19:59
  • If it's relevant to perhaps point to the RPi, I just tried SSH to the IP address with a stock windows 7 PC via Putty, and that yielded a "Connection timed out" error. – P B Nov 09 '17 at 20:23
  • That's Homebrew ssh! You can upgrade it with `brew upgrade openssh`. If you need to compare against the macOS stock ssh run `/usr/bin/ssh` explicitly, and if needed to remove Homebrew ssh altogether just in case, run `brew uninstall openssh`. Because your Windows error is different from Mac it may open up more questions than answers. Can you still ping the Pi from Windows? You can also install Git for Windows that comes with openssh to compare. Should have asked earlier: you have keyboard/monitor access to the Pi, so how does `ssh pi@localhost` look from there? – jdonald Nov 13 '17 at 17:25
  • Your `ssh_config` looks very different from what's available in Raspbian stretch (or Jessie) (and even from the default of Mac High Sierra); what OS are you running on the RPi? Two things to check: 1) on your RPi, run `cat ~/.ssh/authorized_keys`, and then on your Mac, run `cat ~/.ssh/id_rsa.pub`, and compare it to the result from the RPi to see if they match. 2) on your RPi, check `/etc/sshd_config`, and what do you see on the settings of `PasswordAuthentication` and `PubkeyAuthentication`? – hcheung Jan 14 '18 at 07:34
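
The authentication phase of a verbose log like the one in the question can be summarised mechanically. The following is an added example, not part of the original post or its comments; the function names `triage_ssh_log` and `sample_log` are hypothetical, and the sample is a shortened excerpt of the log above.

```shell
#!/bin/sh
# Added example: summarise the authentication phase of `ssh -v` output (stdin).
triage_ssh_log() {
    awk '
    # "identity file <path> type -1": ssh could not load that key at startup
    $2 == "identity" && $3 == "file" && $4 !~ /-cert$/ {
        total++
        if ($6 == "-1") unloaded++
    }
    # Methods the server will still accept for this user
    /Authentications that can continue:/ {
        offered = $0
        sub(/^.*continue: */, "", offered)
    }
    /Trying private key:|Offering .*public key:/ { tried++ }
    /^Permission denied/ { denied = 1 }
    END {
        loaded = total - unloaded
        printf "server-offers=%s\n", (offered == "" ? "unknown" : offered)
        printf "identities-loaded=%d/%d\n", loaded, total
        printf "keys-tried=%d\n", tried
        print "password-offered=" (offered ~ /password/ ? "yes" : "no")
        if (!denied)          print "verdict=no-denial-in-log"
        else if (loaded == 0) print "verdict=client-loaded-no-key"
        else                  print "verdict=server-rejected-client-keys"
    }'
}

# Shortened excerpt of the verbose log posted in the question.
sample_log() {
    cat <<'EOF'
debug1: identity file /Users/<name>/.ssh/id_rsa type -1
debug1: identity file /Users/<name>/.ssh/id_rsa-cert type -1
debug1: identity file /Users/<name>/.ssh/id_ed25519 type -1
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/<name>/.ssh/id_rsa
debug1: Trying private key: /Users/<name>/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
EOF
}

sample_log | triage_ssh_log
```

To run it against a real attempt, pipe the client's stderr in: `ssh -v pi@192.168.111.20 2>&1 | triage_ssh_log`.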

3 Answers

2

You can ping the RPi, so I wouldn't worry too much about connectivity. You can port scan it on TCP port 22 (or whatever port you configured ssh to listen on) to be sure if you like.

The message Permission denied (publickey) typically indicates you configured sshd on the RPi to require public key authentication, but have no private key on your client that has a match in ~/.ssh/authorized_keys on the server (your RPi). Notice the messages at the end of your log:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/<name>/.ssh/id_rsa
debug1: Trying private key: /Users/<name>/.ssh/localhost/id_rsa
debug1: Trying private key: /Users/<name>/.ssh/clusterhost/id_rsa
debug1: Trying private key: /Users/<name>/.ssh/id_ed25519
debug1: Trying private key: /Users/<name>/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Did you edit your host sshd configuration to only allow public key authentication? And if so, did you copy your public key over from your client to ~/.ssh/authorized_keys on the RPi as required to use public keys before locking yourself out? Is it possible you used a different key than those listed in the log?

Another possibility is that the permissions for ~/.ssh or the files therein are incorrect. I'd expect to see messages to that effect in the log, but you might not have full verbosity turned up. You can try upping the verbosity using the ssh -vvv option if you haven't cranked it up already.

If this sounds like what happened, you can mount the microSD card on another Linux computer and mount the / partition, then copy over the file and fix permissions as needed to fix it.

If this sounds off, you'll need to post the configuration details on your RPi (/etc/ssh/sshd_config) ... if you can. Hopefully, you have physical access to the RPi's location.

bobstro
  • Interesting thoughts, thanks. No, I didn't edit sshd at all. All the setups / tutorials on SSH to RPi that I've seen have been straight plug in and ssh seems like it just works -- no sshd config or key copy needed for those. I do have physical access to the RPi. What permissions should ~/.ssh have to be correct? – P B Nov 09 '17 at 09:20
  • `~/.ssh` should be 0700 `drwx------`. `~/.ssh/authorized_keys` should be 0600 `-rw-------`. Try turning up verbosity. `ssh` is pretty good at letting you know what's not working, but may produce a lot of output to pore over. If you didn't configure `sshd` to use public key authentication, I'm not sure what's going on. By default, most installs allow password authentication out-of-the-box. – bobstro Nov 09 '17 at 14:22
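
The server-side checks discussed in this answer and its comments (the 0700/0600 modes, and whether the client's public key is listed in `authorized_keys`) can be scripted for use at the Pi's console. This is an added example, not code from the answer; the function name `audit_ssh_dir` is hypothetical and it assumes GNU `stat`, as shipped with Raspbian.

```shell
#!/bin/sh
# Added example: audit the files sshd consults for publickey logins.
# Usage: audit_ssh_dir <home-dir> [client-public-key-file]
# Prints one finding per line; returns 0 when nothing is wrong, 1 otherwise.
audit_ssh_dir() {
    home=$1 pub=${2:-} rc=0
    dir=$home/.ssh
    auth=$dir/authorized_keys

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"; return 1
    fi
    # With StrictModes (the sshd default) group/world-writable paths are
    # rejected; 0700 and 0600 are the modes recommended in the answer above.
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = 700 ] || { echo "BAD-MODE $dir is $mode, want 700"; rc=1; }

    if [ ! -f "$auth" ]; then
        echo "MISSING $auth"; return 1
    fi
    mode=$(stat -c '%a' "$auth")
    [ "$mode" = 600 ] || { echo "BAD-MODE $auth is $mode, want 600"; rc=1; }

    if [ -n "$pub" ]; then
        # Field 2 of a .pub file is the base64 key blob; look for it verbatim
        # so entries with leading options in authorized_keys still match.
        blob=$(awk '{print $2; exit}' "$pub")
        if [ -n "$blob" ] && grep -qF -- "$blob" "$auth"; then
            echo "KEY-OK $pub is authorized"
        else
            echo "KEY-ABSENT $pub not in $auth"; rc=1
        fi
    fi
    return $rc
}
# Example call on the Pi, with the Mac's public key copied to /tmp/mac.pub:
#   audit_ssh_dir /home/pi /tmp/mac.pub
```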
2

I have experienced a similar issue when I could ping my Raspberry (with the Octoprint image for 3D Printer control), but could not connect via SSH.

What I tried was:

ping 192.168.1.3     

(pinging raspberry worked)

ssh pi@192.168.1.3     

(did not work)

On raspberry:

sudo raspi-config

(to enable ssh)

sudo systemctl enable ssh 

(to enable ssh)

What fixed it in my case was:

My computer was connected to the network router via an Ethernet cable, and the Pi was connected via WiFi. I connected the computer via WiFi to the same router and it worked. Connected again via Ethernet, and it stopped working. Possibly, router or network setup issues.

I hope this helps someone to save time.

J W
  • You could configure your wireless router to forward SSH requests to your Pi. That way, you only have to ssh to your wi-fi router. – CharlieHorse Jul 24 '18 at 17:40
  • `sudo systemctl enable ssh` worked on Raspbian Lite 2018-11-13 RPI2 after reboot and persists across reboots. Before rebooting, I could turn it on for a single session with: `sudo service sshd start`. To login without SSH or screen to run those commands, I used the UART as shown at: https://raspberrypi.stackexchange.com/questions/38/prepare-for-ssh-without-a-screen/54394#54394 – Ciro Santilli OurBigBook.com Dec 25 '18 at 20:28
0

On Raspbian Lite 2018-11-13 RPI2, you can enable the SSH daemon by default by creating a magic file called ssh on the boot/ partition.

On an Ubuntu host, this can be done with:

sudo touch /media/$USER/boot/ssh

See also: SSH not working with fresh install