SSH is allowing remote connections only after a local login to the server

Question

I have installed Ubuntu Server 16.04 32-bit on my old notebook wirelly connected to internet (external IP). Since the beginning I've added ufw and Fail2ban. But then I discovered after a reboot I was not able to ssh into the server remotely.

After lots of attempts I could finally understand that it was not because I set up exceptions on Fail2ban or because I disable ufw the ssh server accepts remote connections again (temporarily, until next reboot).

What is hapenning in my case is that ssh starts to answer only after a local login to the server.

Any suggestion? Something related to the encryption of my user directory, perhaps?

SERVER AUTH.LOG

Feb 11 14:18:16 servername systemd-logind[1274]: System is rebooting.
Feb 11 14:19:14 servername CRON[1311]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 11 14:19:14 servername su[1374]: Successful su for noip by root
Feb 11 14:19:14 servername su[1374]: + ??? root:noip
Feb 11 14:19:14 servername su[1374]: pam_unix(su:session): session opened for user noip by (uid=0)
Feb 11 14:19:15 servername systemd-logind[1331]: New seat seat0.
Feb 11 14:19:15 servername systemd-logind[1331]: Watching system buttons on /dev/input/event3 (Power Button)
Feb 11 14:19:15 servername systemd-logind[1331]: Watching system buttons on /dev/input/event5 (Video Bus)
Feb 11 14:19:15 servername systemd-logind[1331]: Watching system buttons on /dev/input/event0 (Power Button)
Feb 11 14:19:15 servername systemd-logind[1331]: Watching system buttons on /dev/input/event1 (Lid Switch)
Feb 11 14:19:15 servername systemd-logind[1331]: Watching system buttons on /dev/input/event2 (Sleep Button)
Feb 11 14:19:15 servername systemd-logind[1331]: Watching system buttons on /dev/input/event9 (HP WMI hotkeys)
Feb 11 14:19:15 servername systemd: pam_unix(systemd-user:session): session opened for user noip by (uid=0)
Feb 11 14:19:15 servername systemd-logind[1331]: New session 1 of user noip.
Feb 11 14:19:15 servername su[1374]: pam_unix(su:session): session closed for user noip
Feb 11 14:19:16 servername sshd[1287]: Server listening on 0.0.0.0 port 22.
Feb 11 14:19:16 servername CRON[1311]: pam_unix(cron:session): session closed for user root
Feb 11 14:19:16 servername systemd-logind[1331]: Removed session 1.
Feb 11 14:19:16 servername systemd: pam_unix(systemd-user:session): session closed for user noip
Feb 11 14:19:44 servername sshd[1860]: Connection closed by x.x.x.x port 49743 [preauth]
Feb 11 14:20:01 servername login[1863]: pam_ecryptfs: Passphrase file wrapped
Feb 11 14:20:03 servername login[1410]: pam_unix(login:session): session opened for user noliva by LOGIN(uid=0)
Feb 11 14:20:03 servername systemd: pam_unix(systemd-user:session): session opened for user noliva by (uid=0)
Feb 11 14:20:03 servername systemd-logind[1331]: New session 2 of user noliva.
Feb 11 14:20:12 servername sshd[1942]: Accepted publickey for noliva from x.x.x.x port 49744 ssh2: RSA SHA256:yyyy
Feb 11 14:20:12 servername sshd[1942]: pam_unix(sshd:session): session opened for user noliva by (uid=0)
Feb 11 14:20:12 servername systemd-logind[1331]: New session 3 of user noliva.
Feb 11 14:20:25 servername sudo:   noliva : TTY=pts/0 ; PWD=/home/noliva ; USER=root ; COMMAND=/usr/bin/vi /var/log/auth.log

CLIENT, BEFORE LOCAL LOGIN TO THE SERVER:

iMac-de-noliva:log noliva$ ssh -v -v -v noliva@x.x.x.x
OpenSSH_7.3p1, LibreSSL 2.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: resolving "x.x.x.x" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /Users/noliva/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to x.x.x.x:22 as 'noliva'
debug3: hostkeys_foreach: reading file "/Users/noliva/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/noliva/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from x.x.x.x
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:5KVog8lQVx18HDJnyjAqJTIyjfkbomRD75l817SPDXs
debug3: hostkeys_foreach: reading file "/Users/noliva/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/noliva/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from x.x.x.x
debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /Users/noliva/.ssh/known_hosts:6
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /Users/noliva/.ssh/id_rsa (0x7f94cf7000a0)
debug2: key: /Users/noliva/.ssh/id_dsa (0x0)
debug2: key: /Users/noliva/.ssh/id_ecdsa (0x0)
debug2: key: /Users/noliva/.ssh/id_ed25519 (0x0)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/noliva/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/noliva/.ssh/id_dsa
debug3: no such identity: /Users/noliva/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/noliva/.ssh/id_ecdsa
debug3: no such identity: /Users/noliva/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/noliva/.ssh/id_ed25519
debug3: no such identity: /Users/noliva/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

CLIENT, AFTER LOCAL LOGIN TO THE SERVER:

iMac-de-noliva:log noliva$ ssh -v -v -v noliva@x.x.x.x
OpenSSH_7.3p1, LibreSSL 2.4.1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: resolving "x.x.x.x" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /Users/noliva/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/noliva/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to x.x.x.x:22 as 'noliva'
debug3: hostkeys_foreach: reading file "/Users/noliva/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/noliva/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from x.x.x.x
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:5KVog8lQVx18HDJnyjAqJTIyjfkbomRD75l817SPDXs
debug3: hostkeys_foreach: reading file "/Users/noliva/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/noliva/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from x.x.x.x
debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
debug1: Found key in /Users/noliva/.ssh/known_hosts:6
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /Users/noliva/.ssh/id_rsa (0x7fbebf420020)
debug2: key: /Users/noliva/.ssh/id_dsa (0x0)
debug2: key: /Users/noliva/.ssh/id_ecdsa (0x0)
debug2: key: /Users/noliva/.ssh/id_ed25519 (0x0)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/noliva/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:yyyyy
debug3: sign_and_send_pubkey: RSA SHA256:xxxxx
Enter passphrase for key '/Users/noliva/.ssh/id_rsa':

Have you tried to move the ssh authentication data out of your encrypted home folder? Something like this article or this comment. — pa4080, Feb 11 '17 at 16:49
Which approach did you use? I think the second one is more simple. I searched a bit in AskUbuntu and I can't find similar answer here. So I intend to post an answer later this evening. — pa4080, Feb 11 '17 at 17:00
I followed the article (first one)! And that's a good idea! I will try the second one and keep you informed. — noliva, Feb 11 '17 at 17:02
Yeah! I will keep it according to the second approach. Thank you again! — noliva, Feb 11 '17 at 17:17

score 13 · Accepted Answer · edited Sep 18 '22 at 12:23

The problem is that, while you are not logged in the system, your home folder is encrypted and the file ~/.ssh/authorized_keys is inaccessible.

A simple solution is described in the section Troubleshooting of the article SSH/OpenSSH/Keys from help.ubuntu.com.

To solve this, create a folder outside your home named /etc/ssh/<username> (replace <username> with your actual username). This directory should have 755 permissions and be owned by the user. Move the authorized_keys file into it. The authorized_keys file should have 644 permissions and be owned by the user.

Then edit your /etc/ssh/sshd_config and add:
AuthorizedKeysFile    /etc/ssh/%u/authorized_keys

If you want to do that for the current user (and the user is in the sudoers group) the command line would look like:

sudo mkdir /etc/ssh/$USER
sudo mv $HOME/.ssh/authorized_keys /etc/ssh/$USER/
sudo chown -R $USER:$USER /etc/ssh/$USER
sudo chmod 755 /etc/ssh/$USER
sudo chmod 644 /etc/ssh/$USER/authorized_keys

^{*Where $USER and $HOME are envvars that contain the username and home directory of the current user.}

Then edit your /etc/ssh/sshd_config and change the directive AuthorizedKeysFile in this way:

#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/%u/authorized_keys

Restart the SSH server:

sudo systemctl restart ssh.service

That's it.

References and other approaches:

Hi, @alper, yes %u is a variable that represents the username. — pa4080, Sep 23 '19 at 09:36
I have changed %u variable with the original username value and also tried by keeping %u as it is. It seems like working but after around 10 minutes it stops working. I will have to login again to be able to ssh. — alper, Sep 23 '19 at 10:27
The main error was caused by Ubuntu 18.04's ethernet disconnected after suspend. I disabled the suspension and error is solved. — alper, Sep 24 '19 at 05:31
Please fix the core bug in your answer. Change the line AuthorizedKeysFile /etc/ssh/%u/authorized_keys to AuthorizedKeysFile /etc/ssh/%u/authorized_keys .ssh/authorized_keys .ssh/authorized_keys2 as you are missing .ssh/authorized_keys .ssh/authorized_keys2 from it.
You might also suggest this one liner: echo "AuthorizedKeysFile /etc/ssh/%u/authorized_keys .ssh/authorized_keys .ssh/authorized_keys2" | sudo tee -a /etc/ssh/sshd_config — , Apr 28 '20 at 10:10

score 1 · Answer 2 · edited Feb 24 '22 at 11:20

1

For anyone else who came here looking to solve ssh starts to answer only after a local login to the server and the above solution (moving the authorized keys file) doesn't work, then maybe the server isn't connecting to the network. This worked for me: https://askubuntu.com/a/16378/333711 .

I found out how to do it. Simply go into Network Manager -> Edit Connections. Select your connection, click Edit and check Available to all users.

You may also need to add a line for each interface that you want to automatically come up at boot time in /etc/network/interfaces:
auto eth0
auto wifi0

edited Feb 24 '22 at 11:20

karel

114,770

answered Feb 22 '22 at 01:44

Stew-au

119
3

Raising the interfaces in auto mode wasn't necessary. Sharing the necessary connections did the trick. And it's absolutely logic. My system is connected via WIFI only. So it won't connect to the network without any connection configuration. – codekandis Jan 25 '23 at 21:46

SSH is allowing remote connections only after a local login to the server

2 Answers2

Linked

Related