SSH Logs
When troubleshooting SSH issues, reviewing both the client-side and server-side logs is crucial. Logs provide valuable information that can help diagnose problems such as authentication failures or connection issues.
Using Verbose Mode
SSH provides a built-in verbose mode (-v) that gives detailed information about what happens during the connection process. Increasing the verbosity level (-vv and -vvv) provides even more detail, making it easier to pinpoint issues.
Verbose Mode Example
ssh -vvv user@hostname
Verbose mode shows each step of the connection process, including key exchanges, authentication methods tried, and any failures that occur. This output can be especially helpful for understanding why an authentication attempt failed or what might be causing a delay in establishing the connection.
- Single -v: Displays general connection information, such as the SSH version and whether key-based or password authentication is attempted.
- Double -vv: Adds details about the key exchange and which specific keys or authentication methods are tried.
- Triple -vvv: Provides the most granular details, including cryptographic operations, and is typically used for the most complex troubleshooting.
Troubleshooting Authentication Failures
Authentication failures are a common issue in SSH, and the logs often hold the key to resolving them. Client-side logs, especially when combined with verbose mode, can reveal:
- Which authentication method is being tried (password, key-based, etc.).
- Why an authentication method failed (e.g., missing key, wrong permissions, or invalid credentials).
- Any fallback attempts made by SSH, such as trying a different key or switching from public key to password authentication.
Server-Side Logs
In addition to the client-side verbose mode, reviewing the server-side logs is essential for a full understanding of the issue. Server logs typically contain more detailed error messages about why a connection attempt failed.
On most Unix-based systems, SSH logs are stored in /var/log/auth.log or /var/log/secure, depending on the distribution.
To view the logs on a server:
sudo tail -f /var/log/auth.log
Look for entries related to SSHD (the SSH daemon). Common log entries include:
- Authentication Failures: Indicate why the server rejected a login attempt (e.g., wrong password, public key not authorized, etc.).
- Connection Attempts: Provide details about the client’s IP address, the port used, and any connection errors that occurred before authentication was attempted.
Example log output:
sshd[12345]: Failed publickey for user from 192.168.1.100 port 22 ssh2
In this example, the public key authentication failed for the user. Cross-referencing this with the client-side verbose output can help you determine whether it’s a permission issue, a key mismatch, or another configuration problem.
Key Authentication Logs
For key-based authentication, logs will indicate whether the correct public key is being offered by the client and accepted by the server. If the server refuses the key, check both the key's format and the permissions on the client and server.
Look for messages like:
sshd[12345]: Accepted publickey for user from 192.168.1.100 port 22 ssh2: RSA SHA256:abc123...
This indicates that key-based authentication was successful.
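The Failed and Accepted entries shown above can be grouped per connection to see which methods were tried and how each attempt ended, which is the server's view of the client fallback behaviour described earlier. This is an added example, not part of the original page: the sample log lines are constructed, and grouping by sshd PID assumes each connection is logged under a single PID.

```python
import re
from collections import defaultdict

# sshd result lines in the format shown on this page; the optional tail
# captures the key type and fingerprint that follow "ssh2:" when present.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?"
)

def parse_auth_lines(lines):
    """Return one dict per sshd authentication result line, in log order."""
    return [m.groupdict() for m in map(AUTH_RE.search, lines) if m]

def attempts_by_connection(lines):
    """Group results by sshd PID (assumption: one PID per connection)."""
    conns = defaultdict(list)
    for ev in parse_auth_lines(lines):
        conns[ev["pid"]].append(ev)
    return dict(conns)

def diagnose(events):
    """Summarize one connection: methods tried, outcome, and accepted key."""
    last = events[-1]
    accepted = last["result"] == "Accepted"
    return {
        "user": last["user"],
        "ip": last["ip"],
        "tried": [f'{e["method"]}:{e["result"]}' for e in events],
        "accepted": accepted,
        # Fingerprint of the key the server accepted, if any.
        "fingerprint": last["fingerprint"] if accepted else None,
    }

# Constructed sample log (documentation addresses, made-up fingerprints).
SAMPLE = """\
Jan 10 09:00:01 srv sshd[2001]: Failed publickey for alice from 192.0.2.10 port 50122 ssh2: RSA SHA256:EXAMPLEaaa
Jan 10 09:00:02 srv sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:EXAMPLEbbb
Jan 10 09:01:10 srv sshd[2002]: Failed publickey for bob from 192.0.2.20 port 41000 ssh2: RSA SHA256:EXAMPLEccc
Jan 10 09:01:15 srv sshd[2002]: Failed password for bob from 192.0.2.20 port 41000 ssh2
Jan 10 09:02:00 srv sshd[2003]: Connection closed by 192.0.2.30 port 42000 [preauth]
""".splitlines()

if __name__ == "__main__":
    for pid, events in attempts_by_connection(SAMPLE).items():
        print(pid, diagnose(events))
```

A connection whose "tried" list ends in Failed for every method is the one to cross-reference against the client's -vvv output.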