"Could not authenticate on target machine where only Public Key Authentication was configured." trying to SSH to Linux server via ZTNA

Article ID: 280355

Products

Symantec ZTNA

Issue/Introduction

ZTNA setup with SSH Application.

SSH policy enabled with temporary tokens to be used, with all ZTNA users mapped to a single SSH account.

User connects to ZTNA Portal, accesses the SSH application and copies the username and temporary token to use.

Using the SSH client to login to the remote application, the user would see the following SSH failure error after entering credentials:

'[email protected]' failed accessing ssh application 'Example_SSH_Application'. Could not authenticate on target machine where only Public Key Authentication was configured.


Environment

ZTNA.

SSH Application.

Cause

A network issue prevented the curl command that generates the shared keys on the SSHD server from completing.

Resolution

Make sure that the curl command that copies the public keys to the SSH server completes correctly.

In our specific case, we needed to address a DNS issue generating the certificate keys.

Additional Information

Based on the message, the authentication issue appears to be with the SSH server and not the ZTNA service.

Running SSHD in debug mode, we clearly see authentication failures on the SSHD server:

type=USER_AUTH msg=audit(1709824923.632:5532): pid=13141 uid=0 auid=XXXX  ses=YYYYYYY subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=#.#.#.# terminal=ssh res=failed'UID="root" AUID="unset"

The SSHD config pointed to an authorized_host file that did not exist. This file should contain the certs generated as part of the documented curl operation to install keys.

Running the curl command again in debug mode (-vvv) showed the reason for the failure: DNS resolution for the remote host failed, as shown below.

Re-running the curl command with sudo, using the IP address rather than the DNS name, solved the issue.
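The two checks described above (failed public-key attempts in the audit log, and whether the key file sshd is configured to consult actually exists) can be scripted. The following POSIX shell script is an added example, not part of this article or of the ZTNA product; it works on constructed data embedded in the script: the audit records mimic the USER_AUTH line quoted above with documentation addresses and a dummy auid, and the home directory and AuthorizedKeysFile value are assumed inputs in the form that `sshd -T` prints.

```shell
#!/bin/sh
# Added example, not from the article: reproduce the two checks the article
# describes on constructed data. Assumes auditd USER_AUTH records in the format
# quoted above and an AuthorizedKeysFile value as printed by `sshd -T`.

# Write a constructed sample of auditd records to a temp file and print its path.
# Two pubkey failures for root (the symptom in the article) and one unrelated
# password success. Addresses are RFC 5737 documentation addresses.
audit_sample_file() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
type=USER_AUTH msg=audit(1709824923.632:5532): pid=13141 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1709824930.001:5533): pid=13150 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1709824940.500:5534): pid=13160 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.12 terminal=ssh res=failed'UID="root" AUID="unset"
EOF
  printf '%s\n' "$f"
}

# Print "account address" for every failed public-key authentication in an
# audit log ($1). Only USER_AUTH records with op=pubkey and res=failed match.
pubkey_failures() {
  grep 'type=USER_AUTH' "$1" | grep 'op=pubkey' | grep 'res=failed' |
    sed -n 's/.*acct="\([^"]*\)".*addr=\([^ ]*\).*/\1 \2/p'
}

# Number of failed public-key attempts in an audit log ($1).
count_pubkey_failures() {
  pubkey_failures "$1" | wc -l | tr -d ' '
}

# Expand the tokens sshd allows in AuthorizedKeysFile (%h home dir, %u user,
# %% literal percent) and make relative paths absolute under the home dir.
# $1 = AuthorizedKeysFile value (may list several files), $2 = user, $3 = home.
# Assumes $2 and $3 contain no '|' or '&', which are special to the sed patterns.
expand_authorized_keys_files() {
  for p in $1; do
    e=$(printf '%s\n' "$p" | sed -e 's|%%|__PCT__|g' -e "s|%h|$3|g" \
                                   -e "s|%u|$2|g" -e 's|__PCT__|%|g')
    case "$e" in
      /*) printf '%s\n' "$e" ;;
      *)  printf '%s/%s\n' "$3" "$e" ;;
    esac
  done
}

# Print each configured authorized-keys path that does not exist: an empty
# result means sshd can find every file it is told to consult.
missing_authorized_keys_files() {
  expand_authorized_keys_files "$1" "$2" "$3" | while IFS= read -r path; do
    [ -f "$path" ] || printf '%s\n' "$path"
  done
}

# Stand-alone demonstration on the constructed data: a temporary home with
# authorized_keys present and authorized_keys2 missing.
demo() {
  log=$(audit_sample_file)
  echo "failed pubkey attempts: $(count_pubkey_failures "$log")"
  pubkey_failures "$log" | sed 's/^/  /'
  home=$(mktemp -d)
  mkdir -p "$home/.ssh" && : >"$home/.ssh/authorized_keys"
  echo "missing key files for root (home $home):"
  missing_authorized_keys_files '.ssh/authorized_keys %h/.ssh/authorized_keys2' root "$home" | sed 's/^/  /'
  rm -rf "$log" "$home"
}

demo
```

On a real server the inputs would be the audit log (for example /var/log/audit/audit.log) and the effective setting from `sshd -T -C user=root` (the `authorizedkeysfile` line), with the account's home directory from `getent passwd`. A non-empty result from `missing_authorized_keys_files` is the condition this article describes: sshd rejects every public key because the file it is configured to read was never written.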