🟠 High   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: Debian 9

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Remote administrative access fails, delaying incident response and routine operations.

Environment & Reproduction

Typically follows sshd_config changes, key permission drift, or PAM policy updates.

# Capture baseline
sshd -T | sed -n 1,80p
ls -ld ~/.ssh ~/.ssh/authorized_keys
journalctl -u ssh -n 120 --no-pager

Root Cause Analysis

Authentication method or policy no longer aligns with allowed users, keys, or PAM controls.

Quick Triage

Use console access to validate config syntax and key file ownership immediately.

# Quick triage
sudo sshd -t
getent passwd 
namei -l /home//.ssh/authorized_keys

Step-by-Step Diagnosis

Inspect server logs for exact reject reason and map to auth directives.

# Detailed diagnosis
journalctl -u ssh --since -2h --no-pager | tail -n 200
sshd -T | grep -E permitrootlogin|passwordauthentication|pubkeyauthentication
Illustrative mockup for debian-9 β€” terminal_or_console
Diagnosis commands for post 161 β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Restore safe sshd policy, fix key permissions, and restart ssh service.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

# Primary fix
sudo chmod 700 /home//.ssh
sudo chmod 600 /home//.ssh/authorized_keys
sudo systemctl restart ssh
Illustrative mockup for debian-9 β€” log_or_dashboard
Fix validation evidence for post 161 β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Apply temporary rollback profile for immediate access recovery via console.

# Alternatives
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo editor /etc/ssh/sshd_config
sudo systemctl restart ssh

Verification & Acceptance Criteria

Approved users can authenticate with intended methods and unauthorized methods remain blocked.

# Verify
ssh -o PreferredAuthentications=publickey @ true
sshd -T | sed -n 1,80p

Rollback Plan

Revert sshd configuration if hardening adjustments break production access.

# Rollback
sudo test -f /etc/ssh/sshd_config.bak && sudo cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
sudo systemctl restart ssh

Prevention & Hardening

Stage and test ssh policy changes and keep out-of-band console access available.

# Hardening
sshd -t
sshd -T | grep -E allowusers|allowgroups|passwordauthentication

Includes Permission denied publickey and user not allowed by AllowUsers patterns.

Related tutorial: View the step-by-step tutorial for Debian 9.

View all Debian 9 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

OpenSSH server configuration and Debian secure remote access guidance.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.