🟠 High   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: Debian 9

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Users with valid keys or passwords cannot authenticate over SSH.

Environment & Reproduction

Common after tightening sshd_config or permissions.

ssh -vv user@host
sudo systemctl status ssh
sudo sshd -T | head -n 40

Root Cause Analysis

Authentication methods disabled, wrong ownership on key paths, or Match blocks misapplied.

Quick Triage

Collect auth logs and verify sshd syntax.

sudo sshd -t
sudo journalctl -u ssh -n 120 --no-pager
getent passwd user

Step-by-Step Diagnosis

Inspect effective auth options and file permissions.

sudo sshd -T | grep -E 'passwordauthentication|pubkeyauthentication|authorizedkeysfile'
namei -l /home/user/.ssh/authorized_keys
stat -c '%a %U:%G %n' /home/user /home/user/.ssh /home/user/.ssh/authorized_keys
Illustrative mockup for debian-9 β€” terminal_or_shell
Reviewing sshd effective configuration β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Correct auth settings and secure key-file permissions.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

sudoedit /etc/ssh/sshd_config
sudo chown -R user:user /home/user/.ssh
sudo chmod 700 /home/user/.ssh
sudo chmod 600 /home/user/.ssh/authorized_keys
sudo systemctl restart ssh
Illustrative mockup for debian-9 β€” log_or_config
Restoring secure and functional SSH auth settings β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Allow emergency break-glass account from trusted network only.

sudo adduser breakglass
sudo usermod -aG sudo breakglass
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp 2>/dev/null || true

Verification & Acceptance Criteria

Key-based login succeeds and sshd reports clean configuration.

sudo sshd -t
ssh -o PreferredAuthentications=publickey user@localhost true
systemctl is-active ssh

Rollback Plan

Restore prior sshd_config if new rules block legitimate access.

sudo cp -a /etc/ssh/sshd_config /var/tmp/sshd_config.bak.$(date +%s)
sudo systemctl restart ssh

Prevention & Hardening

Test changes with secondary session before applying broadly.

sudo sshd -t
sshd -T | grep -E 'permitrootlogin|passwordauthentication|pubkeyauthentication'

Can overlap with firewall lockouts and DNS reverse-lookup delays.

Related tutorial: View the step-by-step tutorial for Debian 9.

View all Debian 9 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Debian OpenSSH server configuration and hardening docs.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.