SSH Login partial 2x weight measured

SSH partial. scoring-engine users' public keys missing or wrong permissions

The following users failed to authenticate with their public key: vetomo, todd_k

Events

13

Pts per check

2.8

Pts missed

36.1

Teams hit

1/13

Authority mappings

Which work roles, knowledge units, and EWU courses this error pattern touches. Hover for context, click to drill in.

DCWF roles: CE-463 Host Analyst CS-462 Control Systems Security Specialist CS-521 Cyber Defense Infrastructure Support Specialist CS-531 Cyber Defense Incident Responder EN-211 Forensics Analyst IT-411 Technical Support Specialist IT-451 System Administrator

Knowledge Units: CD-BCY Basic Cryptography CD-NDF Network Defense CD-OSA Operating Systems Administration CD-OSC Operating Systems Concepts CD-OSH Operating Systems Hardening

EWU courses: CSCD240-S26 CSCD212 CSCD240 CSCD379 CSCD380 CSCD381 CSCD434 CSCD470 MATH380

What the message means

The scoring engine connected to sshd but could not authenticate some of its seeded users (e.g. `simone_weil`, `nills`, `todd_k`). Either their public keys are missing from `~/.ssh/authorized_keys`, or the key/perms got altered during hardening. This is a 'partial' status. some users still work, so the service isn't fully down.

Why the service is down

Someone wiped `authorized_keys` during SSH hardening (classic mistake).
The user's home or `.ssh` dir has wrong ownership/permissions and sshd refuses to trust it.
The key file itself has wrong permissions (must be 600).
`AllowUsers` / `AllowGroups` in sshd_config excludes these users.
PubkeyAuthentication is disabled.

Commands in order

1. 1. Does sshd allow pubkey auth?

grep -E 'PubkeyAuthentication|PasswordAuthentication' /etc/ssh/sshd_config

Expect

PubkeyAuthentication yes

Interpret and next

If no/missing: set `PubkeyAuthentication yes`, restart sshd.
2. 2. Does the user exist?

id simone_weil

Expect

uid=NNNN(simone_weil) gid=.

Interpret and next

`id: no such user` = user was deleted. Recreate from packet info.
3. 3. Do they have an authorized_keys file?

ls -la /home/simone_weil/.ssh/authorized_keys

Expect

-rw------- 1 simone_weil simone_weil . authorized_keys

Interpret and next

Missing = key was wiped; restore from `/root/ssh-keys-backup/`. Wrong perms = see step 4.
4. 4. Fix the permission triad (common silent failure)

chown -R simone_weil:simone_weil /home/simone_weil/.ssh chmod 700 /home/simone_weil/.ssh chmod 600 /home/simone_weil/.ssh/authorized_keys

Expect

No errors

Interpret and next

sshd refuses to use pubkey if these are loose. This is often the actual bug.
5. 5. Confirm from sshd's perspective

sshd -T | grep -iE 'pubkeyauthentication|authorizedkeys'

Expect

pubkeyauthentication yes; authorizedkeysfile .ssh/authorized_keys

Interpret and next

If authorizedkeysfile is non-default, check that path.
6. 6. Try a manual SSH attempt and read the auth log

tail -20 /var/log/auth.log

Expect

Line naming the accepted publickey for simone_weil

Interpret and next

`Authentication refused: bad ownership or modes` = redo step 4 for that user.

Decision tree

Answer each question to route to the right fix.

Q: Does the user exist in /etc/passwd?

Yes:

Q: Does authorized_keys exist with perms 600?

Yes:

Q: Is ~/.ssh 700 and owned by the user?

Yes: Check sshd_config for PubkeyAuthentication + AllowUsers.

No: Fix ownership and mode.

No: Restore from backup; chmod 600; chown user:user.

No: Recreate the user from packet info.

External references

NCAE Cyber Games. official rules and scoring
OpenBSD sshd_config(5) man page
OpenSSH authorized_keys(5)
NCAE video 19. Persistence: SSH Public Key
Red-team's view of the same mechanism. useful context for blue team.