SSH to ASA Server Fails with "Error: Certificate Invalid" in Server's SSHD Logs
Advanced Server Access
Overview

When attempting to SSH to a Linux server in the ASA project, the login may fail with the following error reported by the client:

test_user@P4XF7TX3PY ~ % sft ssh testserver01
error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

This is a fairly generic client-side error that can have several causes. When the cause is the one covered in this article, the server's own SSHD logs will show error messages like the following.

Mar 22 03:11:10 testserver02 sshd[22509]: error: key_cert_check_authority: invalid certificate
Mar 22 03:11:10 testserver02 sshd[22509]: error: Certificate invalid: expired
Mar 22 03:11:10 testserver02 sshd[22509]: Connection closed by 10.63.77.202 port 57689 [preauth]

OR

Mar 23 09:37:12 testserver01 sshd[1634]: error: Certificate invalid: not yet valid
Mar 23 09:37:12 testserver01 sshd[1634]: Connection closed by authenticating user test_user 10.63.77.201 port 50937 [preauth]

Applies To
  • Advanced Server Access (ASA)
  • Okta Privileged Access (OPA)
  • SSH
Cause

This error in the server's SSHD logs is usually a sign that the server's clock has drifted.

ASA dynamically issues short-lived SSH certificates for client authentication, each carrying a narrow validity window (a valid-after and a valid-before time). SSHD checks that window against the server's own clock. If that clock is incorrect, the server may see a freshly issued certificate as already expired ("Certificate invalid: expired") or as dated too far in the future ("Certificate invalid: not yet valid"), and SSHD therefore rejects the access attempt.
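To make the clock-skew mechanism concrete, here is an added example (not Okta's or ASA's code) that models SSHD's validity-window check against a server clock and scans sshd log lines for the two "Certificate invalid" reasons shown above. The certificate window and the log excerpt are constructed values, not taken from a real ASA certificate or server.

```python
"""Model sshd's certificate validity-window check and spot the errors in its log.

Added example, not Okta/ASA code. sshd compares an SSH certificate's
valid-after / valid-before window against the server's local clock; a
skewed clock produces "expired" or "not yet valid" for a good certificate.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed 10-minute validity window, in the form `ssh-keygen -L` prints
# as "Valid: from ... to ...". Not a real ASA certificate.
CERT_VALID_AFTER = datetime(2024, 3, 22, 3, 5, 0, tzinfo=timezone.utc)
CERT_VALID_BEFORE = datetime(2024, 3, 22, 3, 15, 0, tzinfo=timezone.utc)

# Matches the sshd error line from this article and captures its reason.
CERT_INVALID_RE = re.compile(r"sshd\[\d+\]: error: Certificate invalid: (?P<reason>.+)$")

def check_cert_window(server_now, valid_after, valid_before):
    """Return (verdict, correction): verdict uses sshd's wording, correction is
    the timedelta the server clock must move by to fall inside the window."""
    if server_now < valid_after:
        return "not yet valid", valid_after - server_now
    if server_now >= valid_before:
        return "expired", valid_before - server_now
    return "valid", timedelta(0)

def verdict_for_skew(skew_minutes):
    """Server clock = certificate valid-after + skew. Returns (verdict, seconds)."""
    now = CERT_VALID_AFTER + timedelta(minutes=skew_minutes)
    verdict, correction = check_cert_window(now, CERT_VALID_AFTER, CERT_VALID_BEFORE)
    return verdict, int(correction.total_seconds())

def scan_sshd_log(lines):
    """Return the reason of every 'Certificate invalid' error in sshd log lines."""
    return [m.group("reason") for line in lines if (m := CERT_INVALID_RE.search(line))]

# Constructed sshd log excerpt in the same shape as the article's examples.
SAMPLE_LOG = [
    "Mar 22 03:11:10 testserver02 sshd[22509]: error: key_cert_check_authority: invalid certificate",
    "Mar 22 03:11:10 testserver02 sshd[22509]: error: Certificate invalid: expired",
    "Mar 22 03:11:10 testserver02 sshd[22509]: Connection closed by 10.63.77.202 port 57689 [preauth]",
    "Mar 23 09:37:12 testserver01 sshd[1634]: error: Certificate invalid: not yet valid",
]

if __name__ == "__main__":
    print(verdict_for_skew(25))    # clock 25 min fast: ("expired", -900)
    print(verdict_for_skew(-60))   # clock 1 h slow: ("not yet valid", 3600)
    print(verdict_for_skew(5))     # clock correct: ("valid", 0)
    print(scan_sshd_log(SAMPLE_LOG))  # ["expired", "not yet valid"]
```

A skew of only a few minutes is enough to push the server outside a short-lived certificate's window, which is why fixing the clock (and keeping it synced with NTP) resolves both log variants.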

Solution
  1. Correct the time on the server. The exact steps vary between servers, so consult the server administrator.

  2. Once the time has been corrected and the issue is resolved, consider setting up NTP on the server so that its clock stays synchronized and the drift does not recur.
