SSH connection fails when GSSAPI authentication methods are attempted but credentials cannot be verified. This occurs when public key or GSSAPI-based authentication is misconfigured on either the client or server side.
This error indicates that the SSH server rejected the client's attempt to authenticate using any of the available methods: public key authentication, GSSAPI key exchange, or GSSAPI with mutual authentication (gssapi-with-mic). The error message lists the authentication methods the server supports, but the client either doesn't have the correct credentials or those credentials are not properly configured. This is a common issue in enterprise environments using Kerberos/GSSAPI for single sign-on, as well as in standard public key authentication setups. The error is not specific about which method failed—it just means all attempted methods were rejected.
Check that your private key exists and has correct permissions on the client machine:
ls -la ~/.ssh/id_rsa
ls -la ~/.ssh/id_rsa.pubIf the key doesn't exist, generate one:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""Then fix permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pubAdd your public key to the server's authorized_keys file. Use ssh-copy-id (easiest):
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote-hostOr manually:
cat ~/.ssh/id_rsa.pub | ssh user@remote-host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"Then verify the authorized_keys file has correct permissions (must be exactly 600):
ssh user@remote-host "chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh"Log in to the server (you may need to use password authentication temporarily) and check /etc/ssh/sshd_config:
sudo grep -E "^(PubkeyAuthentication|AuthorizedKeysFile|GSSAPIAuthentication)" /etc/ssh/sshd_configEnsure these settings are present and uncommented:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2If GSSAPI is not needed, you can disable it to simplify troubleshooting:
GSSAPIAuthentication noAfter making changes, restart SSH:
sudo systemctl restart sshd
# or on older systems:
sudo service ssh restartRun SSH with maximum verbosity to see exactly where authentication is failing:
ssh -vvv user@remote-hostThe output will show:
- Whether the client is sending the correct key
- Whether the server is receiving it
- Which authentication method is being attempted
- Specific error messages from GSSAPI or key exchange
Common debug indicators:
- "Offering public key" → client is offering the key
- "Server host key verification failed" → known_hosts issue
- "gssapi-with-mic: Unspecified GSS failure" → Kerberos/GSSAPI problem
On the server, ensure the user's home directory has correct permissions:
chmod 755 ~This allows the SSH daemon to access the home directory while preventing other users from reading its contents.
If you're on RHEL/CentOS with SELinux, also restore the context:
sudo restorecon -R -v ~/.sshIf you're still having issues and GSSAPI is involved, try disabling GSSAPI on the client to isolate the problem:
ssh -o GSSAPIAuthentication=no user@remote-hostIf this works, the issue is with your GSSAPI/Kerberos setup. If it still fails, the issue is with public key authentication.
To make this permanent in your SSH config:
# ~/.ssh/config
Host remote-host
User user
HostName remote-host
IdentityFile ~/.ssh/id_rsa
GSSAPIAuthentication noGSSAPI/Kerberos-Specific Issues:
If you're using GSSAPI (common in enterprise environments with Active Directory or Kerberos), the server needs:
1. A valid Kerberos host principal (check with klist -k on the server)
2. Correct /etc/krb5.conf configuration
3. Valid Kerberos tickets on the client (check with klist)
Common GSSAPI-specific errors:
- "Wrong principal in request" → Hostname mismatch between SSH config and Kerberos realm
- "Key table entry not found" → Missing or invalid /etc/krb5.keytab on server
- "Unspecified GSS failure" → Kerberos ticket expired or configuration mismatch
On RHEL 8 with SSSD + Active Directory, authselect may not include the necessary Kerberos configuration. Ensure /etc/krb5.conf has the correct include directive for SSSD.
OpenSSH Version Differences:
Very old OpenSSH versions may have different default authentication method orderings. If you're managing old servers, check ssh -V and consider upgrading if possible.
Windows to Linux SSH (PuTTY/WinSCP):
Windows SSH clients may not support GSSAPI or may have different key format requirements. Ensure private keys are in OpenSSH format, not PuTTY format. Use puttygen to convert if needed.
Load key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH