This error occurs when SSH authentication succeeds but the session is immediately terminated by the server after the user authenticates. It typically indicates file permission issues, configuration problems, or incompatible authentication settings between client and server.
The "Connection closed by authenticating user" error appears after successful authentication (your credentials were accepted) but before a shell session is established. This happens when the SSH server receives valid credentials, verifies them successfully, but then abruptly closes the connection. This is different from authentication failures—the server verified you are who you claim to be, but something prevents the session from continuing. Common causes include incorrect file permissions on .ssh directories, PAM configuration issues, shell configuration problems, or incompatible cipher/MAC algorithms.
Connect to the server and verify your .ssh directory and authorized_keys file have correct permissions:
# Check directory permissions (should be 700)
ls -ld ~/.ssh
# Should show: drwx------
# Check authorized_keys file permissions (should be 600)
ls -l ~/.ssh/authorized_keys
# Should show: -rw-------Fix if needed:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keysEven if permissions appear correct visually, verify there are no unusual flags:
stat ~/.ssh
stat ~/.ssh/authorized_keysThe owner must be the user themselves, not root or another user.
The home directory itself must not have group or world write permissions. SSH strictly enforces this:
# Check home directory
ls -ld ~
# Should show: drwxr-xr-x (755) or drwx------ (700)
# NOT drwxrwxr-x or drwxr-xrwxIf group or world write bit is set, fix it:
chmod go-w ~
# This removes write permissions for group and othersVerify:
ls -ld ~
# Now should show drwxr-xr-x (755) or more restrictiveCheck that your login shell exists and is executable:
# Show your shell
echo $SHELL
# Or check /etc/passwd directly
grep "^$(whoami):" /etc/passwd | cut -d: -f7The shell path must exist and be executable. Common valid shells:
- /bin/bash
- /bin/sh
- /bin/zsh
- /bin/ksh
If it points to /bin/false, /usr/sbin/nologin, or a non-existent path, update it:
# As root or with sudo:
usermod -s /bin/bash usernameVerify the shell exists:
ls -l /bin/bash # Should exist and be executableStop the SSH service and run sshd in verbose debug mode to see exactly why the connection closes:
# As root, stop the running sshd
sudo systemctl stop ssh
# or: sudo systemctl stop sshd
# Run sshd in debug mode (shows output, doesn't daemonize)
sudo /usr/sbin/sshd -dddIn another terminal, try to connect:
ssh -v username@localhostThe debug output from sshd will show the exact point where authentication closes. Look for messages like:
- "Authentication refused: bad ownership or modes for directory"
- "Authentication refused: bad ownership or modes for .ssh directory"
- "error: PAM: Authentication failure"
- "Connection closed by authenticating user"
Common patterns in debug output reveal the root cause. After debugging, restart SSH:
sudo systemctl start ssh
# or: sudo systemctl start sshdIf debug output shows PAM-related errors, check sshd's PAM configuration:
# View sshd PAM setup (typically /etc/pam.d/sshd)
cat /etc/pam.d/sshdAfter system updates (especially major version upgrades), PAM files can become inconsistent. One quick fix is to restore default PAM configuration for SSH:
On Debian/Ubuntu:
# Reinstall openssh-server to reset PAM config
sudo apt-get install --reinstall openssh-serverOn RHEL/CentOS/Fedora:
sudo yum reinstall openssh-server
# or with newer systems:
sudo dnf reinstall openssh-serverThis resets /etc/pam.d/sshd to defaults without overwriting your sshd_config settings.
Newer SSH servers (OpenSSH 8.2+) deprecated SHA1-based algorithms. If you're using older keys, they may fail:
# On the server, check which key types are accepted
sudo sshd -T | grep -i pubkey
# Look for: PubkeyAcceptedKeyTypes
# Output shows which key algorithms are allowedIf ssh-rsa is not listed and you're using RSA keys, you have two options:
Option 1: Re-enable ssh-rsa on the server (less secure but more compatible)
Edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_configAdd or uncomment:
PubkeyAcceptedKeyTypes=ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519Then restart sshd:
sudo systemctl restart sshOption 2: Generate a modern ED25519 key on the client (recommended)
# On your client machine:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519Then add the new public key to the server's authorized_keys.
Check if your public key is actually in authorized_keys and that there are no corrupted entries:
# View your authorized_keys
cat ~/.ssh/authorized_keysEach line should be a single long string starting with 'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256', etc.
Look for:
- Incomplete or truncated keys (lines that don't start with a valid key type)
- Extra whitespace or line breaks within a key
- Comments that accidentally got included in the key data
If you find corrupted lines, remove them:
# Backup first
cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.backup
# Edit with nano or vi
nano ~/.ssh/authorized_keys
# Remove any corrupted or incomplete lines
# Verify permissions after editing
chmod 600 ~/.ssh/authorized_keysIf you're unsure of your public key content, regenerate it from your private key:
# On your client machine
ssh-keygen -y -f ~/.ssh/id_rsa # or id_ed25519, id_ecdsa
# This prints the public key without changing anythingThen carefully add it to server's authorized_keys.
If .bashrc or similar startup scripts have issues, they can cause SSH to disconnect:
# Test if bashrc has syntax errors
bash -n ~/.bashrc # -n checks syntax without executingIf errors are reported, fix them. Common issues:
- Unclosed quotes or braces
- Commands that require a terminal (like clear, tput) in non-interactive sections
- Code that calls exit unconditionally
You can also test a minimal shell:
# Start a shell without reading any rc files
bash --noprofile --norc
# Or set empty rc
bash --rc /dev/nullIf this works, your shell startup files are the issue. Temporarily rename them to test:
# Backup and disable
mv ~/.bashrc ~/.bashrc.bak
mv ~/.bash_profile ~/.bash_profile.bak
# Try SSH again - if it works, re-enable files and debug themAdvanced debugging and edge cases:
Using SSH Verbose Output: On your client machine, connect with verbose flags to see the negotiation process:
ssh -vvv username@host
# -v: verbose
# -vv: very verbose
# -vvv: maximum verbosityLook for where the output stops—this indicates where the disconnect happens.
Encrypted Filesystems: If your home directory or ~/.ssh is on an encrypted filesystem (encfs, eCryptfs), the SSH server may not be able to access the keys even if permissions look correct. Consider moving .ssh to an unencrypted partition or disabling filesystem-level encryption for that directory.
Firewall/iptables Rules: Some systems have iptables rules that reset SSH connections after authentication. Check for stateful firewall rules that might be interfering:
sudo iptables -L -n | grep ssh
# Or with nftables:
sudo nft list rulesetSELinux Policies: On RHEL/CentOS systems with SELinux enabled, SSH connection issues can be caused by restrictive SELinux policies. Check if SSH is generating policy violations:
sudo grep sshd /var/log/audit/audit.log | grep deniedIf you see denials, you may need to adjust SELinux policies or use restorecon to reset file contexts.
Duo Security and MFA: If Duo Security or other MFA systems are configured, they can cause unexpected disconnections. Check /etc/pam.d/sshd for MFA configuration and temporarily disable it to test if that's the cause.
Connection Limits: Some SSH configurations have per-user connection limits. If you've exceeded the limit, connections are closed after authentication:
# In /etc/ssh/sshd_config, look for:
MaxAuthTries
MaxSessionsLoad key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH