Skip to Content

Error: User modify failed. Cannot modify user on other node: Authentication by SSH key failed!

Error: User modify failed. Cannot modify user on other node: Authentication by SSH key failed!

Check the following on the slave/secondary node

1. The error ’User modify failed Cannot modify user on other node: Authentication by ssh key failed’ would occur when the Ezeelogin installed node has its public key missing in /root/.ssh/authorized_keys. To add the key, execute the following command 

[email protected] ~]# cat /usr/local/etc/ezlogin/ >> /root/.ssh/authorized_keys

      Check if the key is back in the file.

[email protected] ~]# cat /root/.ssh/authorized_keys

Run the following command to check if you have enabled the recommended sshd settings in /etc/ssh/sshd_config

[email protected]:/home# sshd -T | grep -i 'AllowTcpForwarding\|PermitRootLogin\|PubkeyAuthentication\|PasswordAuthentication\|pubkeyacceptedalgorithms\|Port'

port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
gatewayports no
allowtcpforwarding yes
pubkeyacceptedalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sh


2. Also, make sure that the port sshd is listening on the servers is given as the gateway port in Settings->General->Miscellaneous->Gateway SSH port

3. Also, make sure PubkeyAuthentication is set to ’YES’ in your sshd_config (sshd configuration) file. In Centos/RHEL/Fedora it would be

[email protected] ~]# vi /etc/ssh/sshd_config

#set PubkeyAuthentication to yes

PubkeyAuthentication yes

[email protected] ~]# service sshd restart

4. Also, make sure root login is permitted on the gateway server.

     You can check this by doing

and it should log you in else edit /etc/ssh/sshd_config and set  PermitRootLogin yes 

[email protected] ~]# vi /etc/ssh/sshd_config

#Add the following lines to the end of  /etc/ssh/sshd_config to allow root login from localhost only

Match Address

PermitRootLogin yes

[email protected] ~]# service sshd restart

     and make sure you are able to authenticate with the command 

     Make sure you are able to login after entering the password.

If you have enabled Allow Or Deny SSH Access To A Particular User Or Group in sshd.conf, make sure that the user root is allowed

4. Also, make sure that the web user(apache, nobody, etc) that the webserver(apache/nginx) runs as is able to read the keys in the dir /usr/local/etc/ezlogin.

  Make sure to grant the read privileges to

chmod o r /usr/local/etc/ezlogin/id_clkey
chmod o r /usr/local/etc/ezlogin/
usermod -G <current_groupname_of_id_clkey_files> <webserver_user>

5. Find out which key type is used by the server by running the below command.

[email protected] ~]# ssh-keygen -l -f /usr/local/etc/ezlogin/

4096 SHA256:n4lmX53/gwkKB4+nSQ30hZXxXK+DRG1LPc7N1KN/1Ag ezlogin (RSA)

     Open /etc/ssh/sshd_config file and append below line to enable RSA key type.

[email protected] ~]# vim /etc/ssh/sshd_config

PubkeyAcceptedKeyTypes +ssh-rsa

[email protected] ~]# systemctl restart sshd

6. Check the log file /var/log/secure

[email protected] ~]# tail -f /var/log/secure

Refer below article if you get "userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms"

6. Reset Ezeelogin cluster keys


Related Articles