Users are unable to connect via SSH to target server(s) when using passphrase-protected key-based authentication.
The following error appears when using PuTTY as a client:
"Server refused to start a shell/command"
In this scenario:
RESOLUTION:
To use encrypted key-based authentication for SSH via SPS to the target server, here are a few options:
1. Using an SSH Agent to hold the private keys for user authentications on the initiating machine:
- Enable agent forwarding in SPS from the Authentication Policy: Expand SSH Control -> Authentication policies -> [policy name] -> Relayed authentication methods -> Public key -> Agent.
- Enable SSH agent forwarding for inbound connections (AllowAgentForwarding option in sshd_config) on the destination server side and other target servers.
- Verify that SSH agent forwarding is not blocked for the client (ForwardAgent option in ~/.ssh/config or /etc/ssh/ssh_config).
- Run an SSH agent on the client side and add the private keys to it:
For Windows using PuTTY as a client: Download Pageant.exe, which can be used as the SSH agent to hold the private keys, see this link for an example.
For *nix machines: You can run the commands ssh-agent and ssh-add, see this link for an example.
- This allows the user to log in with their own private key via SPS, using agent forwarding, to target machines that have the public key added to the ~/.ssh/authorized_keys file.
Note: you would need to use the -A switch when connecting from a *nix machine using command line, for example: ssh -A user@ip.address -p
2. Use a fixed static private key for the server side authentication:
- Store a single private key in SPS under the following:
- Expand SSH Control -> Authentication policies -> [policy name] -> Relayed authentication methods -> Public key -> Fix
3. You may use a Credential Store: Local credential stores can be created at Policies -> Credential stores
- This requires gateway authentication to SPS first; login to the target is then automatic using the credential store.
- The Connection Policy will ignore the settings for server-side authentication (set under Relayed authentication methods) if a Credential Store is used in the Connection Policy.
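For option 1, the server-side and client-side settings listed above can be checked before testing a connection through SPS. The script below is an added example, not One Identity or OpenSSH code; the function names are assumptions, and it reads only the global section of each config file (anything inside a Host or Match block is not evaluated).

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight checks for SSH agent forwarding.

# Print the global value of an OpenSSH config keyword. OpenSSH keeps the
# first value it obtains, keywords are case-insensitive, and "Key=value"
# is accepted. Parsing stops at the first Host/Match block, so per-host
# overrides are not evaluated; use `sshd -T` or `ssh -G host` for those.
first_global_value() {  # $1 = file, $2 = keyword, $3 = built-in default
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, ""); gsub(/=/, " ") }
        NF == 0 { next }
        tolower($1) == "host" || tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd default: AllowAgentForwarding yes
sshd_allows_agent_forwarding() {
    [ "$(first_global_value "$1" AllowAgentForwarding yes)" = "yes" ]
}

# ssh client default: ForwardAgent no (ssh -A overrides it per connection)
client_forwards_agent() {
    [ "$(first_global_value "$1" ForwardAgent no)" = "yes" ]
}

# ssh-add -l exits 0 only when an agent is reachable and holds a key
agent_has_keys() {
    ssh-add -l >/dev/null 2>&1
}

# Usage: sh check.sh /etc/ssh/sshd_config ~/.ssh/config
if [ "$#" -eq 2 ]; then
    sshd_allows_agent_forwarding "$1" || echo "server: AllowAgentForwarding is off in $1"
    client_forwards_agent "$2" || echo "client: ForwardAgent not set globally in $2; connect with ssh -A"
    agent_has_keys || echo "agent: not reachable or empty; run ssh-agent and ssh-add"
else
    # Constructed sample: forwarding disabled on the server side
    tmp=$(mktemp); printf 'Port 22\nAllowAgentForwarding no\n' > "$tmp"
    sshd_allows_agent_forwarding "$tmp" || echo "sample sshd_config: forwarding disabled"
    rm -f "$tmp"
fi
```

Run the server check against the sshd_config of every destination and target server, since forwarding has to be allowed on each of them.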