# SSH Termius Mobile Troubleshooting

## Common Failure Pattern: "Not using one of the authentication methods offered by the server"

**Symptoms:**
- Connection establishes, TLS handshake completes
- Auth fails with "Not using one of the authentication methods offered by the server" (or client disconnects pre-auth)
- Server logs show "Normal Shutdown [preauth]" / "Disconnected from authenticating user"

**Root Cause:** Termius is not sending the SSH private key to the server.

**Server-side verification (run on target):**
```bash
# Confirm sshd config
grep -E '^(PasswordAuthentication|PubkeyAuthentication|AuthorizedKeysFile)' /etc/ssh/sshd_config
# Expected: PasswordAuthentication no, PubkeyAuthentication yes (default)

# Confirm user's public key exists
cat ~/.ssh/authorized_keys

# Confirm permissions (CRITICAL — wrong perms = silent auth fail)
stat -c '%a %n' ~/.ssh ~/.ssh/authorized_keys
# Must be: 700 ~/.ssh, 600 ~/.ssh/authorized_keys

# Check recent auth failures
sudo journalctl -u ssh -n 20 --no-pager | grep -i -e failed -e refused -e auth
# Preauth disconnects = client not sending key
```

**Termius Fix — Key Import & Selection:**

1. **Termius → Keys → + → Import**  
   Select the **private key file** (`id_ed25519`, `id_rsa`, etc.)  
   ⚠️ Must be PEM/OpenSSH format — *not* PuTTY PPK

2. **Termius → Hosts → [your host] → Edit → Identity**  
   Select the imported key (not "Password")  
   Save → reconnect

**If key was generated on server (not local machine):**
- Private key never left server → can't import into Termius
- Tooling blocks private key output for security
- **Workaround:** Generate new key pair locally → add public key to server:
  ```bash
  # On local machine / phone
  ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_termius
  
  # From a working SSH connection, or via server console:
  ssh-copy-id -i ~/.ssh/id_ed25519_termius.pub user@server
  
  # Then import the NEW private key into Termius
  ```

**Quick test from server (proves key works):**
```bash
ssh -i ~/.ssh/id_ed25519 user@192.168.1.50
```
If this works → purely a Termius config issue.

---

## Termius-Specific Gotchas

| Issue | Fix |
|-------|-----|
| Key format | Termius accepts OpenSSH/PEM only. Convert PPK: `puttygen key.ppk -O private-openssh -o key` |
| Multiple keys | Termius tries keys in order. Put the correct one first or specify in host Identity |
| Known hosts mismatch | Server rebuilt → delete host in Termius → reconnect (accept new fingerprint) |
| Non-standard port | Host config → Port field (default 22) |
| IPv6 vs IPv4 | Use explicit IPv4 `192.168.1.50` not hostname if IPv6 fails |

---

## Server-Side SSH Hardening Checklist (from system-administration)

```bash
# Password auth disabled
PasswordAuthentication no
# Key auth enabled (default, but verify)
PubkeyAuthentication yes
# Root login disabled
PermitRootLogin no
# Limit auth attempts
MaxAuthTries 3
# Use ed25519 host keys (modern)
HostKey /etc/ssh/ssh_host_ed25519_key
```

Apply: `sudo systemctl reload sshd`

---

## Quick Debugging Commands

```bash
# Server: test key locally
ssh -i ~/.ssh/id_ed25519 -v user@localhost 2>&1 | grep -E "Offering|Server accepts|Authentication succeeded"

# Client (Termius): enable debug in Settings → Advanced → Debug logging
# Then check Termius log for "Offering public key" line
```