passwordless ssh not working
Solution 1
Just make sure that you have followed the following procedure:
On Machine A
open a terminal and enter the commands as follows:
root@aneesh-pc:~# id
Just to make sure that we are root.
If the above command output something like below we are root else switch to root using the su
command
uid=0(root) gid=0(root) groups=0(root)
1) Create the keys.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
49:7d:30:7d:67:db:58:51:42:75:78:9c:06:e1:0c:8d root@aneesh-pc
The key's randomart image is:
+--[ RSA 2048]----+
| ooo+==B|
| . E=.o+B|
| . . .+.*o|
| . . . ...|
| S |
| |
| |
| |
| |
+-----------------+
I haven't used any passphrase. If you need one you can use it.
2) Copy the public key in to machine B's .ssh/authorized_keys
file
root@aneesh-pc:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@mylap
root@mylap's password:
Now try logging into the machine, with ssh 'root@mylap'
, and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Replace mylap with the hostname or ip of the machine you want to login (i.e. machine B)
3) Login to B without password
root@aneesh-pc:~# ssh root@mylap
Warning: Permanently added 'mylap,192.168.1.200' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Wed Jul 27 15:23:58 2011 from streaming-desktop.local
aneesh@mylap:~$
On Machine B
4) Create the keys to login back to Machine A
root@mylap:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
35:9f:e7:81:ed:02:f9:fd:ad:ef:08:c6:4e:19:76:b1 root@streaming-desktop
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| o . |
| . + + o |
| S o * E |
| = O . |
| O + |
| + o o.|
| . o+=|
+-----------------+
5) Copy the public key in to machine A's .ssh/authorized_keys
file
root@mylap:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
root@aneesh-pc's password:
Now try logging into the machine, with ssh 'root@aneesh-pc'
, and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
6) Login to A without password
ssh root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Tue Jul 26 18:52:55 2011 from 192.168.1.116
If you are able to complete these steps You are done. Now you have two machines with ssh-key (public-key) enabled login.
Solution 2
After setting up password-less ssh, I was still asked for my user password. Looking at /var/log/auth.log
on the remote machine pointed out the issue:
sshd[4215]: Authentication refused: bad ownership or modes for directory /home/<user>
So, make sure to have it right:
chmod o-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
While forbidding other users to write over your .ssh
folder is obvious, having the same requirement for your home folder was trickier.
Also, check /etc/ssh/ssd_config
to ensure that RSAAuthentication
and PubkeyAuthentication
options aren't disabled. Default is yes
so that shouldn't be a problem.
Solution 3
Probably just a higher level permissions problem. You need to remove write permissions from group and other to your home directory and .ssh directory. To fix these permissions, run chmod 755 ~ ~/.ssh
or chmod go-w ~ ~/.ssh
.
If you're still having problems, issue the following grep on your log:
sudo egrep -i 'ssh.*LOCAL_USER_NAME' /var/log/secure
(replace LOCAL_USER_NAME
with your local user name...)
That should hopefully tell you more about your problem, assuming sshd authentication information is being logged to the secure log, which is should be by default. If you see errors that look like this:
DATE HOSTNAME sshd[1317]: Authentication refused: bad ownership or modes for directory /path/to/some/directory
It's the problem described above and you need to find the directory in question and remove the write permissions from group and other.
As for the reason that you would need to restrict write permissions to your home directory (even though permissions are already restricted on your .ssh and subsequent directories) it will allow other users to rename your .ssh directory and make a new one - although that would be unusable as is (due to wrong permissions) the fix for most users would probably be to change the permissions rather than check the content of the directory...
TLDNR: Allowing write access for group and/or other to your home directory will make ssh force password login.
Solution 4
are you using the root account on each machine? Usually on Ubuntu you would use a user account and give it sudo privileges as required.
If your using a non root user sudo chown $USER -R ~/.ssh
may fix your problem
Other things to check:
double check that B's id_rsa.pub
is in A's authorized_keys
.
check A's /etc/ssh/sshd_config
contains
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
Related videos on Youtube
Comments
-
Cuurious over 1 year
I've tried to setup a password-less ssh b/w
A
toB
andB
toA
as well. Generated the public and private key usingssh-keygen -trsa
on both the machines. Used thessh-copy-id
utility to copy the public-keys fromA
toB
as well asB
toA
.The passwordless ssh works from
A
toB
butnot
fromB
toA
. I've checked the permissions of the ~/ssh/ folder and seems to be normal.A's .ssh
folder permissions:-rw------- 1 root root 13530 2011-07-26 23:00 known_hosts -rw------- 1 root root 403 2011-07-27 00:35 id_rsa.pub -rw------- 1 root root 1675 2011-07-27 00:35 id_rsa -rw------- 1 root root 799 2011-07-27 00:37 authorized_keys drwxrwx--- 70 root root 4096 2011-07-27 00:37 .. drwx------ 2 root root 4096 2011-07-27 00:38 .
B's .ssh
folder permissions:-rw------- 1 root root 884 2011-07-07 13:15 known_hosts -rw-r--r-- 1 root root 396 2011-07-27 00:15 id_rsa.pub -rw------- 1 root root 1675 2011-07-27 00:15 id_rsa -rw------- 1 root root 2545 2011-07-27 00:36 authorized_keys drwxr-xr-x 8 root root 4096 2011-07-06 19:44 .. drwx------ 2 root root 4096 2011-07-27 00:15 .
A
is an ubuntu 10.04 (OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009)B
is a debian machine (OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007)From
A
:#ssh B
works fine.
From
B
:#ssh -vvv A ... ... debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/identity ((nil)) debug2: key: /root/.ssh/id_rsa (0x7f1581f23a50) debug2: key: /root/.ssh/id_dsa ((nil)) debug3: Wrote 64 bytes for a total of 1127 debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/identity debug3: no such identity: /root/.ssh/identity debug1: Offering public key: /root/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug3: Wrote 368 bytes for a total of 1495 debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password [email protected]'s password:
Which essentially means it's not authenticating using the file
/root/id_rsa
. I ran thessh-add
command in both the machines as well.The authentication part of
/etc/ssh/sshd_config
file is# Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files
I'm running out of ideas. Any help would be appreciated.
-
Cuurious almost 13 yearsYa, I've enabled the root account in the Ubuntu machine, hence running as a root user in both the system
-
Smithamax almost 13 yearsYeah I figured, added a few other suggestions you may have overlooked. That output is really useless though isn't it, nothing about why rsa wasn't accepted.
-
Cuurious almost 13 yearsyou are true the reason why the rsa key wasn't accepted is the essential element here I guess :). the sshd_config contains the above said elements, I've edited the question to incorporate the contents of the
/etc/ssh/sshd_config
file contents -
Cuurious almost 13 yearsdid all the 6 steps as specified, verified all the things related till step 5, but somehow step 6 is not working
-
aneeshep almost 13 yearsCan you provide the output of this command : 'ssh -v root@aneesh-pc'. replace the username and hostname with yours.
-
Cuurious almost 13 yearsfound out the culprit the permissions of the
/root
(770)drwxrwx--- 70 root root 4096 2011-07-27 00:37 ..
was too open. Changed the permissions todrwxr-xr-x
and now it's working. Couldn't imagine the fact that parent directory's permission affect thessh
. -
Eliah Kagan almost 12 yearsThis won't help. The problem is that passwordless SSH login (authenticating with an RSA key pair) is not working. The instructions you've provided are for making
root
SSH login work. That's completely unrelated to what this question is about. Furthermore, if theroot
account is enabled (it isn't by default in Ubuntu), enablingroot
SSH logins can be quite dangerous. -
Paul McMillan over 10 yearsI got into this situation by untarring a badly created realtek driver archive. It changed the owner on the directory I was untarring it into.
-
Kevin Panko over 10 yearsYour home folder cannot be writable because if it was, then I could just rename your
~/.ssh
to something else, and then create a new one with my own key in there. -
user3099609 over 9 yearsawesome! hadn't thought about looking in the logs on the host machine. Thanks!
-
complistic almost 9 years@Cuurious Good catch, my home directory had
770
set also, changed to a750
and all is right with the world :) I always seem to forget that linux prems can work in reverse like that. -
Matt Clark almost 9 yearsFailure at step 3. ssh-copy-id runs after i enter a password, however I am still unable to login without being prompted for a password, my authorized_keys file contains the text of my .pub, and I am offering the key on login. No avail. Permission on all directories are correct.
-
user391339 about 8 yearsIf machine B is a Mac then this doesn't seem to work by default (ssh-copy-id command not found). Unfortunately I don't have admin privileges (access to the Cellar) on machine B so I can't brew install ssh-copy-id. I was able to create an authorized_keys file on machine A with the copy/pasted data from id_rsa.pub file from machine B and .. it worked.
-
felwithe about 6 yearsThis guide immediately lost me when it required you to be root. Being root can't possibly be a requirement for using ssh keys, can it?