passwordless ssh not working

ssh openssh ssh-agent

188,129

Solution 1

Just make sure that you have followed the following procedure:

On Machine A

open a terminal and enter the commands as follows:

root@aneesh-pc:~# id

Just to make sure that we are root.

If the above command output something like below we are root else switch to root using the su command

uid=0(root) gid=0(root) groups=0(root)

1) Create the keys.

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
49:7d:30:7d:67:db:58:51:42:75:78:9c:06:e1:0c:8d root@aneesh-pc
The key's randomart image is:
+--[ RSA 2048]----+
|          ooo+==B|
|         . E=.o+B|
|        . . .+.*o|
|       . . .  ...|
|        S        |
|                 |
|                 |
|                 |
|                 |
+-----------------+

I haven't used any passphrase. If you need one you can use it.

2) Copy the public key in to machine B's .ssh/authorized_keys file

root@aneesh-pc:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@mylap
root@mylap's password:

Now try logging into the machine, with ssh 'root@mylap', and check in:

~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Replace mylap with the hostname or ip of the machine you want to login (i.e. machine B)

3) Login to B without password

root@aneesh-pc:~# ssh root@mylap
Warning: Permanently added 'mylap,192.168.1.200' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Wed Jul 27 15:23:58 2011 from streaming-desktop.local
aneesh@mylap:~$

On Machine B

4) Create the keys to login back to Machine A

root@mylap:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
35:9f:e7:81:ed:02:f9:fd:ad:ef:08:c6:4e:19:76:b1 root@streaming-desktop
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|          o   .  |
|         . + + o |
|        S o * E  |
|           = O . |
|            O +  |
|           + o o.|
|            . o+=|
+-----------------+

5) Copy the public key in to machine A's .ssh/authorized_keys file

root@mylap:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
root@aneesh-pc's password:

Now try logging into the machine, with ssh 'root@aneesh-pc', and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

6) Login to A without password

ssh root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)

 * Documentation:  https://help.ubuntu.com/


Last login: Tue Jul 26 18:52:55 2011 from 192.168.1.116

If you are able to complete these steps You are done. Now you have two machines with ssh-key (public-key) enabled login.

Solution 2

After setting up password-less ssh, I was still asked for my user password. Looking at /var/log/auth.log on the remote machine pointed out the issue:

sshd[4215]: Authentication refused: bad ownership or modes for directory /home/<user>

So, make sure to have it right:

chmod o-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

While forbidding other users to write over your .ssh folder is obvious, having the same requirement for your home folder was trickier.

Also, check /etc/ssh/ssd_config to ensure that RSAAuthentication and PubkeyAuthentication options aren't disabled. Default is yes so that shouldn't be a problem.

Solution 3

Probably just a higher level permissions problem. You need to remove write permissions from group and other to your home directory and .ssh directory. To fix these permissions, run chmod 755 ~ ~/.ssh or chmod go-w ~ ~/.ssh.

If you're still having problems, issue the following grep on your log:

sudo egrep -i 'ssh.*LOCAL_USER_NAME' /var/log/secure

(replace LOCAL_USER_NAME with your local user name...)

That should hopefully tell you more about your problem, assuming sshd authentication information is being logged to the secure log, which is should be by default. If you see errors that look like this:

DATE HOSTNAME sshd[1317]: Authentication refused: bad ownership or modes for directory /path/to/some/directory

It's the problem described above and you need to find the directory in question and remove the write permissions from group and other.

As for the reason that you would need to restrict write permissions to your home directory (even though permissions are already restricted on your .ssh and subsequent directories) it will allow other users to rename your .ssh directory and make a new one - although that would be unusable as is (due to wrong permissions) the fix for most users would probably be to change the permissions rather than check the content of the directory...

TLDNR: Allowing write access for group and/or other to your home directory will make ssh force password login.

Solution 4

are you using the root account on each machine? Usually on Ubuntu you would use a user account and give it sudo privileges as required.

If your using a non root user sudo chown $USER -R ~/.ssh may fix your problem

Other things to check:

double check that B's id_rsa.pub is in A's authorized_keys.

check A's /etc/ssh/sshd_config contains

PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes

View more solutions

188,129

Cuurious

will do it later......

Updated on September 18, 2022

Comments

Cuurious over 1 year

I've tried to setup a password-less ssh b/w A to B and B to A as well. Generated the public and private key using ssh-keygen -trsa on both the machines. Used the ssh-copy-id utility to copy the public-keys from A to B as well as B to A.

The passwordless ssh works from A to B but not from B to A. I've checked the permissions of the ~/ssh/ folder and seems to be normal.

A's .ssh folder permissions:

-rw-------  1 root root 13530 2011-07-26 23:00 known_hosts
-rw-------  1 root root   403 2011-07-27 00:35 id_rsa.pub
-rw-------  1 root root  1675 2011-07-27 00:35 id_rsa
-rw-------  1 root root   799 2011-07-27 00:37 authorized_keys
drwxrwx--- 70 root root  4096 2011-07-27 00:37 ..
drwx------  2 root root  4096 2011-07-27 00:38 .

B's .ssh folder permissions:

-rw------- 1 root root  884 2011-07-07 13:15 known_hosts
-rw-r--r-- 1 root root  396 2011-07-27 00:15 id_rsa.pub
-rw------- 1 root root 1675 2011-07-27 00:15 id_rsa
-rw------- 1 root root 2545 2011-07-27 00:36 authorized_keys
drwxr-xr-x 8 root root 4096 2011-07-06 19:44 ..
drwx------ 2 root root 4096 2011-07-27 00:15 .

A is an ubuntu 10.04 (OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009) B is a debian machine (OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007)

From A:

#ssh B

works fine.

From B:

#ssh -vvv A 
...
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x7f1581f23a50)
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1495
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:

Which essentially means it's not authenticating using the file /root/id_rsa. I ran the ssh-add command in both the machines as well.

The authentication part of /etc/ssh/sshd_config file is

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files

I'm running out of ideas. Any help would be appreciated.

Cuurious almost 13 years

Ya, I've enabled the root account in the Ubuntu machine, hence running as a root user in both the system
Smithamax almost 13 years

Yeah I figured, added a few other suggestions you may have overlooked. That output is really useless though isn't it, nothing about why rsa wasn't accepted.
Cuurious almost 13 years

you are true the reason why the rsa key wasn't accepted is the essential element here I guess :). the sshd_config contains the above said elements, I've edited the question to incorporate the contents of the /etc/ssh/sshd_config file contents
Cuurious almost 13 years

did all the 6 steps as specified, verified all the things related till step 5, but somehow step 6 is not working
aneeshep almost 13 years

Can you provide the output of this command : 'ssh -v root@aneesh-pc'. replace the username and hostname with yours.
Cuurious almost 13 years

found out the culprit the permissions of the /root (770) drwxrwx--- 70 root root 4096 2011-07-27 00:37 .. was too open. Changed the permissions to drwxr-xr-x and now it's working. Couldn't imagine the fact that parent directory's permission affect the ssh.
Eliah Kagan almost 12 years

This won't help. The problem is that passwordless SSH login (authenticating with an RSA key pair) is not working. The instructions you've provided are for making root SSH login work. That's completely unrelated to what this question is about. Furthermore, if the root account is enabled (it isn't by default in Ubuntu), enabling root SSH logins can be quite dangerous.
Paul McMillan over 10 years

I got into this situation by untarring a badly created realtek driver archive. It changed the owner on the directory I was untarring it into.
Kevin Panko over 10 years

Your home folder cannot be writable because if it was, then I could just rename your ~/.ssh to something else, and then create a new one with my own key in there.
user3099609 over 9 years

awesome! hadn't thought about looking in the logs on the host machine. Thanks!
complistic almost 9 years

@Cuurious Good catch, my home directory had 770 set also, changed to a 750 and all is right with the world :) I always seem to forget that linux prems can work in reverse like that.
Matt Clark almost 9 years

Failure at step 3. ssh-copy-id runs after i enter a password, however I am still unable to login without being prompted for a password, my authorized_keys file contains the text of my .pub, and I am offering the key on login. No avail. Permission on all directories are correct.
user391339 about 8 years

If machine B is a Mac then this doesn't seem to work by default (ssh-copy-id command not found). Unfortunately I don't have admin privileges (access to the Cellar) on machine B so I can't brew install ssh-copy-id. I was able to create an authorized_keys file on machine A with the copy/pasted data from id_rsa.pub file from machine B and .. it worked.
felwithe about 6 years

This guide immediately lost me when it required you to be root. Being root can't possibly be a requirement for using ssh keys, can it?