SSH Keys Authentication keeps asking for password
Solution 1
I don't think your keys have been properly copied, if you have ssh-copy-id
available I would recommend you use that.
$ ssh-copy-id user@remote_server
Password:
Once you have entered the password, your SSH key will be copied over and you should be able to just ssh without providing the password again.
Also check your SSH configuration on ServerB and check a couple of things.
$ vi /etc/ssh/sshd_config
Another thing is to check these settings:
RSAAuthentication yes
PubKeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
The value of AuthorizedKeysFile is where you need to paste your public ssh key.
You can collect your SSH-Key information by using: ssh-add -L
Updated
When ssh-copy-id
doesn't exist you can do the old way:
$ cat ~/.ssh/id_rsa.pub | ssh user@remote_host 'cat >> /home/user/.ssh/authorized_keys'
Solution 2
You should check the permission of the files on the remote machine using ls -l ~/.ssh
and setup the permission:
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/<private_key>
Ex: chmod 600 ~/.ssh/id_rsa
chmod 700 ~/.ssh/<public_key>
Ex: chmod 700 ~/.ssh/id_rsa.pub
chmod 700 /home/vmirea/.ssh
Solution 3
Your debug log shows that the server did not accept any of your private RSA keys. You should either specify the specific correct keyfile or check that the server has the right public key file.
As @Fredrik said, permissions on files can also play a role. SSH will refuse to use public key entries that others can write to and private key entries that others can read.
Solution 4
These problems (which are usually permissions related) are much more easily debugged from the server side. I recommend that you start another sshd in debug mode with: /usr/sbin/sshd -d -p 2222
which will start another sshd on port 2222, then run ssh -p 2222 user@sshserver
on the client side. Watch what comes out of the sshd when your client tries to authenticate.
Permissions problems don't have to be just /home/$USER/.ssh
. it could also be a problem with /
, /home
, or /home/$USER
. If any of those are group writable it can be a problem.
Another common problem is that you mis-paste and put linebreaks in the middle of your key in the authorized_keys file
Solution 5
The easiest way to setup the keys is by running
ssh-copy-id <remotehost>
on the machine that will be connecting (your workstation for example)
It should ask for your password, and then copy your key and setup the permissions appropriately.
Related videos on Youtube
Rhyuk
Updated on September 18, 2022Comments
-
Rhyuk over 1 year
Im trying to set access from ServerA(SunOS) to ServerB(Some custom Linux with Keyboard Interactive login) with SSH Keys. As a proof of concept I was able to do it between 2 virtual machines. Now in my real life scenario it isnt working.
I created the keys in ServerA, copied them to ServerB, chmod'd .ssh folders to 700 on both ServerA,B.
Here is the log of what I get.
debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: Peer sent proposed langtags, ctos: debug1: Peer sent proposed langtags, stoc: debug1: We proposed langtags, ctos: en-US debug1: We proposed langtags, stoc: en-US debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 125/256 debug1: bits set: 1039/2048 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'XXX.XXX.XXX.XXX' is known and matches the RSA host key. debug1: Found key in /XXX/.ssh/known_hosts:1 debug1: bits set: 1061/2048 debug1: ssh_rsa_verify: signature correct debug1: newkeys: mode 1 debug1: set_newkeys: setting new keys for 'out' mode debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: set_newkeys: setting new keys for 'in' mode debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: Authentications that can continue: publickey,keyboard-interactive debug1: Next authentication method: publickey debug1: Trying private key: /XXXX/.ssh/identity debug1: Trying public key: /xxx/.ssh/id_rsa debug1: Authentications that can continue: publickey,keyboard-interactive debug1: Trying private key: /xxx/.ssh/id_dsa debug1: Next authentication method: keyboard-interactive Password: Password:
ServerB has pretty limited actions since its a custom propietary linux.
What could be happening?
EDIT WITH ANSWER:
Problem was that I didnt have those settings enabled in the sshd_config (Refer to accepted answer) AND that while pasting the key from ServerA to ServerB it would interpret the key as 3 separate lines.
What I did was, in case you cant use ssh-copy-id like I couldnt. Paste the first line of your key in your "ServerB" authorized_keys file WITHOUT the last 2 characters, then type yourself the missing characters from line 1 and the first one from line 2, this will prevent adding a "new line" between the first and second line of the key. Repeat with the 3d line.
-
miniBill almost 12 yearsWhat's the output of ls -lh ~/.ssh on serverB?
-
-
Rhyuk almost 12 yearsthing is Solaris doesnt have ssh-copy-id :/
-
Ash almost 12 yearsPlease see my revised answer - I hope this helps.
-
Rhyuk almost 12 yearssshd_config from ServerB doesnt have the following values: PubKeyAuthentication yes AuthorizedKeysFlle %h/.ssh/authorized_keys Since I cant write in that file, Ill check that out and get back to you.
-
Ash almost 12 yearsanother thing, you could ssh in to ServerB, and
tail -f /var/log/auth.log
then in another terminal attempt to ssh in via your ssh key. Paste the output of that here, permissions is usually the problem when you connect and immediately get disconnected. -
Rhyuk almost 12 yearsI was able to uncomment the lines that were missing in the sshd_config then stop-started sshd and nothing. Still having the same problem. ServerB doesnt have /var/log/auth.log not /var/log/service :/
-
Rhyuk almost 12 yearsFINALLY!!!!! Problem was that I didnt have those settings enabled in the sshd_config AND that while pasting the key from ServerA to ServerB it would interpret the key as 3 separate lines. What I did was, in case you cant use ssh-copy-id. Paste the first line of your key WITHOUT the last 2 characters, then type yourself the missing characters from line 1 and the first one from line 2, this will prevent adding a "new line" between the first and second line of the key. Repeat with the 3d line.
-
Stan Sieler over 9 yearsThanks, Stew ... you solved my problem on HP-UX 11.23, where /home/myname was 0x777 instead of 0x755. Changed to 755, and ssh no longer prompts for a password.
-
kasperd over 8 yearsBased on the output provided in the question it looks like it is only
~/.ssh/authorized_keys
that could possibly have incorrect permissions. If any of the other files had incorrect permissions, I would expect an explicit indication of that in the output. It is permitted for the files in~/.ssh
to be world-readable except of course from private keys, which must only be readable to the owner. Write permissions for anybody other than the owner is not permitted, that includes permissions on~
and~/.ssh
. -
Rıfat Erdem Sahin about 6 yearsssh-copy-id is a life saver
-
Karl Morrison over 5 yearsOmg thanks man. Best post regarding SSH debugging, I don't understand why noone else has mentioned this.
-
Tung about 2 yearswork like a charm! thanks!