SSH public key authentication doesn't work
Solution 1
Anything in log files, particularly /var/log/auth.log? You might also double-check permissions on the .ssh directory and files.
I haven't had to modify sshd_config for this kind of access, myself. I am wondering if your modification broke things, especially the AuthorizedKeysFile line.
Typically, you would want to put the authorized_keys under $USER/.ssh.
Here are the permissions from a user on one of my servers:
:~/.ssh$ ls -ld .
drwx------ 2 rrd rrd 4096 May 28 17:57 .
:~/.ssh$ ll
total 280
-rw-r----- 1 rrd rrd 4351 May 22 16:20 authorized_keys
-rw------- 1 rrd rrd 1679 Apr 27 2012 id_rsa
-rw-r--r-- 1 rrd rrd 399 Apr 27 2012 id_rsa.pub
-rw-r--r-- 1 rrd rrd 266138 Jun 13 00:18 known_hosts
Make sure the individual files are at least this restricted.
As guntbert points out, also check that the directory and files are owned by you. The permissions won't make sense (or work) otherwise.
Who owns the keys in authorized_keys on B? (The bit that says user@host after the key.) Is it root@A?
That is, in looking at ~/.ssh/authorized_keys, what is the equivalent of bert@etherbert for your set-up:
ssh-rsa AAAA...ffsII8dSaDF33 bert@etherbet
I would just edit the remote .ssh/authorized_keys manually for testing, putting in the id_rsa.pub contents of the user you are initiating the connection with.
Make sure you are coming from the user that has the key in the remote authorized_keys file.
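An added example (not code from any answer or comment on this page): a small shell audit that applies the same ownership and mode rules sshd's StrictModes check applies before it will read authorized_keys, so a "bad ownership or modes" refusal like the one in the question's auth.log can be reproduced on the server without guessing. The function names check_one and check_ssh_perms are chosen here, and the script assumes GNU coreutils stat (Linux).

```shell
#!/bin/sh
# Added example, not from the answers above. sshd refuses public-key auth when
# HOME, HOME/.ssh or HOME/.ssh/authorized_keys is owned by someone other than
# the user (or root), or is group- or world-writable; the log line is then
# "Authentication refused: bad ownership or modes for directory ...".
# Assumes GNU coreutils stat.

# check_one PATH USER: 0 if PATH passes sshd's rules, 1 (with a reason) if not.
check_one() {
    path=$1; user=$2
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")        # octal, e.g. 700 or 644
    if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
        echo "bad ownership for $path: owned by $owner, expected $user"
        return 1
    fi
    # 022 masks the group-write and other-write bits, the ones sshd rejects.
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "bad modes for $path: $mode is group- or world-writable"
        return 1
    fi
    return 0
}

# check_ssh_perms USER HOME: walks the three entries sshd looks at, reports
# every problem it finds, and returns 0 only when all of them pass.
check_ssh_perms() {
    user=$1; home=$2; rc=0
    check_one "$home" "$user" || rc=1
    check_one "$home/.ssh" "$user" || rc=1
    if [ -f "$home/.ssh/authorized_keys" ]; then
        check_one "$home/.ssh/authorized_keys" "$user" || rc=1
    else
        echo "missing $home/.ssh/authorized_keys"
        rc=1
    fi
    return $rc
}

# Run directly as: sh check_ssh_perms.sh "$(id -un)" "$HOME"
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

In the question's setup the home directory is /, so sshd checks / and /.ssh, which is why a 777 on /.ssh was refused even though the key itself was in place.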
Solution 2
The directory ~/.ssh MUST be owned by the user, not root. So change that and it will work.
To avoid having to type the passphrase for your private key every time, use ssh-agent: ssh-add .ssh/id_rsa will add the key to the agent, and from then on the agent will provide the key to ssh.
Solution 3
Besides the solutions all the other guys have provided, my additional suggestion is that you should first check the log file /var/log/secure, which is where sshd puts its logs. If something goes wrong, checking what sshd has complained about in /var/log/secure will quickly narrow down the possible issues.
Solution 4
This is an old question and already answered, but if the user has the home directory encrypted (using ecryptfs or some such), the ssh daemon will not be able to see the ~/.ssh/authorized_keys file. If that is the case, follow the solution listed here.
This solution recommends changing the sshd configuration (/etc/ssh/sshd_config), changing AuthorizedKeysFile to /etc/ssh/%u/authorized_keys, and copying your authorized_keys file to /etc/ssh/username/authorized_keys (along with proper ownership for /etc/ssh/username and proper permissions as required by sshd).
Updated on September 18, 2022
Comments
-
dessert over 1 year
I'm having trouble setting up public key authentication for an SSH server on Ubuntu Server 12.04 (A) for authentication from an Ubuntu Server 13.04 (B).
What I'm doing now (I'm trying to follow the instructions here):
- On B: Create a new key with ssh-keygen -C "", using no passphrase, writing to /.ssh/id_rsa - I don't get any errors
- On B: Run ssh-copy-id -i /.ssh/id_rsa user@host-a - also, a success message
- On B: ssh -i /.ssh/id_rsa user@host-a - I still have to enter my password for user@host-a
On A, I checked if the /.ssh/authorized_keys is modified after running ssh-copy-id, and this is the case. Also, on both devices I added this to /etc/ssh/sshd_config:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /.ssh/authorized_keys
Does anyone know what might be the problem here?
Here's the tail of my /var/log/auth.log on machine A:
Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on 0.0.0.0 port 22.
Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on :: port 22.
Jun 13 22:18:27 laptop-camil sshd[12345]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:30 laptop-camil sshd[12345]: Accepted password for camilstaps from 164.138.27.37 port 48407 ssh2
Jun 13 22:18:30 laptop-camil sshd[12345]: pam_unix(sshd:session): session opened for user camilstaps by (uid=0)
Jun 13 22:18:35 laptop-camil sshd[12464]: Received disconnect from 164.138.27.37: 11: disconnected by user
Jun 13 22:18:35 laptop-camil sshd[12345]: pam_unix(sshd:session): session closed for user camilstaps
Jun 13 22:18:42 laptop-camil sshd[12516]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:44 laptop-camil sshd[12516]: Connection closed by <host-b> [preauth]
-
belacqua almost 11 years
What is the user you are using, and are you editing ~user/.ssh?
-
belacqua almost 11 years
Hmm. Are you trying to ssh into the box as camilstaps? You would need the permissions fixed to you, as guntbert says. This breaks the default set up for root, which you can't ssh with by default, anyway.
-
belacqua almost 11 years
Any chance you could use a real user home dir? It would make life less complicated.
-
Admin almost 11 years
@belacqua unfortunately not :( I don't quite get your other message - I'm running sudo -s on the local host B, and try to log in to camilstaps@laptop-camil (remote host A). On B, root owns /.ssh. On A, camilstaps owns /.ssh.
-
belacqua almost 11 years
Who owns the keys in authorized_keys on B? (The bit that says user@host after the key.) Is it root@A?
-
Admin almost 11 years
@belacqua no, that's camilstaps:camilstaps, with permissions 640.
-
belacqua almost 11 years
Ok, adding more to my answer.
-
Ciro Santilli OurBigBook.com over 6 years
- On B: Create a new key with
-
Carrie Kendall almost 11 years
I'm a newbie - what logfiles should I check (on which machine)? The permissions are set - for testing - to 777. The home directory of both the user and the root is /. I'll try to comment the lines in and see if that changes anything
-
belacqua almost 11 years
You need to make the permissions more restrictive, typically. I'll check my settings. /var/log/auth.log is good to check.
-
Carrie Kendall almost 11 years
Heh, I thought for once about permissions.. :) I tried commenting it on both machines, restarting the ssh service, but that didn't change anything, unfortunately.
-
belacqua almost 11 years
Yeah, looks like it is complaining about permissions in .ssh.
-
guntbert almost 11 years
please show us the output of ls -ld .ssh
-
Carrie Kendall almost 11 years
@guntbert it's drwx------ 2 root root 4096 Jun 13 21:22 /.ssh on both machines now (I changed it), but it doesn't work.. yet :) ideas?
-
mvt-HP-Pavillon-dv5-Ni almost 11 years
That shows progress! :) but now I have to input the passphrase and the password for the remote host every time I open an SSH connection..
-
mvt-HP-Pavillon-dv5-Ni almost 11 years
Unfortunately, this doesn't help :( (Note: I had to do this as well)
-
Carrie Kendall almost 11 years
Huh, okay, so now it suddenly works, but I don't remember what exact steps I did so I don't know who to give the accepted answer... (CC @guntbert) - also without accepted answer, thanks a lot both! This is great.
-
belacqua almost 11 years
No worries. Good to hear.
-
Anders almost 11 years
If you log in graphically you can add the key ring so the key for your ssh is automatically added each time you log in. If you log in from that machine, you don't need to add the password any more after that. Unless you log out, then you need to add that password once again. If you have problems connecting, try out ssh -v -v -v -v (yes, many -v) to get more logging of what happens when you connect from the client. Read and look at strange messages. /var/log/auth.log has the messages on the server side; you should always look there too.
-
Admin over 8 years
Sorry, but this file does not even exist on my installations.
-
marlar over 2 years
I had already checked ~/.ssh but auth.log said: Authentication refused: bad ownership or modes for directory /home/<user>