SSH public key authentication doesn't work

12.04 server ssh security sshd

64,343

Solution 1

Anything in log files, particularly /var/log/auth.log? You might also double-check permissions on the .ssh directory and files.

I haven't had to modify sshd_config for this kind of access, myself. I am wondering if your modification broke things, especially the AuthorizedKeysFile line. Typically, you would want to put the authorized_keys under $USER/.ssh .

Here are the permission from a user on one of my servers:

:~/.ssh$ ls -ld .
drwx------ 2 rrd rrd 4096 May 28 17:57 .

:~/.ssh$ ll
total 280
-rw-r----- 1 rrd rrd   4351 May 22 16:20 authorized_keys
-rw------- 1 rrd rrd   1679 Apr 27  2012 id_rsa
-rw-r--r-- 1 rrd rrd    399 Apr 27  2012 id_rsa.pub
-rw-r--r-- 1 rrd rrd 266138 Jun 13 00:18 known_hosts

Make sure the individual files are at least this restricted.

As guntbert points out, also check that the directory and files are owned by you. The permissions won't make sense (or work) otherwise.

Who owns the keys in authorized_keys on B? (The bit that says user@host after the key.) Is it root@A ?

That is, in looking at ~/.ssh/authorized_keys, what is the equivalent of bert@etherbert for your set-up:

ssh-rsa AAAA...ffsII8dSaDF33 bert@etherbet

I would just edit the remote .ssh/authorized keys manually for testing, putting in the id_rsa.pub contents of the user you are intiating the connection with.

Make sure you are coming from the user that has the key in the remote authorized_keys file.

Solution 2

The directory ~/.ssh MUST be owned by the user, not root. So change that and it will work.

To avoid having to type the passphrase for your private key every time you use ssh-agent. ssh-add .ssh/id_rsa will add the key to the agent, from then on the agent will provide the key to ssh.

Solution 3

Besides all the other guys had provided the solutions, my additional suggestion is you should first check the logging file: /var/log/secure, which is where sshd puts logs in. If something goes wrong, checking what sshd has complained in /var/log/secure will quickly narrow down the possible issues.

Solution 4

This is an old question and already answered, but if the user has the home directory encrypted (using ecryptfs or some such), ssh daemon will not be able to see the ~/.ssh/authorized_keys file. If that is the case follow the solution listed here.

This solution recommends changing sshd configuration (/etc/ssh/sshd_config) and changing AuthorizedKeysFile to /etc/ssh/%u/authorized_keys and copying your authorized_keys file to /etc/ssh/username/authorized_keys file (along with proper ownership for /etc/ssh/username and proper permissions as required by sshd).

View more solutions

64,343

dessert

For my pronouns see here: http://my.pronoun.is/nobody/nobody/nobody%E2%80%99s/nobody%E2%80%99s/noself This page intentionally crammed with flair™.

Updated on September 18, 2022

Comments

dessert over 1 year
I'm having trouble setting up public key authentication for an SSH server on Ubuntu Server 12.04 (A) for authentication from an Ubuntu Server 13.04 (B).

What I'm doing now (I'm trying to follow the instructions here):
- On B: Create a new key with ssh-keygen -C "", using no passphrase, writing to /.ssh/id_rsa - I don't get any errors
- On B: Run ssh-copy-id -i /.ssh/id_rsa user@host-a - also, a success message
- On B: ssh -i /.ssh/id_rsa user@host-a - I still have to enter my password for user@host-a
On A, I checked if the /.ssh/authorized_keys is modified after running ssh-copy-id, and this is the case. Also, on both devices I added this to /etc/ssh/sshd_config:
```
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /.ssh/authorized_keys
```
Does anyone know what might be the problem here?

Here's the tail of my /var/log/auth.log on machine A:
```
Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on 0.0.0.0 port 22.
Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on :: port 22.
Jun 13 22:18:27 laptop-camil sshd[12345]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:30 laptop-camil sshd[12345]: Accepted password for camilstaps from 164.138.27.37 port 48407 ssh2
Jun 13 22:18:30 laptop-camil sshd[12345]: pam_unix(sshd:session): session opened for user camilstaps by (uid=0)
Jun 13 22:18:35 laptop-camil sshd[12464]: Received disconnect from 164.138.27.37: 11: disconnected by user
Jun 13 22:18:35 laptop-camil sshd[12345]: pam_unix(sshd:session): session closed for user camilstaps
Jun 13 22:18:42 laptop-camil sshd[12516]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:44 laptop-camil sshd[12516]: Connection closed by <host-b> [preauth]
```
- belacqua almost 11 years
  
  What is the user you are using, and are you editing ~user/.ssh ?
- belacqua almost 11 years
  
  Hmm. Are you trying to ssh into the box as camilstaps? You would need the permissions fixed to you, as guntbert says. This breaks the default set up for root, which you can't ssh with by default, anyway.
- belacqua almost 11 years
  
  Any chance you could use a real user home dir? It would make life less complicated.
- Admin almost 11 years
  
  @belacqua unfortunately not :( I don't quite get your other message - I'm running sudo -s on the local host B, and try to login to camilstaps@laptop-camil (remote host A). On B, root owns /.ssh. On A, camilstaps owns /.ssh.
- belacqua almost 11 years
  
  Who owns the keys in authorized_keys on B? (The bit that says user@host after the key.) Is it root@A ?
- Admin almost 11 years
  
  @belacqua no, that's camilstaps:camilstaps, with permissions 640.
- belacqua almost 11 years
  
  Ok, adding more to my answer.
- Ciro Santilli OurBigBook.com over 6 years
  
  stackoverflow.com/questions/6377009/…
Carrie Kendall almost 11 years

I'm a newbie - what logfiles should I check (on which machine)? The permissions are set - for testing - to 777. The home directory of both the user and the root is /. I'll try to comment the lines in and see if that changes anything
belacqua almost 11 years

You need to make the permissions more restrictive, typically. I'll check my settings. /var/log/auth.log is good to check.
Carrie Kendall almost 11 years

Heh, I thought for once about permissions.. :) I tried commenting it on both machines, restarting the ssh service, but that didn't change anything, unfortunately.
belacqua almost 11 years

Yeah, looks like it is complaining about permissions in .ssh .
guntbert almost 11 years

please show us the output of ls -ld .ssh
Carrie Kendall almost 11 years

@guntbert it's drwx------ 2 root root 4096 Jun 13 21:22 /.ssh on both machines now (I changed it), but it doesn't work.. yet :) ideas?
mvt-HP-Pavillon-dv5-Ni almost 11 years

That shows progress! :) but now I have to input the passphrase and the password for the remote host every time I open an SSH connection..
mvt-HP-Pavillon-dv5-Ni almost 11 years

Unfortunately, this doesn't help :( (Note: I had to do this as well)
Carrie Kendall almost 11 years

Huh, okay, so now it suddenly works, but I don't remember what exact steps I did so I don't know who to give the accepted answer... (CC @guntbert) - also without accepted answer, thanks a lot both! This is great.
belacqua almost 11 years

No worries. Good to hear.
Anders almost 11 years

If you log in graphically you can add the key ring so the key for your ssh are automaticly added each time you log in. If you log in from that machine, you don't need to add password any more after that. Unless you log out, then you need to add that password once again. If you have problems connecting, try out ssh -v -v -v -v (yes, many -v) to get more loggings whan happens when you connect from the client. Read and look at strange messages. /var/log/auth.log are messages on the server side, you should always look there too.
Admin over 8 years

Sorry, but this file does not even exist on my installations.
marlar over 2 years

I had already checked ~/.ssh but auth.log said: Authentication refused: bad ownership or modes for directory /home/<user>