SSH still asks for password even after adding key to authorized_keys

Solution 1

~/.ssh must be chmod 700 and ~/.ssh/authorized_keys must be chmod 600. Both must be owned by you.

SSH will silently fall back on password login if those files/directories are more permissive although, from memory, it does log something about a "bad mode".

Also, check that ~/.ssh/authorized_keys actually contains something. I have a feeling that command may have created an empty file. The one I think you want is:

cat ~/.ssh/id_rsa.pub | ssh [email protected] -p 1234 "cat - > ~/.ssh/authorized_keys"
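
The ownership, mode and empty-file checks from Solution 1, as a script to run on the server (an added example, not part of the original answers). It approximates the test sshd applies under StrictModes, which refuses paths owned by another non-root user or writable by group or others; 700 and 600 satisfy it. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes path check.
# Function names are hypothetical, not part of OpenSSH.

# check_path PATH: report a wrong owner or group/world-writable mode.
check_path() {
    p=$1
    [ -e "$p" ] || { echo "MISSING $p"; return 1; }
    # ls -ldn prints "mode links uid gid ..."; -n keeps the owner numeric.
    info=$(ls -ldn "$p" | awk '{ print $1 " " $3 }')
    mode=${info% *}
    uid=${info#* }
    rc=0
    if [ "$uid" != "$(id -u)" ] && [ "$uid" != 0 ]; then
        echo "OWNER   $p is owned by uid $uid"
        rc=1
    fi
    # Characters 6 and 9 of the mode string are group-write and other-write.
    case $mode in
        ?????w*|????????w*)
            echo "MODE    $p is writable by group or others ($mode)"
            rc=1 ;;
    esac
    return $rc
}

# audit_ssh_dir HOME_DIR: check the home directory, .ssh and authorized_keys,
# and flag an empty authorized_keys file.
audit_ssh_dir() {
    home=$1
    bad=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$f" || bad=1
    done
    if [ -f "$home/.ssh/authorized_keys" ] && [ ! -s "$home/.ssh/authorized_keys" ]; then
        echo "EMPTY   $home/.ssh/authorized_keys has no content"
        bad=1
    fi
    return $bad
}

# Run against a directory given on the command line, e.g. "$HOME".
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```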

Solution 2

As Ladadadada noted, you have:

cat ~/.ssh/id_rsa | ssh [email protected] -p 1234 "cat > ~/.ssh/authorized_keys"

This is copying out your private/public key pair to the authorized_keys file. Your authorized_keys file on the server should not have the private key. I would suggest the following:

  • Delete the authorized_keys file on the remote system entirely.
  • Temporarily change the permissions to .ssh to make it writeable if it hasn't already been done.
  • On your local system, navigate to the .ssh directory and ensure you have an id_rsa and id_rsa.pub file. The ssh-keygen command should have created both files for you.
  • Execute the command Ladadadada provided:

cat ~/.ssh/id_rsa.pub | ssh [email protected] -p 1234 "cat - > ~/.ssh/authorized_keys"

Note: this should write your public key to the authorized_keys file. Double check to make sure your local copy of id_rsa.pub matches the key in the authorized_keys file.

The content of your id_rsa.pub key will look similar to (clipped a portion for brevity):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLrS9t0lEdxk52v8Jt/EJMNm9::::clipped:::::wu1WzNCvrkUDnqS/aQZJ4rR4J+GoMLxP2NT you@somehostname

This key, id_rsa.pub, should match the ssh key in the known_hosts file.

edited: fixed an error in a filename. I upvoted Ladadadada's answer because he caught the issue but I don't think it was picked up on by the OP

Solution 3

TL;DR

On Client side:

  • open configuration file /etc/ssh/ssh_config;
  • here look for PreferredAuthentications;
  • make sure password comes after publickey and not vice versa

In my case password was written before publickey, so ssh would prompt me for password even though I had copied my pub_key onto server.

This problem can be found out easily using verbose:

ssh -v compute@compute1
...
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password

As you can see password is chosen before trying to use publickey.

Edit /etc/ssh/ssh_config by moving password after publickey

PreferredAuthentications keyboard-interactive,publickey,password,hostbased,gssapi-with-mic

Now you can log in without being prompted for pwd.
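
A small parser for saved `ssh -v` output that tells the two situations on this page apart: the client choosing password before publickey (Solution 3) versus the client offering a key that the server declines (an added example, not part of the original answers). The function names and both sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample transcripts are constructed.

# diagnose_auth: read client debug output (ssh -v) on stdin, print a verdict.
diagnose_auth() {
    awk '
        /Authentications that can continue:/ && !server { server = $NF }
        /Next authentication method:/ { if (!first) first = $NF }
        /Offering .*public key/       { offered++ }
        /Server accepts key/          { accepted = 1 }
        END {
            if (accepted) {
                print "publickey-accepted"
            } else if (offered) {
                print "publickey-rejected offered=" offered
            } else if (server ~ /publickey/ && first != "publickey") {
                print "publickey-not-preferred first=" first
            } else {
                print "publickey-not-offered"
            }
        }'
}

# Constructed sample: the two debug lines quoted in Solution 3.
sample_password_first() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}

# Constructed sample: a key is offered, the server declines it, and the
# client falls back to password.
sample_key_rejected() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}
```

A `publickey-rejected` verdict points at the server side (authorized_keys content, ownership, modes), while `publickey-not-preferred` points at the client's PreferredAuthentications order.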

Author: Jürgen Paul

Updated on September 18, 2022

Comments

  • Jürgen Paul over 1 year

    Here are the steps I did on my local computer:

    ssh-keygen -t rsa
    cat ~/.ssh/id_rsa | ssh [email protected] -p 1234 "cat > ~/.ssh/authorized_keys"
    

    When I do a ssh [email protected] -p 1234 it still asks for the password :o

    [email protected]'s password:
    

    Why is it so? I already added it to the authorized keys but it still asks for the password. sshd_config:

    Port 1234
    Protocol 2
    SyslogFacility AUTHPRIV
    PubkeyAuthentication yes
    AuthorizedKeysFile      .ssh/authorized_keys
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    UsePAM no
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem       sftp    /usr/libexec/openssh/sftp-server
    

    Here's the result with -vvv:

    $ ssh [email protected] -p 1234 -vvv
    OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to remotehost.com [12.123.123.123] port 1234.
    debug1: Connection established.
    debug1: identity file /c/Documents and Settings/user/.ssh/identity type -1
    debug3: Not a RSA1 key file /c/Documents and Settings/user/.ssh/id_rsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /c/Documents and Settings/user/.ssh/id_rsa type 1
    debug1: identity file /c/Documents and Settings/user/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.6
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-g
    roup-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour1
    28,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-c
    tr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour1
    28,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-c
    tr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
    ssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
    ssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit: none,[email protected],zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-g
    roup-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
    8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij
    [email protected]
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
    8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij
    [email protected]
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
    ,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
    ,[email protected],hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit: none,[email protected]
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 135/256
    debug2: bits set: 519/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: put_host_port: [12.123.123.123]:1234
    debug3: put_host_port: [remotehost.com]:1234
    debug3: check_host_in_hostfile: filename /c/Documents and Settings/user/.ss
    h/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug3: check_host_in_hostfile: filename /c/Documents and Settings/user/.ss
    h/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug1: Host '[remotehost.com]:1234' is known and matches the RSA host key.
    debug1: Found key in /c/Documents and Settings/user/.ssh/known_hosts:1
    debug2: bits set: 515/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /c/Documents and Settings/user/.ssh/identity (0x0)
    debug2: key: /c/Documents and Settings/user/.ssh/id_rsa (0xa01a418)
    debug2: key: /c/Documents and Settings/user/.ssh/id_dsa (0x0)
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mi
    c,password
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-m
    ic,password
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /c/Documents and Settings/user/.ssh/identity
    debug3: no such identity: /c/Documents and Settings/user/.ssh/identity
    debug1: Offering public key: /c/Documents and Settings/user/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mi
    c,password
    debug1: Trying private key: /c/Documents and Settings/user/.ssh/id_dsa
    debug3: no such identity: /c/Documents and Settings/user/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    [email protected]'s password:
    
    • APR almost 12 years
      Could you try again with -vvv and post the results back? This would make the command to connect: 'ssh [email protected] -p 1234 -vvv'
    • Thor almost 12 years
      Did you remember to do ssh-add ~/.ssh/id_rsa on the local computer?
    • Jürgen Paul almost 12 years
      @Thor Could not open a connection to your authentication agent.
    • Thor almost 12 years
      Run ssh-agent > ~/.ssh/agent.vars and source ~/.ssh/agent-vars, (alternatively use keychain) then ssh-add will work.
    • Jürgen Paul almost 12 years
      file agent-vars doesn't exist. I'm using Windows xp and msysgit bash as the command line.
  • Jürgen Paul almost 12 years
    I tried to do these commands, but it still asks for the password. I also did turn UsePAM yes to no.
  • user9517 almost 12 years
    600 is for the paranoid, ssh is happy with 644
  • Jürgen Paul almost 12 years
    I just included the -vvv result as well, I hope it helps resolve the problem.
  • Bron Gondwana almost 12 years
    The permissions things are all true, but the root cause is uploading the private rather than public key. All the multiple incorrect lines will need to be stripped out of authorized_keys
  • Ladadadada almost 12 years
    That's a good spot. Even after the changes I suggested, uploading the private key instead of the public key still won't work.
  • Jürgen Paul almost 12 years
    @Ladadadada It's been a while and I still can't get it to work, I chmodded the files and chown -R root:root ~/.sssh. Here's the debug output: pastebin.com/GnZZDY1e
  • Jürgen Paul almost 12 years
    I also can assure that the content of ~/.ssh/id_rsa.pub == ~/.ssh/authorized_keys