SSH still asks for password even after adding key to authorized_keys
Solution 1
~/.ssh must be chmod 700 and ~/.ssh/authorized_keys must be chmod 600. Both must be owned by you.
SSH will silently fall back on password login if those files/directories are more permissive although, from memory, it does log something about a "bad mode".
Also, check that ~/.ssh/authorized_keys actually contains something. I have a feeling that command may have created an empty file. The one I think you want is:
cat ~/.ssh/id_rsa.pub | ssh [email protected] -p 1234 "cat - > ~/.ssh/authorized_keys"
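The three checks this answer lists (mode, ownership, non-empty file), as an added shell example that is not part of the original answer. It assumes GNU stat (Linux); the function names `check_mode_owner` and `audit_ssh_dir` are hypothetical, and the demo directory is constructed.

```sh
#!/bin/sh
# Added example: audit the modes, ownership and content the answer lists.
# Assumes GNU stat (Linux).

check_mode_owner() {            # usage: check_mode_owner PATH EXPECTED_MODE
    path=$1; want=$2; rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    set -- $(stat -c '%a %u' "$path")      # $1 = octal mode, $2 = owner uid
    [ "$1" = "$want" ] || { echo "MODE $path is $1, expected $want"; rc=1; }
    [ "$2" = "$(id -u)" ] || { echo "OWNER $path is uid $2, expected $(id -u)"; rc=1; }
    return $rc
}

audit_ssh_dir() {               # usage: audit_ssh_dir DIR  (normally ~/.ssh on the server)
    dir=$1; findings=0
    check_mode_owner "$dir" 700 || findings=$((findings + 1))
    check_mode_owner "$dir/authorized_keys" 600 || findings=$((findings + 1))
    # -s is true only if the file exists and is larger than zero bytes
    [ -s "$dir/authorized_keys" ] || { echo "EMPTY $dir/authorized_keys"; findings=$((findings + 1)); }
    return $findings            # exit status = number of findings, 0 means clean
}

# Constructed demo: a too-permissive directory holding an empty key file.
demo=$(mktemp -d)
chmod 755 "$demo"; : > "$demo/authorized_keys"; chmod 644 "$demo/authorized_keys"
audit_ssh_dir "$demo" || echo "findings: $?"
rm -rf "$demo"
```

Run `audit_ssh_dir ~/.ssh` as the login user on the server; an exit status of 0 means all three conditions hold.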
Solution 2
As Ladadadada noted, you have:
cat ~/.ssh/id_rsa | ssh [email protected] -p 1234 "cat > ~/.ssh/authorized_keys"
This is copying out your private/public key pair to the authorized_keys file. Your authorized_keys file on the server should not have the private key. I would suggest the following:
- Delete the authorized_keys file on the remote system entirely.
- Temporarily change the permissions to .ssh to make it writeable if it hasn't already been done.
- On your local system, navigate to the .ssh directory and ensure you have an id_rsa and id_rsa.pub file. The ssh-keygen command should have created both files for you.
- Execute the command Ladadadada provided:
cat ~/.ssh/id_rsa.pub | ssh [email protected] -p 1234 "cat - > ~/.ssh/authorized_keys"
Note: this should write your public key to the authorized_keys file. Double check to make sure your local copy of id_rsa.pub matches the key in the authorized_keys file.
The content of your id_rsa.pub key will look similar to (clipped a portion for brevity):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLrS9t0lEdxk52v8Jt/EJMNm9::::clipped:::::wu1WzNCvrkUDnqS/aQZJ4rR4J+GoMLxP2NT you@somehostname
This key, id_rsa.pub, should match the ssh key in the known_hosts file.
edited: fixed an error in a filename. I upvoted Ladadadada's answer because he caught the issue but I don't think it was picked up on by the OP
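A way to confirm what actually landed in authorized_keys, as an added shell example that is not part of the original answer. The function names `classify_authorized_keys` and `pubkey_listed` and the verdict labels are hypothetical, and the sample file is constructed (not a real key).

```sh
#!/bin/sh
# Added example: inspect an authorized_keys file for the mistake described above.

classify_authorized_keys() {    # usage: classify_authorized_keys FILE
    awk '
    BEGIN {
        type = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\\.com)$"
        blob = "^AAAA[A-Za-z0-9+/]+=*$"     # every SSH public key blob starts with AAAA
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines are allowed
    /^-----(BEGIN|END) / { printf "line %d: PEM-MARKER\n", NR; bad++; next }
    {
        for (i = 1; i < NF; i++)            # options may precede the key type
            if ($i ~ type && $(i + 1) ~ blob) { printf "line %d: OK %s\n", NR, $i; next }
        printf "line %d: NOT-A-PUBLIC-KEY\n", NR; bad++
    }
    END { exit (bad > 0) }' "$1"
}

pubkey_listed() {               # usage: pubkey_listed PUBKEY_FILE AUTHORIZED_KEYS_FILE
    want=$(awk '{ print $2; exit }' "$1")   # field 2 of a .pub file is the key blob
    [ -n "$want" ] && awk -v want="$want" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }' "$2"
}

# Constructed sample: what the file looks like after id_rsa (not id_rsa.pub) is uploaded.
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructedNotARealKey' \
    '-----END RSA PRIVATE KEY-----' > "$demo"
classify_authorized_keys "$demo" || echo "no usable public key entries"
rm -f "$demo"
```

If private key material is found in authorized_keys, treat that key pair as exposed to anyone who can read the file and generate a new pair.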
Solution 3
TL;DR
On Client side:
- open configuration file /etc/ssh/ssh_config;
- here look for PreferredAuthentications;
- make sure password comes after publickey and not vice versa.
In my case password was written before publickey, so ssh would prompt me for password even though I had copied my pub_key onto server.
This problem can be found out easily using verbose:
ssh -v compute@compute1
...
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
As you can see password is chosen before trying to use publickey.
Edit /etc/ssh/ssh_config by moving password after publickey:
PreferredAuthentications keyboard-interactive,publickey,password,hostbased,gssapi-with-mic
Now you can log in without being prompted for pwd.
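Reading a saved `ssh -v` session mechanically, as an added shell example that is not part of the original answer. It goes slightly beyond this answer's case by also recognising a log where publickey was tried first and the offered key was not accepted; the function name `diagnose_ssh_log` and the verdict labels are hypothetical, and the sample log is constructed from the lines quoted above.

```sh
#!/bin/sh
# Added example: classify why a saved `ssh -v` session ended at a password prompt.

diagnose_ssh_log() {            # usage: diagnose_ssh_log FILE
    awk '
    /Next authentication method: / {
        m = $NF
        order = (order == "" ? m : order "," m)     # methods in the order tried
        if (m == "publickey") pk = NR
        if (m == "password" && !pw) pw = NR
    }
    /Offering public key: / { offered++ }
    /Server accepts key/    { accepted++ }
    END {
        print "order=" order
        if (pw && (!pk || pw < pk))             print "verdict=password-tried-before-publickey"
        else if (pw && offered && !accepted)    print "verdict=offered-key-rejected-by-server"
        else if (pw && pk && !offered)          print "verdict=no-key-offered"
        else                                    print "verdict=inconclusive"
    }' "$1"
}

# Constructed sample built from the two debug lines quoted in the answer above.
log=$(mktemp)
cat > "$log" <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
diagnose_ssh_log "$log"
rm -f "$log"
```

The first verdict points at the client-side PreferredAuthentications order; the second points at the server side (authorized_keys content or permissions).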
Jürgen Paul
Updated on September 18, 2022
Comments
- Jürgen Paul over 1 year
Here are the steps I did on my local computer:
ssh-keygen -t rsa
cat ~/.ssh/id_rsa | ssh [email protected] -p 1234 "cat > ~/.ssh/authorized_keys"
When I do a
ssh [email protected] -p 1234
it still asks for the password :o
[email protected]'s password:
Why is it so? I already added it to the authorized keys but it still asks for the password. sshd_config:
Port 1234
Protocol 2
SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
Here's the result with -vvv:
$ ssh [email protected] -p 1234 -vvv
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug2: ssh_connect: needpriv 0
debug1: Connecting to remotehost.com [12.123.123.123] port 1234.
debug1: Connection established.
debug1: identity file /c/Documents and Settings/user/.ssh/identity type -1
debug3: Not a RSA1 key file /c/Documents and Settings/user/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /c/Documents and Settings/user/.ssh/id_rsa type 1
debug1: identity file /c/Documents and Settings/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 519/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [12.123.123.123]:1234
debug3: put_host_port: [remotehost.com]:1234
debug3: check_host_in_hostfile: filename /c/Documents and Settings/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /c/Documents and Settings/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '[remotehost.com]:1234' is known and matches the RSA host key.
debug1: Found key in /c/Documents and Settings/user/.ssh/known_hosts:1
debug2: bits set: 515/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /c/Documents and Settings/user/.ssh/identity (0x0)
debug2: key: /c/Documents and Settings/user/.ssh/id_rsa (0xa01a418)
debug2: key: /c/Documents and Settings/user/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Documents and Settings/user/.ssh/identity
debug3: no such identity: /c/Documents and Settings/user/.ssh/identity
debug1: Offering public key: /c/Documents and Settings/user/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /c/Documents and Settings/user/.ssh/id_dsa
debug3: no such identity: /c/Documents and Settings/user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:
- APR almost 12 years: could you try again with -vvv and post the results back? This would make the command to connect: 'ssh [email protected] -p 1234 -vvv'
- Thor almost 12 years: Did you remember to do ssh-add ~/.ssh/id_rsa on the local computer?
- Jürgen Paul almost 12 years: @Thor Could not open a connection to your authentication agent.
- Thor almost 12 years: Run ssh-agent > ~/.ssh/agent.vars and source ~/.ssh/agent-vars, (alternatively use keychain) then ssh-add will work.
- Jürgen Paul almost 12 years: file agent-vars doesn't exist. I'm using Windows xp and msysgit bash as the command line.
- Jürgen Paul almost 12 years: I tried to do these commands, but it still asks for the password. I also did turn UsePAM yes to no.
- user9517 almost 12 years: 600 is for the paranoid, ssh is happy with 644
- Jürgen Paul almost 12 years: I just included the -vvv result as well, I hope it helps resolve the problem.
- Bron Gondwana almost 12 years: The permissions things are all true, but the root cause is uploading the private rather than public key. All the multiple incorrect lines will need to be stripped out of authorized_keys
- Ladadadada almost 12 years: That's a good spot. Even after the changes I suggested, uploading the private key instead of the public key still won't work.
- Jürgen Paul almost 12 years: @Ladadadada It's been a while and I still can't get it to work, I chmodded the files and chown -R root:root ~/.sssh. Here's the debug output: pastebin.com/GnZZDY1e
- Jürgen Paul almost 12 years: I also can assure that the content of ~/.ssh/id_rsa.pub == ~/.ssh/authorized_keys