Why is SSH not honoring my authorized keys?
Solution 1
First step: restart ssh with /etc/init.d/sshd restart. Also, ensure that the permissions on the authorized_users file are correct. To verify, use chmod 600 ~/.ssh/authorized_keys and ensure it's owned by the user you're logging in as.
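As an added example (not part of the original answer): a Python sketch of the ownership and mode check described above, approximating what sshd enforces when StrictModes is enabled. The function name strictmodes_findings is an assumption made for illustration.

```python
import os


def strictmodes_findings(home, uid, keyfile=".ssh/authorized_keys"):
    """List ownership/mode problems on the key file and every directory
    between it and the home directory (inclusive).

    Approximates sshd's StrictModes check: each component must be owned by
    the login user or root and must not be writable by group or others.
    """
    home = os.path.realpath(home)
    current = os.path.realpath(os.path.join(home, keyfile))
    findings = []
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            findings.append(f"{current}: missing")
        else:
            if st.st_uid not in (0, uid):
                findings.append(
                    f"{current}: owned by uid {st.st_uid}, expected {uid} or root")
            if st.st_mode & 0o022:
                findings.append(
                    f"{current}: mode {st.st_mode & 0o777:04o} is group/world-writable")
        parent = os.path.dirname(current)
        # Stop once the home directory itself has been checked.
        if current == home or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    me = os.getuid()
    for line in strictmodes_findings(os.path.expanduser("~"), me) or ["no findings"]:
        print(line)
```

Run it on the server as the account you log in to; an empty result means the file and directory modes are not what is blocking key authentication.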
Solution 2
For me, deleting id_rsa.pub helped (I was using the ~/.ssh/id_rsa key). This was caused because id_rsa.pub was not matching my id_rsa key.
Solution 3
What format is your public key in?
I find a lot of tools generate keys like this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit RSA, converted from OpenSSH by [email protected]"
AAAAB3NzaC1yc2EAAAABIwAAAIEA1on8gxCGJJWSRT4uOrR13mUaUk0hRf4RzxSZ1zRb
YYFw8pfGesIFoEuVth4HKyF8k1y4mRUnYHP1XNMNMJl1JcEArC2asV8sHf6zSPVffozZ
5TT4SfsUu/iKy9lUcCfXzwre4WWZSXXcPff+EHtWshahu3WzBdnGxm5Xoi89zcE=
---- END SSH2 PUBLIC KEY ----
And my authorized_keys file always contained the key like this:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1on8gxCGJJWSRT4uOrR13mUaUk0hRf4RzxSZ1zRbYYFw8pfGesIFoEuVth4HKyF8k1y4mRUnYHP1XNMNMJl1JcEArC2asV8sHf6zSPVffozZ5TT4SfsUu/iKy9lUcCfXzwre4WWZSXXcPff+EHtWshahu3WzBdnGxm5Xoi89zcE=
(The public key concatenated together all on one line)
pnongrata
Updated on September 18, 2022
Comments
-
pnongrata over 1 year
I have 2 laptops at home, both running Ubuntu 12.04 (Desktop), and both using the same NetGear wifi router. I used a technique called "MAC binding" on one of the machines so that the router always assigns it the same 192.168.1.52 IP address every time it tries to connect to the Internet. (Unrelated: MAC binding just means configuring the router to always bind a specific MAC address to a specific IP.)
So now, I have 1 laptop that always gets assigned a random IP in the 192.168.1.1 to 192.168.1.50 range, and 1 laptop (my "build server") that always gets assigned 192.168.1.52.
I am trying to write some bash script that I will run on the "client" laptop (the random IP machine) that will ssh into the build server (192.169.1.52 machine); hence the necessity for the build server to have a "dedicated" IP from inside my LAN. I don't want to have to explicitly feed these bash scripts a password, so I followed the instructions in this article here to generate SSH keys. Specifically, I:
- Generated SSH keys on my client laptop (producing an id_rsa.pub file)
- I scp'd the id_rsa.pub file to my build server, and cat'd it into the ~/.ssh/authorized_keys file. I verified that my client laptop's SSH key now exists inside the authorized_keys file on the build server.
- I closed the terminal on my client laptop and then reopened a new one, just for good measure (in case Linux needs that in order to restart anything, etc.)
- I then tried to SSH into the build server, and am still being prompted for a password!
What's going on here? Why is SSH on my build server not honoring the authorized keys from my client laptop? Do I need to restart anything on the build server (sshd, etc.)? Have I missed any crucial steps here? How to start troubleshooting? Thanks in advance!
Update: Apparently Ubuntu doesn't have a /var/log/secure.log, but does have a /var/log/auth.log. When I tail this log on the build server, and then attempt to SSH into the build server from my client laptop, here's what happens:
- I run ssh myuser@buildserver from the client laptop
- I am prompted for a password.
- As soon as I enter the password, I see the following output in the build server's auth.log file:
May 21 12:02:07 buildserver sshd[28930]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)
May 21 12:02:10 buildserver sshd[28930]: pam_sm_authenticate: Called
May 21 12:02:10 buildserver sshd[28930]: pam_sm_authenticate: username = [myuser]
May 21 12:02:10 buildserver sshd[28930]: pam_sm_authenticate: /home/myuser is already mounted
May 21 12:02:10 buildserver sshd[28930]: Accepted password for myuser from 192.168.1.3 port 39821 ssh2
May 21 12:02:10 buildserver sshd[28930]: pam_unix(sshd:session): session opened for user myuser by (uid=0)
May 21 12:02:10 buildserver sshd[29003]: Received disconnect from 192.168.1.3: 11: disconnected by user
May 21 12:02:10 buildserver sshd[28930]: pam_unix(sshd:session): session closed for user myuser
Something that maybe I should have mentioned: on both machines (the client laptop and my build server, the username/account name is myuser) - could Linux be getting confused because of the same username on both machines?
-
user1984103 almost 11 years
The generic term for "MAC Binding" is a persistent DHCP reservation.
-
user1984103 almost 11 years
Does your public key start with ssh-rsa or ---- BEGIN SSH2 PUBLIC KEY ----?
-
pnongrata almost 11 years
The first, ssh-rsa... is that my private key?
-
user1984103 almost 11 years
No, that's just how my key entries are, but tools always seem to generate the latter kind, and I always convert them. See my answer.
-
user1984103 almost 11 years
Are you using ssh-agent to manage your private key? Does it work if you use SSH_AUTH_SOCK=0 ssh buildserver?
-
pnongrata almost 11 years
Thanks @Nathan C (+1) - I tried both suggestions: I restarted ssh (via sudo service ssh stop then sudo service ssh start), and then I changed the permissions on authorized_keys from 700 to 750. Please note that I restarted a service called ssh, not sshd like you suggested. There doesn't seem to be a service called sshd installed on my build server (remember it's an Ubuntu desktop), so could that be my problem? If so, what's the fix? If not, anything else you can think of? Thanks again!
-
Nathan C almost 11 years
The desktop portion doesn't matter (since it's just the GUI that makes it a "desktop"). Does the /var/log/secure.log have anything referencing the key?
-
nerdwaller almost 11 years
@TicketMonster - You also need to cat id.pub >> authorized_keys2. Depending on your ssh protocols enabled, you need both authorized_keys and authorized_keys2. Restarting the service is unnecessary, unless you change ssh/sshd configurations.
-
pnongrata almost 11 years
Thanks again @NathanC (+1) - please see my update at the bottom of my original question and let me know what you think.
-
pnongrata almost 11 years
Thanks @nerdwaller (+1) - I'll give it a try in the meantime. One thing though, if what you say is true, why do none of the "How to use SSH keys"-type tutorials mention authorized_keys2? I'm a little skeptical, because isn't id.pub my private key? Why would I want the build server to have my private key?!? Thanks again!
-
pnongrata almost 11 years
Okay I'm sorry guys I'm confusing myself here: when I used ssh-keygen it made 2 files: id_rsa and id_rsa.pub. The id_rsa.pub is what is installed on the build server (which got there by me scp'ing it and then cat'ing it).
-
Nathan C almost 11 years
Looks like the public key is corrupted. Try copying it over again. If needed, regenerate your keypair and start from scratch.
-
pnongrata almost 11 years
Thanks @Darth Android (+1) - my public key starts ssh-rsa, not the ---- BEGIN... style. What does this tell you?
-
user1984103 almost 11 years
Just that this isn't the answer. Sorry :(
-
user1984103 almost 11 years
@TicketMonster For the record, .ssh should be 700, and authorized_keys should be 600. What happens if you use those permissions?
-
Nathan C almost 11 years
@DarthAndroid Ah, my permissions were incorrect. Updated my answer with it.
-
pnongrata almost 11 years
I regenerated the keys like @NathanC suggested - and now it works! Thanks everyone!!