Why won't automatic login through ssh with authorized_keys work?
Solution 1
Although your problem may have already been solved by other answeres, I've locked myself out of enough machines from not validating sshd_config changes before signing off so have come up with the below process that might be useful for future debugging of sshd config changes:
DO NOT DISCONNECT an active ssh connection until AFTER testing has verified behaviour is as you expect.
a. verify what you think sshd is supposed to be doing
b. verify the configuration is valid using "-t"
c. start a verbose 'test' version of the server you can live monitor
d. start a verbose 'test' client connection you can live monitor
a. verify what you think sshd is supposed to be doing
Review the sshd configuration file without all the commentary with something like the below (assuming sshd_config is the correct file and in /etc/ssh)
$ grep -v "^#" /etc/ssh/sshd_config | grep -v "^$"
This just clears things out so we verify what we think we're changing (not necessarily whether it is correct or not.)
b. verify the configuration is valid using "-t"
From the man page of the sshd's I'm using,
-t Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change.
Other changes can have more subtle circumstances. For example, do not disable password authentication until you are sure that the public key authentication is working correctly.
c. start a verbose 'test' version of the server you can live monitor
$ sudo /usr/sbin/sshd -ddd -p 9999
This keeps your existing, working session active, but gives you another instance of sshd to verify your new configuration changes. SSHD is now running in the foreground to a user-defined port (9999 in our example.) and pushing a lot of noisy debug information you can track in /var/log/authlog (or possibly /var/log/auth.log depending on your OS.)
d. start a verbose 'test' client connection you can live monitor
Run the ssh client connection in verbose mode to display on your screen more information that might lead you to better debugging your error.
$ ssh -vvv -p 9999 server-name
You should now have enough information in either the server's log files, or the client's connection screen to isolate your problem.
The solution generally comes down to file permissions (as shown by Magnar and setatakahashi)
Best of luck
Solution 2
The server will ignore your authorized_keys file if the owner properties are wrong. Changing it to this fixes it:
chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/authorized_keys
Solution 3
$ chmod 700 ~
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
Check for these attributes in /etc/ssh/sshd_config
$ sudo grep PubkeyAuthentication /etc/ssh/sshd_config
$ sudo grep Protocol /etc/ssh/sshd_config
Solution 4
Another important pitfall..
If your home directory is encrypted sshd will not have access to ~/.ssh/authorized_keys..
See this answer
Related videos on Youtube
15 : 46
08 : 26
03 : 53
02 : 27
14 : 19
Magnar
Updated on September 17, 2022Comments
-
Magnar over 1 year
I have created a private/public dsa-keypair. I've put the public key on the server in
~/.ssh/authorized_keysEverything is set up like my other server, but it seems like the server is just ignoring my efforts.
-
Kristopher Johnson about 15 yearsCheck
/etc/ssh/ssh_configand/etc/ssh/sshd_configto verify that nothing you want is disabled. -
Vagnerr about 15 yearsYou will want to check sshd_config too.
-
Kristopher Johnson about 15 yearsThanks. I updated the answer (which originally mentioned only ssh_config).
-
chris almost 15 yearsAll of the above discussions are perfect for if you're using an openssh style of ssh. If you're system is using ssh2 then it has a totally wacky different way to manage keys. This article discusses the hows and whats. burnz.wordpress.com/2007/12/14/…
-
JaakL almost 12 yearsIn case you already logged out from server and cannot log in due to invalid server configuration then following forces client to use password: ssh <user>@<server> -p <port> -o 'PasswordAuthentication yes' -o 'ChallengeResponseAuthentication no' -o 'PreferredAuthentications password' -
Giovanni Toraldo about 11 yearsUsually checking
/var/log/auth.logon Debian systems or/var/log/secureon RedHat ones should give you a clear advice of what is misconfidured (usually permissions problems) -
ADTC over 8 yearsAll else being equal, runningrestorecon -R -v /root/.sshon the server side (not the connecting client) made a difference. Try this, if you fixed the permissions and it still wouldn't connect.
-
-
Dave Cheney about 15 yearsssh -vvv -l username server.domain will tell you if your sending a valid key
-
Olaf about 15 yearsSometimes I've seen sshd complain about bad permissions on the home directory - so I'd add "chmod o-rwx ~" (or at least "chmod o-w ~") to the list as setatakahashi did. This usually becomes obvious when the logfile is monitored - the error messages I've seen there always pointed in the correct direction. -
dwc about 15 yearsThis answer seems the most likely, but Dave Cheney's comment is the only way to see what's really going on. Also check server logs.
-
Memb about 15 yearsI guess you should also check the ssh_config file on the client end to make sure it is doing what you expect. Use something like the below to grep out comments: > grep -v "^#" /etc/ssh/ssh_config | grep -v "^$"
-
Dave Cheney almost 15 yearsExcellent point about ~, you must make sure that nobody other than yourself can write to your home directory, otherwise they could rename your ~/.ssh directory
-
SooDesuNe over 12 yearsthat last chmod should be:
$ chmod 600 ~/.ssh/authorized_keysnot$ chmod 600 ~/.sHh/authorized_keys -
Soviero over 12 yearsWell, the client ssh configuration can be fixed at anytime, it's the server you get locked out of if you configured it wrong. -
balolo almost 12 yearsThis did the trick, but my previous permissions were
0775and0644respectively. Why did reducing the permissions help? Is this a security precaution that's configured somewhere? -
Michael about 9 yearswhat should the attribute values be?
-
johndodo about 9 yearsTwo important things: 1) make sure the owner of
~/.ssh/authorized_keysis correct; 2) check for failure reason in log:tail -f /var/log/auth.log
