SSH public key authentication doesn't work

Question

I'm having trouble setting up public key authentication for an SSH server on Ubuntu Server 12.04 (A) for authentication from an Ubuntu Server 13.04 (B).

What I'm doing now (I'm trying to follow the instructions here):

On B: Create a new key with ssh-keygen -C "", using no passphrase, writing to /.ssh/id_rsa - I don't get any errors
On B: Run ssh-copy-id -i /.ssh/id_rsa user@host-a - also, a success message
On B: ssh -i /.ssh/id_rsa user@host-a - I still have to enter my password for user@host-a

On A, I checked if the /.ssh/authorized_keys is modified after running ssh-copy-id, and this is the case. Also, on both devices I added this to /etc/ssh/sshd_config:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /.ssh/authorized_keys

Does anyone know what might be the problem here?

Here's the tail of my /var/log/auth.log on machine A:

Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on 0.0.0.0 port 22.
Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on :: port 22.
Jun 13 22:18:27 laptop-camil sshd[12345]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:30 laptop-camil sshd[12345]: Accepted password for camilstaps from 164.138.27.37 port 48407 ssh2
Jun 13 22:18:30 laptop-camil sshd[12345]: pam_unix(sshd:session): session opened for user camilstaps by (uid=0)
Jun 13 22:18:35 laptop-camil sshd[12464]: Received disconnect from 164.138.27.37: 11: disconnected by user
Jun 13 22:18:35 laptop-camil sshd[12345]: pam_unix(sshd:session): session closed for user camilstaps
Jun 13 22:18:42 laptop-camil sshd[12516]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:44 laptop-camil sshd[12516]: Connection closed by <host-b> [preauth]

belacqua · Accepted Answer · 2013-06-13T21:19:08.183

Anything in log files, particularly /var/log/auth.log? You might also double-check permissions on the .ssh directory and files.

I haven't had to modify sshd_config for this kind of access, myself. I am wondering if your modification broke things, especially the AuthorizedKeysFile line. Typically, you would want to put the authorized_keys under $USER/.ssh .

Here are the permission from a user on one of my servers:

:~/.ssh$ ls -ld .
drwx------ 2 rrd rrd 4096 May 28 17:57 .

:~/.ssh$ ll
total 280
-rw-r----- 1 rrd rrd   4351 May 22 16:20 authorized_keys
-rw------- 1 rrd rrd   1679 Apr 27  2012 id_rsa
-rw-r--r-- 1 rrd rrd    399 Apr 27  2012 id_rsa.pub
-rw-r--r-- 1 rrd rrd 266138 Jun 13 00:18 known_hosts

Make sure the individual files are at least this restricted.

As guntbert points out, also check that the directory and files are owned by you. The permissions won't make sense (or work) otherwise.

Who owns the keys in authorized_keys on B? (The bit that says user@host after the key.) Is it root@A ?

That is, in looking at ~/.ssh/authorized_keys, what is the equivalent of bert@etherbert for your set-up:

ssh-rsa AAAA...ffsII8dSaDF33 bert@etherbet

I would just edit the remote .ssh/authorized keys manually for testing, putting in the id_rsa.pub contents of the user you are intiating the connection with.

Make sure you are coming from the user that has the key in the remote authorized_keys file.

guntbert · Answer 2 · 2013-06-13T20:50:44.483

4

The directory ~/.ssh MUST be owned by the user, not root. So change that and it will work.

To avoid having to type the passphrase for your private key every time you use ssh-agent. ssh-add .ssh/id_rsa will add the key to the agent, from then on the agent will provide the key to ssh.

edited Jun 13 '13 at 20:50

answered Jun 13 '13 at 20:44

guntbert

13,475

score 3 · Answer 3 · answered Jan 22 '16 at 13:12

Besides all the other guys had provided the solutions, my additional suggestion is you should first check the logging file: /var/log/secure, which is where sshd puts logs in. If something goes wrong, checking what sshd has complained in /var/log/secure will quickly narrow down the possible issues.

score 2 · Answer 4 · answered Apr 15 '16 at 05:12

This is an old question and already answered, but if the user has the home directory encrypted (using ecryptfs or some such), ssh daemon will not be able to see the ~/.ssh/authorized_keys file. If that is the case follow the solution listed here.

This solution recommends changing sshd configuration (/etc/ssh/sshd_config) and changing AuthorizedKeysFile to /etc/ssh/%u/authorized_keys and copying your authorized_keys file to /etc/ssh/username/authorized_keys file (along with proper ownership for /etc/ssh/username and proper permissions as required by sshd).

score 0 · Answer 5 · answered Nov 11 '16 at 11:53

Nothing worked for me. I don't know why ? I tried each solution.

First

ssh-copy-id : did not copy id_rsa & id_rsa.pub

Second

ssh-agent $SHELL

ssh-add -L

ssh-add

ssh-copy-id -i remote-host

Both did not work. I guess I am unlucky. Someone was saying to change the permission of .ssh folder from root. I thought that'd be not a better option. What I was doing when my above case failed. I created a new key on server and save this key on github / gitlab. That's also not a cool way. Here I tried an alternate, I hope it may help someone.

First I create a folder on remote server with that user permission who can write into it. Then I follow below steps on my local machine

cd ~/.ssh

scp -r * remote_user@192.168.100.**:path_to_writable_folder_on_remote_server

And then I logged in on remote server and then

cd path_to_that_folder_where_I_copied_keys

& Then

mv * ~/.ssh

(whew) Finally, it worked.

SSH public key authentication doesn't work

5 Answers5

Linked