passwordless ssh not working

Question

I've tried to setup a password-less ssh b/w A to B and B to A as well. Generated the public and private key using ssh-keygen -trsa on both the machines. Used the ssh-copy-id utility to copy the public-keys from A to B as well as B to A.

The passwordless ssh works from A to B but not from B to A. I've checked the permissions of the ~/ssh/ folder and seems to be normal.

A's .ssh folder permissions:

-rw-------  1 root root 13530 2011-07-26 23:00 known_hosts
-rw-------  1 root root   403 2011-07-27 00:35 id_rsa.pub
-rw-------  1 root root  1675 2011-07-27 00:35 id_rsa
-rw-------  1 root root   799 2011-07-27 00:37 authorized_keys
drwxrwx--- 70 root root  4096 2011-07-27 00:37 ..
drwx------  2 root root  4096 2011-07-27 00:38 .

B's .ssh folder permissions:

-rw------- 1 root root  884 2011-07-07 13:15 known_hosts
-rw-r--r-- 1 root root  396 2011-07-27 00:15 id_rsa.pub
-rw------- 1 root root 1675 2011-07-27 00:15 id_rsa
-rw------- 1 root root 2545 2011-07-27 00:36 authorized_keys
drwxr-xr-x 8 root root 4096 2011-07-06 19:44 ..
drwx------ 2 root root 4096 2011-07-27 00:15 .

A is an ubuntu 10.04 (OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009) B is a debian machine (OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007)

From A:

#ssh B

works fine.

From B:

#ssh -vvv A 
...
...
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x7f1581f23a50)
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1495
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@192.168.122.1's password:

Which essentially means it's not authenticating using the file /root/id_rsa. I ran the ssh-add command in both the machines as well.

The authentication part of /etc/ssh/sshd_config file is

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files

I'm running out of ideas. Any help would be appreciated.

score 49 · Answer 1 · edited Apr 13 '17 at 12:24

After setting up password-less ssh, I was still asked for my user password. Looking at /var/log/auth.log on the remote machine pointed out the issue:

sshd[4215]: Authentication refused: bad ownership or modes for directory /home/<user>

So, make sure to have it right:

chmod o-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

While forbidding other users to write over your .ssh folder is obvious, having the same requirement for your home folder was trickier.

Also, check /etc/ssh/ssd_config to ensure that RSAAuthentication and PubkeyAuthentication options aren't disabled. Default is yes so that shouldn't be a problem.

score 24 · Accepted Answer · edited Jul 27 '11 at 10:41

Just make sure that you have followed the following procedure:

On Machine A

open a terminal and enter the commands as follows:

root@aneesh-pc:~# id

Just to make sure that we are root.

If the above command output something like below we are root else switch to root using the su command

uid=0(root) gid=0(root) groups=0(root)

1) Create the keys.

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
49:7d:30:7d:67:db:58:51:42:75:78:9c:06:e1:0c:8d root@aneesh-pc
The key's randomart image is:
+--[ RSA 2048]----+
|          ooo+==B|
|         . E=.o+B|
|        . . .+.*o|
|       . . .  ...|
|        S        |
|                 |
|                 |
|                 |
|                 |
+-----------------+

I haven't used any passphrase. If you need one you can use it.

2) Copy the public key in to machine B's .ssh/authorized_keys file

root@aneesh-pc:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@mylap
root@mylap's password:

Now try logging into the machine, with ssh 'root@mylap', and check in:

~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Replace mylap with the hostname or ip of the machine you want to login (i.e. machine B)

3) Login to B without password

root@aneesh-pc:~# ssh root@mylap
Warning: Permanently added 'mylap,192.168.1.200' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Wed Jul 27 15:23:58 2011 from streaming-desktop.local
aneesh@mylap:~$

On Machine B

4) Create the keys to login back to Machine A

root@mylap:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
35:9f:e7:81:ed:02:f9:fd:ad:ef:08:c6:4e:19:76:b1 root@streaming-desktop
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|          o   .  |
|         . + + o |
|        S o * E  |
|           = O . |
|            O +  |
|           + o o.|
|            . o+=|
+-----------------+

5) Copy the public key in to machine A's .ssh/authorized_keys file

root@mylap:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
root@aneesh-pc's password:

Now try logging into the machine, with ssh 'root@aneesh-pc', and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

6) Login to A without password

ssh root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)

 * Documentation:  https://help.ubuntu.com/


Last login: Tue Jul 26 18:52:55 2011 from 192.168.1.116

If you are able to complete these steps You are done. Now you have two machines with ssh-key (public-key) enabled login.

score 14 · Answer 3 · edited Oct 16 '12 at 09:03

Probably just a higher level permissions problem. You need to remove write permissions from group and other to your home directory and .ssh directory. To fix these permissions, run chmod 755 ~ ~/.ssh or chmod go-w ~ ~/.ssh.

If you're still having problems, issue the following grep on your log:

sudo egrep -i 'ssh.*LOCAL_USER_NAME' /var/log/secure

(replace LOCAL_USER_NAME with your local user name...)

That should hopefully tell you more about your problem, assuming sshd authentication information is being logged to the secure log, which is should be by default. If you see errors that look like this:

DATE HOSTNAME sshd[1317]: Authentication refused: bad ownership or modes for directory /path/to/some/directory

It's the problem described above and you need to find the directory in question and remove the write permissions from group and other.

As for the reason that you would need to restrict write permissions to your home directory (even though permissions are already restricted on your .ssh and subsequent directories) it will allow other users to rename your .ssh directory and make a new one - although that would be unusable as is (due to wrong permissions) the fix for most users would probably be to change the permissions rather than check the content of the directory...

TLDNR: Allowing write access for group and/or other to your home directory will make ssh force password login.

score 2 · Answer 4 · edited Mar 01 '17 at 13:04

are you using the root account on each machine? Usually on Ubuntu you would use a user account and give it sudo privileges as required.

If your using a non root user sudo chown $USER -R ~/.ssh may fix your problem

Other things to check:

double check that B's id_rsa.pub is in A's authorized_keys.

check A's /etc/ssh/sshd_config contains

PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes

score -3 · Answer 5 · answered May 31 '12 at 22:13

in /etc/ssh/sshd_config on the target change

PermitRootLogin no

to

PermitRootLogin yes

then kill -HUP your sshd PID:

root@dzone2 # ps -ef|grep ssh root 28075 27576 0 Nov 17 ? 6:11 /usr/lib/ssh/sshd

root 17708 20618   0 10:09:30 pts/37      0:00 grep ssh root@dzone2 # kill -HUP 28075 root@dzone2 # ps -ef|grep ssh
root 17861 20618   0 10:09:44 pts/37      0:00 grep ssh
root 17852 27576   0 10:09:42 ?           0:00 /usr/lib/ssh/sshd

passwordless ssh not working

5 Answers5

PermitRootLogin no

Linked