11

I'm having trouble setting up public key authentication for an SSH server on Ubuntu Server 12.04 (A) for authentication from an Ubuntu Server 13.04 (B).

What I'm doing now (I'm trying to follow the instructions here):

  • On B: Create a new key with ssh-keygen -C "", using no passphrase, writing to /.ssh/id_rsa - I don't get any errors
  • On B: Run ssh-copy-id -i /.ssh/id_rsa user@host-a - also, a success message
  • On B: ssh -i /.ssh/id_rsa user@host-a - I still have to enter my password for user@host-a

On A, I checked if the /.ssh/authorized_keys is modified after running ssh-copy-id, and this is the case. Also, on both devices I added this to /etc/ssh/sshd_config:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /.ssh/authorized_keys

Does anyone know what might be the problem here?

Here's the tail of my /var/log/auth.log on machine A:

Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on 0.0.0.0 port 22.
Jun 13 22:17:56 laptop-camil sshd[12344]: Server listening on :: port 22.
Jun 13 22:18:27 laptop-camil sshd[12345]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:30 laptop-camil sshd[12345]: Accepted password for camilstaps from 164.138.27.37 port 48407 ssh2
Jun 13 22:18:30 laptop-camil sshd[12345]: pam_unix(sshd:session): session opened for user camilstaps by (uid=0)
Jun 13 22:18:35 laptop-camil sshd[12464]: Received disconnect from 164.138.27.37: 11: disconnected by user
Jun 13 22:18:35 laptop-camil sshd[12345]: pam_unix(sshd:session): session closed for user camilstaps
Jun 13 22:18:42 laptop-camil sshd[12516]: Authentication refused: bad ownership or modes for directory /.ssh
Jun 13 22:18:44 laptop-camil sshd[12516]: Connection closed by <host-b> [preauth]
dessert
  • 39,982
  • 1
    What is the user you are using, and are you editing ~user/.ssh ? – belacqua Jun 13 '13 at 20:48
  • @belacqua On B, I'm using sudo -s. I'm editing /.ssh, but both the root and the camilstaps user have homedir /, so that would be the same as ~user/.ssh if I'm not mistaken. –  Jun 13 '13 at 20:48
  • Hmm. Are you trying to ssh into the box as camilstaps? You would need the permissions fixed to you, as guntbert says. This breaks the default set up for root, which you can't ssh with by default, anyway. – belacqua Jun 13 '13 at 20:50
  • Any chance you could use a real user home dir? It would make life less complicated. – belacqua Jun 13 '13 at 20:53
  • @belacqua unfortunately not :( I don't quite get your other message - I'm running sudo -s on the local host B, and try to login to camilstaps@laptop-camil (remote host A). On B, root owns /.ssh. On A, camilstaps owns /.ssh. –  Jun 13 '13 at 20:57
  • Who owns the keys in authorized_keys on B? (The bit that says user@host after the key.) Is it root@A ? – belacqua Jun 13 '13 at 21:04
  • @belacqua no, that's camilstaps:camilstaps, with permissions 640. –  Jun 13 '13 at 21:04
  • Ok, adding more to my answer. – belacqua Jun 13 '13 at 21:06
  • https://stackoverflow.com/questions/6377009/adding-public-key-to-ssh-authorized-keys-does-not-log-me-in-automatically – Ciro Santilli OurBigBook.com Sep 13 '17 at 12:42

5 Answers5

8

Anything in log files, particularly /var/log/auth.log? You might also double-check permissions on the .ssh directory and files.

I haven't had to modify sshd_config for this kind of access, myself. I am wondering if your modification broke things, especially the AuthorizedKeysFile line. Typically, you would want to put the authorized_keys under $USER/.ssh .

Here are the permission from a user on one of my servers:

:~/.ssh$ ls -ld .
drwx------ 2 rrd rrd 4096 May 28 17:57 .

:~/.ssh$ ll
total 280
-rw-r----- 1 rrd rrd   4351 May 22 16:20 authorized_keys
-rw------- 1 rrd rrd   1679 Apr 27  2012 id_rsa
-rw-r--r-- 1 rrd rrd    399 Apr 27  2012 id_rsa.pub
-rw-r--r-- 1 rrd rrd 266138 Jun 13 00:18 known_hosts

Make sure the individual files are at least this restricted.

As guntbert points out, also check that the directory and files are owned by you. The permissions won't make sense (or work) otherwise.

Who owns the keys in authorized_keys on B? (The bit that says user@host after the key.) Is it root@A ?

That is, in looking at ~/.ssh/authorized_keys, what is the equivalent of bert@etherbert for your set-up: 

ssh-rsa AAAA...ffsII8dSaDF33 bert@etherbet

I would just edit the remote .ssh/authorized keys manually for testing, putting in the id_rsa.pub contents of the user you are intiating the connection with.

Make sure you are coming from the user that has the key in the remote authorized_keys file.

belacqua
  • 23,120
  • I'm a newbie - what logfiles should I check (on which machine)? The permissions are set - for testing - to 777. The home directory of both the user and the root is /. I'll try to comment the lines in and see if that changes anything –  Jun 13 '13 at 20:17
  • 1
    You need to make the permissions more restrictive, typically. I'll check my settings. /var/log/auth.log is good to check. – belacqua Jun 13 '13 at 20:18
  • Heh, I thought for once about permissions.. :) I tried commenting it on both machines, restarting the ssh service, but that didn't change anything, unfortunately. –  Jun 13 '13 at 20:20
  • 1
    Yeah, looks like it is complaining about permissions in .ssh . – belacqua Jun 13 '13 at 20:34
  • please show us the output of ls -ld .ssh – guntbert Jun 13 '13 at 20:38
  • @guntbert it's drwx------ 2 root root 4096 Jun 13 21:22 /.ssh on both machines now (I changed it), but it doesn't work.. yet :) ideas? –  Jun 13 '13 at 20:40
  • Huh, okay, so now it suddenly works, but I don't remember what exact steps I did so I don't know who to give the accepted answer... (CC @guntbert) - also without accepted answer, thanks a lot both! This is great. –  Jun 13 '13 at 21:03
  • No worries. Good to hear. – belacqua Jun 13 '13 at 21:14
  • I had already checked ~/.ssh but auth.log said: Authentication refused: bad ownership or modes for directory /home/ – marlar Sep 02 '21 at 11:31
4

The directory ~/.ssh MUST be owned by the user, not root. So change that and it will work.

To avoid having to type the passphrase for your private key every time you use ssh-agent. ssh-add .ssh/id_rsa will add the key to the agent, from then on the agent will provide the key to ssh.

guntbert
  • 13,134
  • That shows progress! :) but now I have to input the passphrase and the password for the remote host every time I open an SSH connection.. –  Jun 13 '13 at 20:47
  • Unfortunately, this doesn't help :( (Note: I had to do this as well) –  Jun 13 '13 at 20:58
  • If you log in graphically you can add the key ring so the key for your ssh are automaticly added each time you log in.

    If you log in from that machine, you don't need to add password any more after that. Unless you log out, then you need to add that password once again.

    If you have problems connecting, try out ssh -v -v -v -v (yes, many -v) to get more loggings whan happens when you connect from the client. Read and look at strange messages. /var/log/auth.log are messages on the server side, you should always look there too.

     – Anders Jun 14 '13 at 18:24
3

Besides all the other guys had provided the solutions, my additional suggestion is you should first check the logging file: /var/log/secure, which is where sshd puts logs in. If something goes wrong, checking what sshd has complained in /var/log/secure will quickly narrow down the possible issues.

Meow
  • 131
  • 3
2

This is an old question and already answered, but if the user has the home directory encrypted (using ecryptfs or some such), ssh daemon will not be able to see the ~/.ssh/authorized_keys file. If that is the case follow the solution listed here.

This solution recommends changing sshd configuration (/etc/ssh/sshd_config) and changing AuthorizedKeysFile to /etc/ssh/%u/authorized_keys and copying your authorized_keys file to /etc/ssh/username/authorized_keys file (along with proper ownership for /etc/ssh/username and proper permissions as required by sshd).

journeyer
  • 121
0

Nothing worked for me. I don't know why ? I tried each solution.

First

ssh-copy-id : did not copy id_rsa & id_rsa.pub

Second

ssh-agent $SHELL

ssh-add -L

ssh-add

ssh-copy-id -i remote-host

Both did not work. I guess I am unlucky. Someone was saying to change the permission of .ssh folder from root. I thought that'd be not a better option. What I was doing when my above case failed. I created a new key on server and save this key on github / gitlab. That's also not a cool way. Here I tried an alternate, I hope it may help someone.

First I create a folder on remote server with that user permission who can write into it. Then I follow below steps on my local machine

cd ~/.ssh

scp -r * remote_user@192.168.100.**:path_to_writable_folder_on_remote_server

And then I logged in on remote server and then

cd path_to_that_folder_where_I_copied_keys

& Then

mv * ~/.ssh

(whew) Finally, it worked.

Vineet
  • 101