1

I have two servers running RHEL 5. Both have nearly identical configurations. I have set up RSA Publickey authentication on both, and one works but the other does not:

[my_user@client] $ ssh my_user@server1

--- server1 MOTD Banner ---

[my_user@server1] $

and on the other server:

[my_user@client] $ ssh my_user@server2
my_user@server2's password:

--- server2 MOTD Banner ---

[my_user@server2] $

server2's /etc/ssh/sshd_config file snippet:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile        .ssh/authorized_keys

When I run ssh -vvv I get the following snippet:

debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug3: Next authentication method: publickey
debug1: Offering public key: /home/my_user/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentication that can continue: publickey,gssapi-with-mic,passowrd
debug1: Offering public key: /home/my_user/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentication that can continue: publickey,gssapi-with-mic,passowrd
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
my_user@server2's password:

EDIT: both the servers and the client's .ssh directories have 700 permissions, and all the files within have 644 or 600 permissions

aaron

4 Answers

3

Have you checked the filesystem permissions on both machines? sshd is a bit picky about permissions on the .ssh folder and the files in this folder.

.ssh should have 700 and the files should have 644 or less.

Christian
1

The solution to this is going to be simple assuming you have not changed the sshd_config between the servers. You can run a diff against them to be sure.

As Christian said, permissions are usually the most likely cause.

If the permissions are accurate, there is going to be a mismatch between the private and public keypair on one of the servers.

Warner
1

Since the obvious responses have been aptly given, some other debugging options:

Perform a diff between .ssh/authorized_keys on server1 and server2.

Run the sshd daemon in the foreground with logging and it should give you the rationale for why it's rejected the authentication key.

samt
0

Christian and Warner were on the right track: it was a permissions error, but it was because of the home directory, not the .ssh directory:

$# tail --f=n /var/log/secure
Mar 22 10:52:57 my_server2 sshd[6278]: Authentication refused: bad ownership or modes for directory /home/my_user

$# ls -la /home/my_user
drwxrwx--- 21 my_user my_user    4096 Mar 22  10:37 .
...

After chmod'ing the directory to 755 the login worked correctly.

aaron
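
The check behind the "bad ownership or modes for directory" log line, as an added example that is not part of the original thread and is not OpenSSH's own code: with StrictModes enabled, sshd rejects a key when the key file or any directory from it up to the home directory is group- or world-writable, or is owned by someone other than the user or root. The function name and the temporary directory tree are constructed for illustration; the modes reproduce the 770 home directory from the answer above and the 755 fix.

```python
import os
import stat
import tempfile

def strictmodes_problems(keyfile, home, uid):
    """List (path, reason) pairs that a StrictModes-style check would reject.

    Walks from the key file up to and including the home directory. Each
    component must be owned by `uid` or root and must not be writable by
    group or others (mode & 0o022 must be 0).
    """
    problems = []
    home = os.path.realpath(home)
    path = os.path.realpath(keyfile)
    while True:
        st = os.stat(path)
        if st.st_uid not in (0, uid):
            problems.append((path, "bad owner uid %d" % st.st_uid))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, "group/world writable, mode %o" % mode))
        if path == home:
            break
        parent = os.path.dirname(path)
        if parent == path:  # reached / without passing through home
            problems.append((keyfile, "not located under " + home))
            break
        path = parent
    return problems

def demo():
    """Constructed sample tree with the modes described in the thread."""
    home = os.path.realpath(tempfile.mkdtemp())
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    open(keyfile, "w").close()
    os.chmod(ssh_dir, 0o700)
    os.chmod(keyfile, 0o600)
    os.chmod(home, 0o770)   # drwxrwx---, as on server2
    before = strictmodes_problems(keyfile, home, os.getuid())
    os.chmod(home, 0o755)   # the fix applied in the answer
    after = strictmodes_problems(keyfile, home, os.getuid())
    return home, before, after

if __name__ == "__main__":
    home, before, after = demo()
    print("home 770:", before)
    print("home 755:", after)
```

On a real host, call `strictmodes_problems("/home/my_user/.ssh/authorized_keys", "/home/my_user", uid)` with the account's numeric uid; an empty list means none of the ownership or mode conditions above is violated.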