SSH Private Key Not Working in Some Directories

Question

I have a strange issue where SSH won't properly connect with a private-key if the key file is in certain directories. I've setup the keys on a set of servers and the following command

ssh -i /root/privatekey keyuser@host.com

works fine and I login to the given host without getting prompted by a password, but this command:

ssh -i /etc/keyfiles/privatekey keyuser@host.com

gives me a password prompt. I've narrowed it down that this behavior occurs in only some sub-directories of /etc/. For example /etc/httpd1/ gives me a password prompt but /etc/httpd/ does not.

What I've checked so far:

All private key files used are identical (copied from the original file).
The private key file and directories used have identical permissions.
No relevant error messages in the server/client logs.
No interesting debug messages from ssh -v (it just seems to skip the key file).
It happens with connecting to different hosts.

After more testing it is not the actual directory name. For example:

mkdir /etc/test
cp /root/privatekey /etc/test
ssh -i /etc/test/privatekey keyuser@host.com    # Results in password prompt
cp /root/privatekey /etc/httpd                  # Existing directory
ls -ald test httpd
  # drwxr-xr-x 4 root root 4096 Mar  5 18:25 httpd
  # drwxr-xr-x 2 root root 4096 Mar  5 18:43 test
ssh -i /etc/httpd/privatekey keyuser@host.com   # Results in *no* prompt
rm -r test
cp -R /etc/httpd /etc/test
ssh -i /etc/test/privatekey keyuser@host.com   # Results in *no* prompt`

I'm sure its just something simple I've overlooked but I'm at a loss.

The issue turned out to be a public key in the directory with the name `privatekey.pub` that was from another server. Deleting that public key file or replacing it with the correct one for the local server removed the password prompt. — uesp, Mar 06 '11 at 16:03

Bittrance · Answer 1 · 2011-03-06T00:09:19.477

2

The likely reason is the permissions and ownership of the directories. ssh is paranoid and refuses a key based on the permissions of the parent directory as well as permissions on the key and the directory containing it.

I do this in my environment install:

    ln -fs $(PWD)/ssh3 $(INSTALL_DIR)/.ssh
    # Make sure the permissions are OK; ssh is paranoid
    chmod 700 ssh3
    find ssh3/ -type f -exec chmod 600 {} \;

It is known to work on CentOS 4 and 5.

edited Mar 06 '11 at 00:09

answered Mar 06 '11 at 00:03

Bittrance

3,070
3
24
27

This sort of error should definitely be printed in your ssh server log, especially if you turn up the debug level... – Phil Hollenback Mar 06 '11 at 00:12
It is the openssh client who is doing the check for the client private key. – Mircea Vutcovici Mar 06 '11 at 00:40

score 0 · Accepted Answer · answered Mar 06 '11 at 00:01

I suggest looking at 'ssh -vvv' output when connecting. Also increase the loglevel to DEBUG in your /etc/ssh/sshd_config. That should give you some idea of what is going on.

Are some of your subdirectories links and some real directories? I assume this has got to be some sort of weird permission problem somewhere.

SSH Private Key Not Working in Some Directories

2 Answers2