3

I have configured sshd to accept key-based ssh logins with LogLevel set to DEBUG, and uploaded my public key to ~/.ssh/authorized_keys, where permissions are set as:

    700 ~/.ssh
    600 ~/.ssh/authorized_keys

From root, I can `su - USERNAME`. From the client I get "Permission denied (publickey)". On the server, here is how it tells me that it "Could not open authorized keys '/home/USERNAME/.ssh/authorized_keys': Permission denied":

    Client protocol version 2.0; client software version OpenSSH_5.2
    match: OpenSSH_5.2 pat OpenSSH*
    Enabling compatibility mode for protocol 2.0
    Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
    permanently_set_uid: 105/65534 [preauth]
    list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
    SSH2_MSG_KEXINIT sent [preauth]
    SSH2_MSG_KEXINIT received [preauth]
    kex: client->server aes128-ctr hmac-md5 none [preauth]
    kex: server->client aes128-ctr hmac-md5 none [preauth]
    SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
    SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
    expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
    SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
    SSH2_MSG_NEWKEYS sent [preauth]
    expecting SSH2_MSG_NEWKEYS [preauth]
    SSH2_MSG_NEWKEYS received [preauth]
    KEX done [preauth]
    userauth-request for user USERNAME service ssh-connection method none [preauth]
    attempt 0 failures 0 [preauth]
    PAM: initializing for "USERNAME"
    PAM: setting PAM_RHOST to "USERHOSTNAME"
    PAM: setting PAM_TTY to "ssh"
    userauth_send_banner: sent [preauth]
    userauth-request for user USERNAME service ssh-connection method publickey [preauth]
    attempt 1 failures 0 [preauth]
    test whether pkalg/pkblob are acceptable [preauth]
    Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
    Checking blacklist file /etc/ssh/blacklist.RSA-4096
    temporarily_use_uid: 1001/1002 (e=0/0)
    trying public key file /home/USERNAME/.ssh/authorized_keys
    Could not open authorized keys '/home/USERNAME/.ssh/authorized_keys': Permission denied
    restore_uid: 0/0
    temporarily_use_uid: 1001/1002 (e=0/0)
    trying public key file /home/USERNAME/.ssh/authorized_keys2
    Could not open authorized keys '/home/USERNAME/.ssh/authorized_keys2': Permission denied
    restore_uid: 0/0
    Failed publickey for USERNAME from IPADDRESS port 57523 ssh2
    Connection closed by IPADDRESS [preauth]
    do_cleanup [preauth]
    monitor_read_log: child log fd closed
    do_cleanup
    PAM: cleanup
user125176
  • What is the ownership of .ssh? Can you make sure by chown -R USERNAME .ssh? – johnshen64 Jun 19 '12 at 12:50
  • And what is the ownership of authorized_keys? – Dima Chubarov Jun 19 '12 at 13:03
  • I'm assuming you can SSH normally, providing the password. It's just a problem with your SSH keys. This may help you... http://serverfault.com/questions/396935/ssh-keys-authentication-keeps-asking-for-password/396942#396942 – Ash Jun 19 '12 at 13:36

4 Answers

4
    chown 1001:1002 /home/USERNAME/.ssh/authorized_keys
mgorven
  • In further detail, based on the logs, it looks like the user you are trying to SSH in as isn't the owner of the .ssh directory and/or files. You might also need to set the correct user:group on the `/home/USERNAME/.ssh` directory – Ryan Gibbons Jul 05 '12 at 01:28
1

For me /usr/NX/home/nx/.ssh/authorized_keys was wrongly named /usr/NX/home/nx/.ssh/authorized_keys2 even after reinstallation. Here is how I fixed it:

/usr/NX/home/nx/.ssh # cp authorized_keys2 authorized_keys
/usr/NX/home/nx/.ssh # chown nx authorized_keys

I blogged about it at http://www.linuxintro.org/wiki/Nx#The_NX_service_is_not_available

Thorsten Staerk
-1

It is not your own user that accesses those files, so 600 and 700 are not going to work. Plus, there's no need to secure it like that; there's nothing secure in authorized_keys.

Halfgaar
  • It is actually in the context of the connecting user that sshd reads authorized_keys and, if authentication is successful, proceeds to create a virtual terminal. With correct ownership 0600 should work. – Dima Chubarov Jun 19 '12 at 13:07
-4

Your permissions are wrong:

    chmod 755 /home/USERNAME/.ssh
    chmod 644 /home/USERNAME/.ssh/authorized_keys
Sirch
  • For security reasons, with the default config, OpenSSH will ignore an authorized_keys file with global and group read permissions on .ssh or .ssh/authorized_keys – Ryan Gibbons Jul 04 '12 at 20:13
  • I have to disagree with you, I took those permissions from my home directory, it works fine. – Sirch Jul 04 '12 at 23:23
  • Feel free, here it is in their FAQ. http://www.openssh.org/faq.html#3.14 And here is the sshd_config man page. http://www.manpagez.com/man/5/sshd_config/ `Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is ``yes''. Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.` – Ryan Gibbons Jul 05 '12 at 01:25
  • But 755 and 644 are not group/world writable. And indeed, I have these too and it works fine with StrictModes enabled. – b0fh Jul 05 '12 at 08:03
  • Thank you for the man page, 755 is rwxr-xr-x, 644 is rw-r--r--, neither of which is writeable by anyone other than yourself, and fine for sshd. – Sirch Jul 05 '12 at 13:04
  • Yes, I know what 755 and 744 are. Nowhere in that quote does it say it only checks if they are world writable. It says it checks ownership and file modes. It says it does this /because/ novices will leave their directory world writable. It doesn't say it only checks for that. The FAQ gives the example of setting the permission to 600 on the authorized_keys file (why would you set execute on it?). The last dozen or so servers I've configured in the last few months all required go-rwx ... – Ryan Gibbons Jul 06 '12 at 16:28
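The two failure modes argued about above (the OP's "Could not open authorized keys ... Permission denied", fixed by mgorven's chown, and the StrictModes dispute under Sirch's answer) can be reproduced offline with a small audit function. This is an added example, not code from the thread or from OpenSSH: it re-implements what sshd does in order, first opening the file with the target user's uid (so that uid needs read access, which a root-owned 600 file does not give), then, with StrictModes yes, applying the secure_filename() rule to the file and every directory up to the home directory: owned by the user or root, and not group- or world-writable. Read access for group/other is not checked, which is why 755/644 passes. The function assumes GNU coreutils stat (-c), takes the home directory and file as plain absolute paths, and approximates the read test by the owner bit (file owned by the user) or the "other" bit (file owned by root), ignoring group membership.

```sh
#!/bin/sh
# audit_authorized_keys HOME_DIR UID FILE
#   Prints each problem sshd would hit and returns 0 only if sshd would
#   accept FILE as UID's authorized_keys (StrictModes yes).
# Assumptions (example code): GNU stat; HOME_DIR and FILE are absolute paths
# without symlinked components; the read test ignores group membership.
audit_authorized_keys() {
    ak_home=$1; ak_uid=$2; ak_file=$3; ak_rc=0

    # Step 1: sshd opens the file with the user's privileges
    # (temporarily_use_uid in the log). If that uid cannot read it, the
    # open fails with EACCES before any StrictModes check runs.
    [ -e "$ak_file" ] || { echo "missing: $ak_file"; return 1; }
    set -- $(stat -L -c '%u %a' "$ak_file")
    if [ "$1" = "$ak_uid" ]; then
        ak_rbit=$(( 0$2 & 0400 ))   # user owns it: owner read bit
    else
        ak_rbit=$(( 0$2 & 0004 ))   # someone else (e.g. root) owns it: other read bit
    fi
    if [ "$ak_rbit" -eq 0 ]; then
        echo "not readable by uid $ak_uid (owner $1, mode $2): $ak_file"; ak_rc=1
    fi

    # Step 2: StrictModes walk, as in OpenSSH secure_filename(): the file,
    # then each parent directory up to and including the home directory.
    # Each must be owned by the user or root and must not be group- or
    # world-writable (mode & 022 == 0). Read bits are not inspected here.
    ak_path=$ak_file
    while :; do
        [ -e "$ak_path" ] || { echo "missing: $ak_path"; return 1; }
        set -- $(stat -L -c '%u %a' "$ak_path")
        if [ "$1" != "$ak_uid" ] && [ "$1" != 0 ]; then
            echo "bad owner $1 (want $ak_uid or root): $ak_path"; ak_rc=1
        fi
        if [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "group/world writable (mode $2): $ak_path"; ak_rc=1
        fi
        [ "$ak_path" = "$ak_home" ] && break
        ak_parent=$(dirname "$ak_path")
        [ "$ak_parent" = "$ak_path" ] && break   # reached /, home was not an ancestor
        ak_path=$ak_parent
    done
    return $ak_rc
}

# Run as a script: sh audit.sh /home/USERNAME 1001 /home/USERNAME/.ssh/authorized_keys
if [ "$#" -eq 3 ]; then
    audit_authorized_keys "$@"
fi
```

Running it against the OP's layout with the user's real uid reports the ownership problem that mgorven's chown fixes; running it against 755/644 reports nothing, matching what b0fh and Sirch observed with StrictModes enabled.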