1

UPDATE: I've solved this strange problem by simply restarting sshd. However, I'm still wondering why, because I didn't change any configs since the server started.

I have 2 servers, one has CentOS 5 installed and the other has CentOS 6. ssh publickey works fine on the CentOS 5 one, but it doesn't work on the CentOS 6 one. I checked the permissions of the .ssh directory, and they are fine.

[root@localhost ~]# ls -Z .ssh/
drwxr-xr-x. root root unconfined_u:object_r:ssh_home_t:s0 .
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. root root unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. root root unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
-rw-r--r--. root root unconfined_u:object_r:ssh_home_t:s0 known_hosts

UPDATE: I've tried several permissions, including 600 and 644 for authorized_keys, and 700 and 755 for .ssh/; none of them work.

ssh -vvv gives these messages:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/zuohaocheng/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/zuohaocheng/.ssh/id_dsa
debug3: no such identity: /Users/zuohaocheng/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

Everything in sshd_config is at its default. Also, I copied the public key using ssh-copy-id.

Haocheng
  • That `authorized_keys` file is dated 2012-03-31. When did you copy your public key up to the server? Also, what command are you using on the client to ssh to the server? – Ladadadada Jan 14 '13 at 13:41
  • Is the format of the authorized_keys right? – golja Jan 14 '13 at 13:46
  • @Ladadadada `ssh -vvv username@host`. The public key was generated in 2012, so the date should be fine. – Haocheng Jan 14 '13 at 13:56
  • Please show either the error log from the SSH server, or the output of `sshd -d`. Keep in mind that the daemon will only process a single connection when started in debug mode. – Andrew B Jan 14 '13 at 14:56
  • @AndrewB I can only access the server through ssh, so I'm afraid that if I use `sshd -d`, some small mistakes may cause a much more serious problem. – Haocheng Jan 15 '13 at 01:07

6 Answers

1

You have the wrong permissions on authorized_keys. You should unset the read permission for group and other.

dchirikov
1

The directory/file permissions should look like the following:

chmod 700 ~/.ssh 
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub 

ls -l ~/.ssh should show you the chmod permissions. Check if PermitRootLogin Yes is enabled since you are copying the pub key generated in root's .ssh directory. This could generate the problem.

Valentin Bajrami
1

What are the permissions on ~/ (your home directory)? You cannot allow permissions at any level that would allow others to overwrite your ~/.ssh directory. If your home directory is anything more permissive than 755, you will be prompted for a password.

Alex
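The ownership and write-permission rule this answer describes is what sshd's StrictModes setting enforces on the home directory, `.ssh` and `authorized_keys`. The function below is an added example, not part of the original thread: `check_ssh_perms` is a hypothetical name, it assumes GNU `stat`, and it does not look at SELinux labels.

```shell
#!/bin/sh
# Added example: approximates the StrictModes path check sshd applies before
# it will read authorized_keys. Assumes GNU stat (stat -c), as on CentOS.
#
# check_ssh_perms HOME_DIR [UID]
#   Prints one line per problem; returns 0 if the path is acceptable, 1 if not.
check_ssh_perms() {
    local home uid bad path owner mode
    home="$1"
    uid="${2:-$(id -u)}"
    bad=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        owner=$(stat -c %u "$path")   # numeric owner uid
        mode=$(stat -c %a "$path")    # octal mode, e.g. 755
        # Each component must belong to the account itself or to root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
            echo "OWNER    $path is owned by uid $owner, expected $uid or 0"
            bad=1
        fi
        # Any group- or world-write bit (mask 022) lets another account
        # replace the key file, so the path is rejected.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE     $path is $mode (group or world writable)"
            bad=1
        fi
    done
    return $bad
}

# Check the invoking user's own home by default, or the directory given as $1.
check_ssh_perms "${1:-${HOME:-/root}}" || true
```

Run it on the server as the account that fails to log in; a clean result with key authentication still failing points away from file modes and toward the SELinux context or the daemon's logs.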
1

If you are running SELinux, that could be the issue. The type of the .ssh dir and files underneath should be ssh_home_t. You can verify with ls -Z, and restore with restorecon -Rv .ssh.

/var/log/secure might have more detailed error messages also.

lsd
  • Thank you for your advice, I've fixed them, but it still doesn't work. Also, that log doesn't give any information. – Haocheng Jan 14 '13 at 14:40
0

Permission on authorized_keys must be 600 to make public key authentication work.

Cloudmeteor
0

I'm running into the same issue and it turns out it's related to the fact that I moved my home directory to another disk (for space reasons) and the default security settings don't like this new place, so sshd cannot or will not find my .ssh directory. Trying to figure out how to update the ssh_home_t settings.