SSH connection with public RSA key

Question

I have next configuration in our corporative network:

Client: (artur@lothlorien.isd)

/etc/ssh/ssh_config:

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

File permissions:

artur@lothlorien:~$ ls -la ~/.ssh | grep "authorized_keys"
-rw-------  1 artur artur  407 чер  4 10:11 authorized_keys
artur@lothlorien:~$ ls -la ~ | grep ".ssh"
drwx------  2 artur artur   4096 чер  4 10:33 .ssh

More:

Server added to ~/.ssh/known_hosts Content of File
~/.ssh/id_rsa.pub appended to home directory of isd_programmer@server.isd user

/proc/version:

Linux version 3.5.0-32-generic (buildd@akateko) (gcc version 4.7.2 (Ubuntu/Linaro 4.7.2-2ubuntu1) ) #53-Ubuntu SMP Wed May 29 20:23:04 UTC 2013

Server: (isd_programmer@server.isd)

/etc/ssh/ssh_config same like on artur@lothlorien.isd
file permissions 600 for ~/.ssh/authorized_keys
directory permissions 700 for ~/.ssh
isd_programmer@server> cat ~/.ssh/authorized_keys have public key of artur@lothlorien.isd

/proc/version:

Linux version 2.6.38-16-server (buildd@batsu) (gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu4) ) #67-Ubuntu SMP Thu Sep 6 18:15:24 UTC 2012

Connection:

artur@lothlorien:~$ ssh isd_programmer@server.isd -v
OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server.isd [192.168.1.201] port 22.
debug1: Connection established.
debug1: identity file /home/artur/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/artur/.ssh/id_rsa-cert type -1
debug1: identity file /home/artur/.ssh/id_dsa type -1
debug1: identity file /home/artur/.ssh/id_dsa-cert type -1
debug1: identity file /home/artur/.ssh/id_ecdsa type -1
debug1: identity file /home/artur/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-1ubuntu3
debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA bf:55:f2:57:f1:8e:c9:cf:a1:3f:f8:d0:81:6b:d4:7d
debug1: Host 'server.isd' is known and matches the ECDSA host key.
debug1: Found key in /home/artur/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/artur/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/artur/.ssh/id_dsa
debug1: Trying private key: /home/artur/.ssh/id_ecdsa
debug1: Next authentication method: password
isd_programmer@server.isd's password:

As for me looks like all is configured corect, but why I get prompt to enter password?

UPD (2013-06-07 07:05:12): found in sudo less -500 /var/log/auth.log:

Authentication refused: bad ownership or modes for directory /var/www

/var/www is home directory for isd_programmer@server.isd

Look at the logs on the server, and potentially start sshd with debug on the server (/usr/sbin/sshd -DDD) to see what it says. Note that stopping sshd wont kill your already open ssh sessions. — espenfjo, Jun 07 '13 at 06:46
Updated my question. Got information from `/var/log/auth.log` — Arthur Halma, Jun 07 '13 at 07:06

score 2 · Answer 1 · answered Jun 07 '13 at 06:50

Several reasons come to mind:

Server is configured to not allow key authentication
Client host is either not in hosts.allow or is in hosts.deny
Client user is not a permitted ssh user
Permissions prevent authorized_keys from being read (check all parent directories)
Permissions are too broad for authorized_keys (file and all parent directories must not be writable by anyone other than root and desired user).
key doesn't match

There are more reasons, these are the ones that came immediately to mind. Remember this site is about solving problems for everyone, not tailoring answers to your specific server.

score 1 · Accepted Answer · answered Jun 07 '13 at 07:31

Solved this problem myself. /var/www has rights:

drwxrwxr-x 112 isd_programmer www-data    4096 2013-06-07 10:24 www

I can't change permissions since there are more users in www-data group who need access to this folder. But StrictModes in /etc/ssh/sshd_config was set to yes (default). So I changed it to no and restarted sshd: sudo restart ssh.

score 0 · Answer 3 · answered Jun 07 '13 at 06:49

0

You missed private key in Client: (artur@lothlorien.isd).

In artur@lothlorien.isd, place id_rsa in /home/artur/.ssh/ for SSH to work.

answered Jun 07 '13 at 06:49

cuonglm

2,386
2
16
20

I have this file – Arthur Halma Jun 07 '13 at 06:51

SSH connection with public RSA key

Client: (artur@lothlorien.isd)

Server: (isd_programmer@server.isd)

Connection:

3 Answers3