Passwordless authentication not working

0

I am trying to set up passwordless authentication between my web server and a reporting server using the steps below. It works fine in my dev environment; however, in the customer environment it doesn't.


Steps:

As testUser user on web server:

mkdir ~/.ssh

cd ~/.ssh

ssh-keygen (use default file location and empty passphrase)

ssh-keygen -t dsa (as before)

Transfer the generated public keys to Reporting server.

As testUser user:

sftp testUser@<ReportServerName>

put id_dsa.pub

put id_rsa.pub

quit

Do the following steps on the Reporting server.

As testUser user:

mkdir ~/.ssh

cd ~/.ssh

cat ~/id_rsa.pub >> authorized_keys

cat ~/id_dsa.pub >> authorized_keys2

rm ~/id_*.pub

chmod 644 auth*

As root user vi /etc/ssh/sshd_config

Uncomment ‘PubkeyAuthentication yes’

/etc/init.d/sshd restart

After doing these steps, when I try to sftp testUser@ it still asks me for a password.

Can someone help?

Sameer

Posted 2016-07-07T10:33:09.440

Reputation: 1

Why are you putting one key in authorized_keys and the other in authorized_keys2? (The latter name has been abandoned many years ago.) Why do you have two keys in the first place? (Just one type is enough, usually rsa or ed25519.) – user1686 – 2016-07-07T10:55:41.583

It should be ~/.ssh/authorized_keys. Also, what OpenSSH version are you using? – Jakuje – 2016-07-07T11:38:40.860

Answers

2

There are multiple possible pitfalls here. Because you created the directories yourself, permissions may be wrong.

The following permissions are required:

  • The ~/.ssh directory should not be readable by anyone but the owner, so usually chmod 700. It must not be writable by anyone but the owner.
  • Private key files must not be readable or writable by anyone but the owner, so usually chmod 600. ssh-keygen already does that for you.
  • The ~/.ssh/authorized_keys file must not be writable by anyone but the owner, so at least chmod 644. (Public keys are not secret—by definition!)

If in doubt: Run sshd in debug mode. It will stay attached to the terminal:

sudo /usr/bin/sshd -p 2222 -d

Then, connect from your client, on port 2222:

ssh -p 2222 my-ssh-server

The server will log whatever error it encounters. It could be something like this:

Authentication refused: bad ownership or modes for directory /home/fuzzy/.ssh

Daniel B

Posted 2016-07-07T10:33:09.440

Reputation: 40 502

Really helpful about running in debug mode. From that I quickly realized that not only .ssh, but the directory containing .ssh has to be chmod 700. None of the many instructions I read mentioned that. Thanks a lot! – GregT – 2017-10-26T23:02:31.543

0

There are a number of debug steps:

  • Check the logs on both sides. Likely /var/log/auth.log.
  • Run your ssh connection in verbose mode ssh -v.
  • Check the access mode of each directory from ~/.ssh to '/'. None of these directories can be group or other writable.

You can test access with these two lines. (Assumes root permissions are OK).

cd ~/.ssh; DIR=$PWD
while [ "$DIR" != '/' ]; do ls -ld "$DIR"; DIR=$(dirname "$DIR"); done

BillThor

Posted 2016-07-07T10:33:09.440

Reputation: 9 384
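Both answers above come down to the same check sshd performs when StrictModes is on: authorized_keys, ~/.ssh and the directories above them must be owned by the user (or root) and must not be group- or world-writable. The script below, added here and not taken from either answer, re-implements that check for one home directory so it can be run on the reporting server before digging through sshd -d output; check_ssh_tree, check_entry and path_stat are hypothetical names, and the walk stops at the home directory because that is where sshd stops for a file under it.

```shell
#!/bin/sh
# Re-implements the ownership and mode checks sshd applies (StrictModes)
# to ~/.ssh/authorized_keys, ~/.ssh and every parent directory up to the
# home directory. Hypothetical helper script, not part of OpenSSH.

# Print "<uid> <octal mode>" for a path (GNU stat first, then BSD stat).
path_stat() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1" 2>/dev/null
}

# Pass if $1 is owned by uid $2 (or root) and is not group- or
# world-writable; otherwise print why and return 1.
check_entry() {
    path=$1; want_uid=$2
    out=$(path_stat "$path") || { echo "cannot stat $path"; return 1; }
    uid=${out% *}; mode=${out#* }
    perm=${mode#"${mode%???}"}      # keep the last three octal digits
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "bad owner (uid $uid) on $path"; return 1
    fi
    # sshd rejects when (st_mode & 022) != 0: group write or other write.
    if [ $(( (0$perm >> 3) & 2 )) -ne 0 ] || [ $(( 0$perm & 2 )) -ne 0 ]; then
        echo "group/other writable (mode $perm) on $path"; return 1
    fi
}

# Check the home directory given as $1. Prints one line per problem and
# returns the number of problems found, so 0 means sshd will be satisfied.
check_ssh_tree() {
    home=$1; bad=0
    out=$(path_stat "$home") || { echo "cannot stat $home"; return 1; }
    owner=${out% *}                 # expected owner: whoever owns $home
    for f in "$home/.ssh/authorized_keys" "$home/.ssh"; do
        check_entry "$f" "$owner" || bad=$((bad + 1))
    done
    dir=$home/.ssh
    while :; do                     # walk upwards until the home dir or /
        dir=$(dirname "$dir")
        check_entry "$dir" "$owner" || bad=$((bad + 1))
        if [ "$dir" = "$home" ] || [ "$dir" = / ]; then break; fi
    done
    return "$bad"
}

check_ssh_tree "${1:-$HOME}" && echo "ssh file modes OK under ${1:-$HOME}"
```

Run it as the affected user on the reporting server (`sh check.sh` or `sh check.sh /home/testUser`); a group-writable home directory, the case GregT ran into, is reported as "group/other writable (mode 775) on /home/testUser".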