SSH still asks for password after setting up key based authentication

10

6

I have successfully created key-based auth for the root user from my A machine to my B machine.

Now, I created a new user on the B machine, the same as on the A machine, let's call him USER. I created a home dir for him on the B machine, /home/USER, and I want to create key-based auth for him from machine A to machine B.

So, I ran on A machine

  1. ssh-keygen -t rsa, accepted all default paths, so /home/USER/.ssh/id_rsa, and with no passphrase
  2. ssh-copy-id -i /home/USER/.ssh/id_rsa.pub USER@BmachinesIP, entered the password and got the message

Now try logging into the machine bla bla bla

So everything seems to be OK.

But when I tried to connect with ssh USER@BmachinesIP I was asked for a password. I tried to see the log and ran ssh -vvv USER@BmachinesIP, and here is part of the output:

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USER/.ssh/id_dsa
debug3: no such identity: /home/USER/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USER@BmachinesIP's password:

So, can anyone tell me what I've done wrong or what I should change? Maybe the issue is with the permissions; here they are:

on A machine:

drwx------  2 USER USER    SIZE DATE TIME .ssh
-rw-------  1 USER USER 1675 2011-10-31 14:36 id_rsa
-rw-r--r--  1 USER USER 413 2011-10-31 14:36 id_rsa.pub

and on B machine:

drwx------  2 USER defaultGroup    SIZE DATE TIME .ssh
-rw-------    1 USER defaultGroup    SIZE DATE TIME authorized_keys

tratto

Posted 2011-10-31T09:33:33.870

Reputation: 231

Answers

13

I have found a solution. There was an issue with permissions.

/home/USER on the remote machine was granted all permissions, but for key-based auth it must be set to 755.

tratto

Posted 2011-10-31T09:33:33.870

Reputation: 231

Same problem for me on a fresh CentOS7 install. I checked permissions. Played with /etc/ssh/sshd_config settings && service sshd restart. Client (ssh -vvv) logs "debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply". Server logs "Failed publickey for * from * port * ssh2: RSA *". Try "LogLevel VERBOSE" in sshd_config. INTERESTING: If I run sshd on a different port, 'sshd -p 5555 -d', the key works. Passwordless login ok. WTF? Well. Then I disabled selinux. Rebooted. Passwordless login worked ok. – gaoithe – 2016-05-04T12:33:21.367

2

Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config. – jchook – 2013-02-18T16:47:56.553

Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that? – Pablo Olmos de Aguilera C. – 2013-04-07T22:54:49.893

Seems that there's no way; the only workaround would be to set StrictModes no in sshd_config. :/ – Pablo Olmos de Aguilera C. – 2013-04-07T23:02:34.193

2

Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: http://askubuntu.com/questions/54670/passwordless-ssh-not-working – erik – 2013-07-30T21:27:05.197

2

I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled. – Amalgovinus – 2014-06-17T02:05:39.037

2

Same problem for me on a fresh CentOS7 install.

1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)

chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys

2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit). Useful: try "LogLevel VERBOSE" in sshd_config.

I still got the password prompt after checking that all of this was ok.

Running the ssh client with -vvv logs:

debug3: send_pubkey_test 
debug2: we sent a publickey packet, wait for reply

Server (/var/log/secure) logs:

Failed publickey for * from * port * ssh2: RSA *

The ssh server doesn't send more error info to the client, as that would be a security risk.

If I ran sshd on a different port ('sshd -p 5555 -d'), the key worked. Passwordless login ok. WTF?

Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and rebooted. Passwordless login then worked ok.

My current working sshd_config settings:

[root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config  
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
HostbasedAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem   sftp    /usr/libexec/openssh/sftp-server

So it would be nice to know whether we could change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?

gaoithe

Posted 2011-10-31T09:33:33.870

Reputation: 423

0

The solution is not to disable SELinux but to fix the SELinux context of the user directory. The user directory context must be set to user_home_t.

To check,

$ sudo ls -Z /home/

If the context for your user directory is anything other than user_home_t, SELinux will not allow SSH via public key into that user directory for that user.

To fix,

$ sudo semanage fcontext -a -t user_home_t /home/azureuser
$ sudo restorecon -vvRF /home/azureuser

The key based login should now work.

sentifool

Posted 2011-10-31T09:33:33.870

Reputation: 1
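The permission rules from erik's comment and gaoithe's answer (home, ~/.ssh and ~/.ssh/authorized_keys must not be group- or world-writable, which is what sshd's default StrictModes enforces) and the SELinux label check from sentifool's answer, collected into one server-side diagnostic script. This is an added example, not code from any of the posts; it assumes GNU coreutils stat (BSD stat as a fallback) and that it is run on machine B as root or as the user in question.

```shell
#!/bin/sh
# Reproduce the ownership and write-permission checks sshd applies under
# "StrictModes yes" to ~, ~/.ssh and ~/.ssh/authorized_keys, so a "still asks
# for a password" login can be diagnosed before editing sshd_config or SELinux.
# Added example, not from the original posts. Assumes GNU stat (BSD fallback).

mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_path PATH USER: fail if PATH is missing, not owned by USER (or root),
# or writable by group or others; these are the StrictModes conditions.
check_path() {
    path="$1"; user="$2"
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    mode=$(mode_of "$path"); own=$(owner_of "$path")
    if [ "$own" != "$user" ] && [ "$own" != root ]; then
        echo "BAD      $path owned by $own, expected $user"; return 1
    fi
    # Octal 022 masks the group-write and other-write bits; 775 or 770 trips it.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD      $path is group/world writable (mode $mode)"; return 1
    fi
    echo "ok       $path (mode $mode, owner $own)"
}

# check_ssh_perms HOME USER: run all three checks, report every problem,
# return 0 only when the whole chain would pass StrictModes.
check_ssh_perms() {
    home="$1"; user="$2"; rc=0
    check_path "$home" "$user"                      || rc=1
    check_path "$home/.ssh" "$user"                 || rc=1
    check_path "$home/.ssh/authorized_keys" "$user" || rc=1
    # On an enforcing SELinux host also show the labels sshd will see, so a
    # mislabelled home directory (sentifool's case) is visible in the same
    # report; compare them with the policy default from matchpathcon PATH.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
        ls -Zd "$home" "$home/.ssh" "$home/.ssh/authorized_keys"
    fi
    return $rc
}

# Usage on machine B:  check_ssh_perms /home/USER USER
```

A non-zero exit plus a BAD line points at the exact path sshd is rejecting, which the client-side -vvv output never shows.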