How to use public-key ssh authentication

5

I have 2 ubuntu 12.04 (beta) servers (node1 and node2) and want to establish passwordless root access between them. Other users should not have access to other boxes. Also note that ssh default port is changed to 220.

Here's what I did:

sudo -i
cd /root/.ssh
ssh-keygen -t rsa # with default name and empty password
cat id_rsa.pub > authorized_keys

then copied id_rsa & id_rsa.pub to node2 and added id_rsa.pub to authorized_keys. Both hosts have the same /root/.ssh/config file:

Host node1
Hostname 1.2.3.4
Port 220
IdentityFile /root/.ssh/id_rsa

Host node2
Hostname 5.6.7.8
Port 220
IdentityFile /root/.ssh/id_rsa

Now the problem is that when I type ssh node2 it asks me for password. What may be the problem?

Update:

Debug info on client:

debug1: Server host key: RSA ***
debug1: Host '[*.*.*.*]:220' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

Debug info on server:

debug1: userauth-request for user root service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "*.*.*.*"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Found matching RSA key: ****
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x7f0647b0c1b0 is allowed
debug3: mm_request_send entering: type 22
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
Postponed publickey for root from *.*.*.* port 38887 ssh2 [preauth]

Permissions:

drwx------ 2 root root   4096 Mar 26 15:34 .ssh

-rw------- 1 root root  840 Mar 26 14:50 authorized_keys
-rw-r--r-- 1 root root  225 Mar 26 15:34 config
-rw------- 1 root root 1679 Mar 26 14:47 id_rsa
-rw-r--r-- 1 root root 2652 Mar 26 14:39 known_hosts

Some lines from config files:

PermitRootLogin without-password
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys
UsePAM no # also tried yes

Poma

Posted 2012-03-26T11:19:01.713

Reputation: 1 267

Have you been through all the other questions about this first? There are many suggestions as to how to troubleshoot this problem, and it generally comes down to permissions on .ssh/* and /etc/sshd_config – Paul – 2012-03-26T12:26:50.537

@Paul Yep I've read those (not all to be honest) and found nothing useful – Poma – 2012-03-26T13:22:39.470

Is that debug from the client side? Can you enable debugging on the server side and see what it doesn't like? – Paul – 2012-03-26T23:08:33.083

1What's the permission for /root itself? It would be better practice to have to key-pairs and add the public key to the remote side's authorized_keys, rather than copying the private keys across. – Bruno – 2012-03-27T01:38:57.360

@Paul added server debug info to my question – Poma – 2012-03-27T16:06:04.417

@Bruno /root permissions are 700 as always – Poma – 2012-03-27T16:06:28.643

Poma, are you certain that is the end of the server debug - the pasted log doesn't get to the point where it fails, there should be more after the postponed. – Paul – 2012-03-27T21:10:20.900

@Paul yes this is the last line. At this point ssh client asks for password. – Poma – 2012-03-31T10:47:36.873

I don't see an id_rsa.pub in your permissions listing. Do you have one on the "client" machine? Also, best practice would dictate that root@machinea copies its id_rsa.pub into machineb:/root/.ssh/authorized_keys and root@machineb copies its id_rsa.pub into machinea:/root/.ssh/authorized_keys. This is where a comment field is helpful (authorized_keys, just after the key, space, then a comment). Also http://askubuntu.com/questions/54670/passwordless-ssh-not-working suggest that user dir (/root?) have go+rx permission.

– maxwellb – 2012-05-03T09:49:14.107

Answers

3

Is root's home directory encrypted (perhaps by ecryptfs)?

I was having a similar issue where public key authentication would not work unless the user already had an active session. Reading this question, I realized that by choosing to encrypt the user's home directory I was preventing sshd from reading ~/.ssh/authorized_keys unless the user was already logged in on another session (which would then automatically decrypt the home directory).

I resolved the issue by switching to unencrypted home directories, after which public key authentication started working.

eallrich

Posted 2012-03-26T11:19:01.713

Reputation: 31

+1: thanks, I was having a problem with .Xauthority and I thought it was related. It seems this is the first time I try to ssh to my other PC without being logged in... – Avio – 2012-09-30T17:39:37.193

1

ssh comes with a command to copy the public key to the remote server, ssh-copy-id. It takes care of any necessary permissions and various other "gotcha" issues.

Example:

ssh-copy-id -i $HOME/.ssh/id_dsa user@server.example.com

After copying with ssh-copy-id you should no longer be asked for a password when you ssh.

Michael Hampton

Posted 2012-03-26T11:19:01.713

Reputation: 11 744

0

Some suggestions:

  • Check the permissions of your /root/.ssh (and its contents
  • Check whether ssh allows root-login and/or public key authentication (/etc/ssh/sshd_config iirc)
  • use ssh -v -v to see more debugging output

jakob

Posted 2012-03-26T11:19:01.713

Reputation: 241

I've already checked those. Everything looks ok to me. I've updated my answer with more info. – Poma – 2012-03-26T13:14:21.007

0

Use LogLevel DEBUG in /etc/ssh/sshd_config to debug. One possible gotcha is having the .ssh directory in /home/someuser/, as it should be under /root/.

tuomassalo

Posted 2012-03-26T11:19:01.713

Reputation: 423

0

I encountered this, because I had one encrypted user on my system. This leads the sshd into the assumption, that every users directory is encrypted and the authorized_keys file is located under /etc/ssh/username/authorized_keys

For me it worked, after I moved the authorized key to /etc/ssh/username/ and then chown -R username:username /etc/ssh/username/. Funny enough, that I had to do this for every user, even the not encrypted ones!

ansi_lumen

Posted 2012-03-26T11:19:01.713

Reputation: 219

Asked: 2012-03-26T11:19:01.713

Viewed: 17 670 times

Active: 2013-09-10T10:34:34.310