Why must I use sudo for ssh public key authentication to work?

3

I cannot ssh from my computer (OS X) to my Raspberry Pi (Ubuntu MATE), unless I use sudo. I am using a public/private keypair to authenticate.

The appropriate public key is added to the authorized_users file on the Raspberry Pi.

The permissions for my .ssh directory are 700. The permissions for my key files are 600.

This is the output from ssh with -v flag:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/username/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

ls:

-rw------- 1 username staff 3326 May 18 23:24 id_rsa 
-rw-r--r-- 1 username staff 752 May 18 23:24 id_rsa.pub 

.ssh:

drwx------  11 username   staff    374 May 19 21:49 .ssh

IMerin

Posted 2015-05-20T01:45:03.750

Reputation: 39

Have you checked that username definitely owns .ssh and its contents? – Paul – 2015-05-20T01:50:15.737

@Paul Yes the appropriate user owns the .ssh directory and its contents – IMerin – 2015-05-20T01:51:58.350

And the .ssh directory itself? Please [edit] if you have more information to add to the question – Paul – 2015-05-20T01:54:28.490

@Paul, added .ssh information – IMerin – 2015-05-20T01:55:51.947

Hang on, when you do sudo it uses the root .ssh directory. What username are you logging into the rpi with? – Paul – 2015-05-20T01:57:24.553

@Paul, you're onto something here. Explicitly stating the username causes permission denied (public key), even when using sudo. It seems it's an issue with my setup on the raspberry pi, then. – IMerin – 2015-05-20T02:02:35.223

Yeah, you must be logging in as root remotely when you use sudo, so the problem probably lies in the authorized_keys of username – Paul – 2015-05-20T02:04:11.780

Answers

1

You probably shared root's ssh key, perhaps by doing sudo when you did ssh-copy-id. Make sure username's public key is also in the authorized_keys on the destination.

Eric Renouf

Posted 2015-05-20T01:45:03.750

Reputation: 1 548

the key in authorized_users is identical to my non-root public key – IMerin – 2015-05-20T02:00:01.277

So if you do, say, md5sum on both id_rsa.pub and authorized_keys they're the same? (assuming you have only the one key in authorized_keys). Presumably if it works with sudo it should also match the /root/.ssh/id_rsa.pub file, so are all 3 the same? – Eric Renouf – 2015-05-20T02:03:06.633

there are multiple keys in authorized_key. I believe the issue is that I am logging in against the root on my raspberry pi when I want to be logging in as a specific user. I'm going to physically access the machine and check the user's authorized_key file – IMerin – 2015-05-20T02:04:57.317

Ah, well when you do sudo your default user to connect as will be root instead of username – Eric Renouf – 2015-05-20T02:07:05.950

1

There seems to be a disconnect here. You keep saying authorized_users; others keep saying authorized_keys. The public key for a user is put into the home directory for the user in a file called .ssh/authorized_keys, not .ssh/authorized_users. Since ssh is working for root, you might want to look at the directory for ~root/.ssh and make the directory for ~user_name/.ssh look the same - except, of course, that the keys will be the ones for that user, not for root.

froth

Posted 2015-05-20T01:45:03.750

Reputation: 46

Thanks, the authorized_users/authorized_keys thing was simply me typing the wrong name. The issue turned out to be that root owned the /etc/ssh directory, rather than username. I fixed that and everything appears to be working properly – IMerin – 2015-05-21T14:00:30.593

A user should never own any files in the /etc directory. They need read and execute permission for /etc/ssh and read access to most of the files in the directory, the exceptions being the private key files and the sshd files. If the user owns a file in /etc they can give themselves write permission and affect every other user on the system including root. – froth – 2015-05-21T22:37:26.763
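
The checks discussed in this answer and in the comments under the question (the file name authorized_keys, who owns .ssh, and its permissions) can be scripted on the machine being logged in to. The following is an added example, not part of the original posts; the function names audit_ssh_dir and demo are hypothetical, and the owner test is a conservative approximation of sshd's default StrictModes check, which also accepts root as owner.

```shell
#!/bin/sh
# Added example: audit the paths sshd consults for one account's public key login.
# audit_ssh_dir HOME OWNER -> prints one line per problem, returns 1 if any.
# OWNER is a user name or a numeric uid (find -user accepts both).
audit_ssh_dir() {
    home=$1 owner=$2 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1; continue
        fi
        # -prune makes find test only $p itself, not what is below it.
        if [ -z "$(find "$p" -prune -user "$owner")" ]; then
            echo "OWNER $p"; bad=1
        fi
        # Writable by group or others: with StrictModes the key file is ignored.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $p"; bad=1
        fi
    done
    return "$bad"
}

# Constructed demo: a throwaway home directory with the naming mistake from
# the thread (key stored as authorized_users) and a group-writable .ssh.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/.ssh" && chmod 770 "$d/.ssh"
    : > "$d/.ssh/authorized_users"
    audit_ssh_dir "$d" "$(id -u)"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Real use, on the machine you log in to: audit_ssh_dir /home/username username
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with --demo, it reports the group-writable .ssh and the missing authorized_keys in the constructed directory.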