SSH key-based authentication doesn't work

Here's the /etc/ssh/sshd_config on the server:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
#Port 22
Port [Something none-standard]
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile    %h/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys2

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

In /root/.ssh/ I have the file "authorized_keys2" which contains the public key. When I try to log in from my PC with

ssh -i /place/of/private/key -p [the non-standard port] 123.465.798.123

it still asks for the root password. What's wrong?

9 Replies

It may be because you've specified root can't log in:

PermitRootLogin no

Also, check that the key in authorized_keys2 is all on one line. Sometimes it will get split across lines when you paste it.

-James

I've enabled root login and the key is in one line. Still no luck. Any ideas?

Did you try to set:

PasswordAuthentication no

What does the key look like? It should start with ssh-dss or ssh-rsa and end with ==

-James

Have you sent sshd SIGHUP (or restarted it) to cause it to reread the conf file?

I'm sure you know it's not considered best practice to use the root login for SSH.

@irgeek:

> What does the key look like? It should start with ssh-dss or ssh-rsa and end with ==
>
> -James

It starts with ssh-rsa and ends with ==

> Did you try to set:
>
> PasswordAuthentication no

No I didn't, but I shouldn't need to. Both password and key authentication should be able to work at the same time.

> Have you sent sshd SIGHUP (or restarted it) to cause it to reread the conf file?
>
> I'm sure you know it's not considered best practice to use the root login for SSH.

I did restart sshd, no luck. I know I shouldn't use root login, I don't, I just enabled it for testing this.

Can't help it…you shouldn't be doing this for root -- even for testing as you mention. Ugh.

That being said…

First:

You don't mention what distro you are using, but generally speaking, any modern instance of SSHD is going to be looking for authorized_keys, not authorized_keys2. The authorized_keys2 filename is deprecated. If in doubt, rename authorized_keys2 to authorized_keys and create a symlink from authorized_keys2 to authorized_keys.

Second:

Make sure your directory & file permissions are correct.

~ ---> 0700

~/.ssh ---> 0700

~/.ssh/authorized_keys* ---> 0600

~/.ssh/id_* ---> 0600

~/.ssh/id_*.pub ---> 0600 or 0640

in other words…

user's homedir is permission 0700

user's .ssh dir is 0700

authorized_keys, authorized_keys2 0600

all private keys 0600

all public keys -- does not matter but 0600 is not inappropriate

If these file & dir permissions are not correct, key auth will always fail.

Have you checked /var/log/secure to check for error messages associated with authentication? That's your best bet to tell you what's broken. File permissions and any other issues will be logged there, or depending on your syslog.conf, perhaps /var/log/messages, or whatever is defined for authpriv.* in /etc/syslog.conf.
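A defender-side audit of the two things the replies ask for: the mode table in the post above and James's earlier "key all on one line" check. This is an added example, not a script from the thread; it assumes GNU stat (BSD stat as fallback) and takes the home directory to inspect as its argument.

```shell
#!/bin/sh
# Added example, not from the thread: audit the layout the replies above
# describe. Verifies the directory/file modes the permissions post lists and
# that every entry in authorized_keys* is one well-formed line (James's
# "all on one line" check). Assumes GNU stat, with BSD stat as a fallback.

# Print a path's mode in octal.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# require_mode PATH "MODE..." : succeed if PATH exists with one of the listed
# octal modes; otherwise print why and fail.
require_mode() {
    path=$1; allowed=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    m=$(mode_of "$path")
    for a in $allowed; do [ "$m" = "$a" ] && return 0; done
    echo "bad mode $m on $path (want one of: $allowed)"
    return 1
}

# check_key_dir HOME : returns 0 only when every rule passes.
check_key_dir() {
    home=$1; rc=0
    require_mode "$home" "700" || rc=1
    require_mode "$home/.ssh" "700" || rc=1
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$f" ] || continue
        require_mode "$f" "600" || rc=1
        # A key pasted with a line break shows up as a continuation line whose
        # first field is base64 rather than a key type (option-prefixed
        # entries are not handled here).
        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac
            case ${line%% *} in ssh-rsa|ssh-dss) ;;
                *) echo "split or malformed entry in $f: ${line%% *}"; rc=1 ;;
            esac
        done < "$f"
    done
    for k in "$home"/.ssh/id_*; do
        [ -e "$k" ] || continue
        case $k in *.pub) require_mode "$k" "600 640" || rc=1 ;;
                   *)     require_mode "$k" "600" || rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as `check_key_dir /root` (or the user's home) on the server; anything it prints is the same condition sshd's StrictModes will reject and log to the auth log.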

> any modern instance of SSHD is going to be looking for authorized_keys, not authorized_keys2. The authorized_keys2 filename is deprecated. If in doubt, rename authorized_keys2 to authorized_keys and create a symlink from authorized_keys2 to authorized_keys.

Check my initial post, I've specified

```
AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys2
```

so it should be fine. I'll check the file permissions and logs and report back. Thanks!

Try to connect from your Linode to itself via "ssh -v localhost" and it should tell you what's wrong.
