SSH key-based authentication doesn't work
````
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
#Port 22
Port [Something non-standard]
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys2
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
````
In /root/.ssh/ I have the file "authorized_keys2" which contains the public key. When I try to log in from my pc with
````
ssh -i /place/of/private/key -p [the non-standard port] 123.465.798.123
````
it still asks for the root password. What's wrong?
9 Replies
PermitRootLogin no
Also, check that the key in authorized_keys2 is all on one line. Sometimes it will get split across lines when you paste it.
-James
PasswordAuthentication no
-James
I'm sure you know it's not considered best practice to use the root login for SSH.
@irgeek:
What does the key look like? It should start with ssh-dss or ssh-rsa and end with ==
-James
It starts with ssh-rsa and ends with ==
> Did you try to set:
> PasswordAuthentication no
No I didn't, but I shouldn't need to. Both password and key authentication should be able to work at the same time.
> Have you sent sshd SIGHUP (or restarted it) to cause it to reread the conf file?
> I'm sure you know it's not considered best practice to use the root login for SSH.
I did restart sshd, no luck. I know I shouldn't use root login, I don't, I just enabled it for testing this.
That being said…
First:
You don't mention what distro you are using, but generally speaking, any modern instance of SSHD is going to be looking for authorized_keys, not authorized_keys2. The authorized_keys2 filename is deprecated. If in doubt, rename authorized_keys2 to authorized_keys and create a symlink from authorized_keys2 to authorized_keys.
Second:
Make sure your directory & file permissions are correct.
~ ---> 0700
~/.ssh ---> 0700
~/.ssh/authorized_keys* ---> 0600
~/.ssh/id_* ---> 0600
~/.ssh/id_*.pub ---> 0600 or 0640
in other words…
user's homedir is permission 0700
user's .ssh dir is 0700
authorized_keys, authorized_keys2 0600
all private keys 0600
all public keys -- does not matter but 0600 is not inappropriate
If these file & dir permissions are not correct, key auth will always fail.
Have you checked /var/log/secure to check for error messages associated with authentication? That's your best bet to tell you what's broken. File permissions and any other issues will be logged there, or depending on your syslog.conf, perhaps /var/log/messages, or whatever is defined for authpriv.* in /etc/syslog.conf.
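A script for the checks this reply lists, added here as an example and not code from the thread: it walks a home directory and reports each permission or key-line problem it finds (the names check_key_setup, perm_of and note are my own; it also accepts the ssh-ed25519 and ecdsa-sha2 key types of newer OpenSSH, which the thread does not mention).

```sh
#!/bin/sh
# Added example, not from the thread: checks the conditions the reply above
# lists (0700 dirs, 0600 authorized_keys*, each key on a single line).
# Usage: check_key_setup /root   -> prints each problem, exit 1 if any.

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

note() { echo "$1"; problems=$((problems + 1)); }

check_key_setup() {
    home=$1
    keyfile="$home/.ssh/authorized_keys"
    problems=0

    # Home and ~/.ssh: the reply asks for 0700 (sshd's StrictModes itself only
    # rejects group/world-writable directories, which 0700 also satisfies).
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then note "missing directory: $d"; continue; fi
        p=$(perm_of "$d")
        [ "$p" = 700 ] || note "$d is mode $p, expected 700"
    done

    # authorized_keys and the deprecated authorized_keys2: 0600, one key per line.
    found=0
    for f in "$keyfile" "${keyfile}2"; do
        [ -f "$f" ] || continue
        found=1
        p=$(perm_of "$f")
        [ "$p" = 600 ] || note "$f is mode $p, expected 600"
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case "$line" in
                ''|'#'*) ;;                                   # blank or comment
                "ssh-rsa "*|"ssh-dss "*) ;;                   # types named in the thread
                "ssh-ed25519 "*|"ecdsa-sha2-"*) ;;            # newer OpenSSH types (assumption)
                *) note "$f line $n does not start with a key type (key split across lines?)" ;;
            esac
        done < "$f"
    done
    [ "$found" = 1 ] || note "no authorized_keys file under $home/.ssh"

    [ "$problems" -eq 0 ]
}
```

Run it as the user whose login fails (or as root against that user's home); a pasted key that got wrapped shows up as a line that begins with base64 text instead of a key type.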
> any modern instance of SSHD is going to be looking for authorized_keys, not authorized_keys2. The authorized_keys2 filename is deprecated. If in doubt, rename authorized_keys2 to authorized_keys and create a symlink from authorized_keys2 to authorized_keys.
Check my initial post, I've specified
````
AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys2
````
so it should be fine. I'll check the file permissions and logs and report back. Thanks!