My machine recently stopped accepting incoming public key authentication. I have an ubuntu 11.04 desktop that I ssh into from a windows machine. I use putty with pageant. I am able to connect but only with interactive password authentication, not with my rsa key that I have setup.
I have already verified that the key is listed in ~/.ssh/authorized_keys. How do I fix this and what do I check?
39 Answers
If public key authentication doesn't work: make sure that on the server side, your home directory (~), the ~/.ssh directory, and the ~/.ssh/authorized_keys file, are all writable only by their owner. In particular, none of them must be writable by the group (even if the user is alone in the group). chmod 755 or chmod 700 is ok, chmod 770 is not.
What to check when something is wrong:
- Run
ssh -vvvto see a lot of debugging output. If you post a question asking why you can't connect with ssh, include this output (you may want to anonymize host and user names). - If you can, check the server logs in
/var/log/auth.log. - If public key authentication isn't working, check the permissions again, especially the group bit (see above).
I ran into the same thing and finally figured out that it was because I encrypted my home directory. SSH can't read the authorized_keys file until you log in, so basically it forces you to password authenticate first. See the section about the encrypted home directory on the following link:
If you check the permissions on the directories, and there is a "." right after them, then you may have selinux enabled, which will mess w/ the key exchange, and default to manual password identification.
You can disable SELinux to troubleshoot by following the instructions here: , or just edit the /etc/selinux/config file and change it from "enforcing" to "disabled".
Hope this helps.
3I would ensure that you have your settings in /etc/ssh/sshd_config correct.
To force the use of PKI only and to disallow passwords find the line
#PasswordAuthentication yes in your file, uncomment it and set it to
PasswordAuthenticate noI would also read through the balance of the settings to ensure they make sense. In particular, try to ensure that you use RSA keys since DSA is know to be compromised.
1One possible cause of the problem is that you have DSA keys but now SSH (apparently) defaults to requiring RSA keys. I got the problem when upgrading to 16.04. You can see more here but the short answer is add the following to ~/.ssh/config:
PubkeyAcceptedKeyTypes ssh-dss I fixed this problem by un-commenting "PasswordAuthentication yes" in /etc/ssh/sshd_config.
Due to a need for troubleshooting communication between two different machines, I had two private keys in ~/.ssh on the client side.
Instead of configuring each server host with the respective private key in ~/.ssh/identity as I should have done, I had the secondary (and in this case wrong) key configured for all hosts:
Host *
IdentityFile ~/.ssh/identity_bCorrecting ~/.ssh/identity resolved the issue:
Host a
IdentityFile ~/.ssh/identity_a
Host b
IdentityFile ~/.ssh/identity_b I just had the same problem but changing the permissions with chmod wasn't helping, since it turned out I didn't have ownership of the ~/.ssh/authorized_keys file. You can change ownership of the .ssh directory with:
sudo chown -R "$USER" ~/.ssh Somehow this worked for me:
root@kaiser:~# vim /etc/ssh/sshd_config
Change this line from yes to no 28 StrictModes no
Try again
sysadmin@suselinux1:~> con sysadmin kaiser Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-25-generic i686)
- Documentation:
Last login: Fri Nov 9 15:40:11 2012 from 10.1.3.25 sysadmin@kaiser:~$ date vie nov 9 17:53:11 CST 2012 sysadmin@kaiser:~$
2