passwordless ssh not working
After setting up password-less ssh, I was still asked for my user password. Looking at /var/log/auth.log
on the remote machine pointed out the issue:
sshd[4215]: Authentication refused: bad ownership or modes for directory /home/<user>
So, make sure to have it right:
chmod o-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
While forbidding other users to write to your .ssh folder is obvious, having the same requirement for your home folder was trickier.
Also, check /etc/ssh/sshd_config to ensure that the RSAAuthentication and PubkeyAuthentication options aren't disabled. The default is yes, so that shouldn't be a problem.
Just make sure that you have followed the following procedure:
On Machine A
open a terminal and enter the commands as follows:
root@aneesh-pc:~# id
Just to make sure that we are root.
If the above command outputs something like the line below, we are root; otherwise switch to root using the su command.
uid=0(root) gid=0(root) groups=0(root)
1) Create the keys.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
49:7d:30:7d:67:db:58:51:42:75:78:9c:06:e1:0c:8d root@aneesh-pc
The key's randomart image is:
+--[ RSA 2048]----+
| ooo+==B|
| . E=.o+B|
| . . .+.*o|
| . . . ...|
| S |
| |
| |
| |
| |
+-----------------+
I haven't used any passphrase. If you need one you can use it.
2) Copy the public key into machine B's .ssh/authorized_keys file
root@aneesh-pc:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@mylap
root@mylap's password:
Now try logging into the machine, with ssh 'root@mylap'
, and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Replace mylap with the hostname or IP of the machine you want to log in to (i.e. machine B).
3) Log in to B without a password
root@aneesh-pc:~# ssh root@mylap
Warning: Permanently added 'mylap,192.168.1.200' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Wed Jul 27 15:23:58 2011 from streaming-desktop.local
aneesh@mylap:~$
On Machine B
4) Create the keys to log back in to Machine A
root@mylap:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
35:9f:e7:81:ed:02:f9:fd:ad:ef:08:c6:4e:19:76:b1 root@streaming-desktop
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| o . |
| . + + o |
| S o * E |
| = O . |
| O + |
| + o o.|
| . o+=|
+-----------------+
5) Copy the public key into machine A's .ssh/authorized_keys file
root@mylap:~# ssh-copy-id -i /root/.ssh/id_rsa.pub root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
root@aneesh-pc's password:
Now try logging into the machine, with ssh 'root@aneesh-pc'
, and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
6) Log in to A without a password
ssh root@aneesh-pc
Warning: Permanently added 'aneesh-pc,192.168.1.20' (RSA) to the list of known hosts.
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Tue Jul 26 18:52:55 2011 from 192.168.1.116
If you are able to complete these steps, you are done. Now you have two machines with ssh-key (public-key) login enabled.
Probably just a higher level permissions problem. You need to remove write permissions from group and other to your home directory and .ssh directory. To fix these permissions, run chmod 755 ~ ~/.ssh or chmod go-w ~ ~/.ssh.
If you're still having problems, issue the following grep on your log:
sudo egrep -i 'ssh.*LOCAL_USER_NAME' /var/log/secure
(replace LOCAL_USER_NAME with your local user name...)
That should hopefully tell you more about your problem, assuming sshd authentication information is being logged to the secure log, which it should be by default. If you see errors that look like this:
DATE HOSTNAME sshd[1317]: Authentication refused: bad ownership or modes for directory /path/to/some/directory
It's the problem described above and you need to find the directory in question and remove the write permissions from group and other.
As for the reason that you would need to restrict write permissions to your home directory (even though permissions are already restricted on your .ssh and subsequent directories): it would allow other users to rename your .ssh directory and make a new one. Although that would be unusable as is (due to wrong permissions), the fix for most users would probably be to change the permissions rather than check the content of the directory...
TLDNR: Allowing write access for group and/or other to your home directory will make ssh force password login.
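The chmod lines in the first answer and the log grep in this one can be turned into a single check you can run before touching anything. The script below is an added example, not code from any of the answers: it re-implements the ownership and group/other-write checks that sshd applies under StrictModes (the default) to the home directory, ~/.ssh and authorized_keys, and pulls the offending path out of auth.log lines in the format quoted in the question. It assumes GNU stat (Linux); the directory layout and the log lines are constructed inside the script.

```sh
#!/bin/sh
# Added example (not from the answers above): reproduce sshd's StrictModes checks
# on a constructed directory layout and parse constructed auth.log lines.

# check_ssh_perms <home> [uid]: print one line per offending path, return 1 if any.
check_ssh_perms() {
    home=$1; uid=${2:-$(id -u)}; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "$path: missing"; rc=1; continue; }
        mode=$(stat -c '%a' "$path"); owner=$(stat -c '%u' "$path")
        # sshd requires each path to be owned by the user or by root ...
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "$path: owned by uid $owner, not $uid"; rc=1
        fi
        # ... and not writable by group or other: a group or other digit of
        # 2, 3, 6 or 7 has the write bit set.
        case $mode in
            *[2367]|*[2367][0-7]) echo "$path: mode $mode is writable by group/other"; rc=1 ;;
        esac
    done
    return $rc
}

# refused_paths <logfile>: the path named in each "bad ownership or modes" line.
refused_paths() {
    grep 'Authentication refused: bad ownership or modes for' "$1" | awk '{ print $NF }'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed layout: "bad" is a group-writable home (the symptom in the
    # question), "good" has the modes the answers recommend.
    mkdir -p "$tmp/bad/.ssh" "$tmp/good/.ssh"
    touch "$tmp/bad/.ssh/authorized_keys" "$tmp/good/.ssh/authorized_keys"
    chmod 775 "$tmp/bad"  && chmod 700 "$tmp/bad/.ssh"  && chmod 664 "$tmp/bad/.ssh/authorized_keys"
    chmod 755 "$tmp/good" && chmod 700 "$tmp/good/.ssh" && chmod 600 "$tmp/good/.ssh/authorized_keys"
    echo "== $tmp/bad"
    check_ssh_perms "$tmp/bad" || echo "(sshd would refuse the key and ask for a password)"
    echo "== $tmp/good"
    check_ssh_perms "$tmp/good" && echo "(ok)"
    # Constructed auth.log lines in the format quoted in the question.
    printf '%s\n' \
      'Jul 27 15:23:58 mylap sshd[4215]: Authentication refused: bad ownership or modes for directory /home/alice' \
      'Jul 27 15:24:01 mylap sshd[4216]: Accepted publickey for bob from 192.168.1.116 port 51234 ssh2' > "$tmp/auth.log"
    refused_paths "$tmp/auth.log"
    rm -rf "$tmp"
}
demo
```

Run it as the user whose login fails, pointing check_ssh_perms at that user's real home, to see exactly which path sshd is rejecting.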