ssh public key authentication
Hi, I have a problem with the ssh public key...
1- create a public key without passphrase (ssh-keygen)
2- copy the id_rsa.pub file to the directory .ssh on my home dir in the
server
3- cat id_rsa.pub >> authorized_keys
but when I ssh to the server it still asks for the password
If I do
[user@client]:~/.ssh$ ssh -o PreferredAuthentications=publickey server
Permission denied (publickey,keyboard-interactive).
The server /etc/ssh/sshd_config file is:
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib64/ssh/sftp-server
# This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
--
VampirD
General Failure is the supreme commander of the Microsoft army.
All operation made by this army ends on him.
Re: ssh public key authentication
Add some verbosity to your login (-v, -vv, or -vvv) and post the output
here. Also make sure that your authorized_keys file, as well as the
directories containing it, are not accessible to any user except you or to
any group. Make permissions 600 (rw-------) for files or 700 (rwx------)
for the .ssh directory and see if that helps. Make sure the key files are
also locked down on your client side.
Good luck.
VampirD wrote:
> Hi, I have a problem with the ssh public key...
> 1- create a public key without passphrase (ssh-keygen)
> 2- copy the id_rsa.pub file to the directory .ssh on my home dir in the
> server
> 3- cat id_rsa.pub >> authorized_keys
>
> but when I ssh to the server still ask for the password
> If I do
> [user@client]:~/.ssh$ ssh -o PreferredAuthentications=publickey server
> Permission denied (publickey,keyboard-interactive).
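As an added example (not part of any post in this thread), a shell audit of the permissions the reply above describes. With StrictModes at its default of yes, as in the posted sshd_config, sshd refuses a key when authorized_keys, ~/.ssh or the home directory is group- or world-writable; the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example: audit the paths sshd checks for public key login.
# Ownership (each path must belong to the user or root) is not checked here.

# First 10 characters of `ls -ldL`, e.g. drwx------ ; empty if the path is missing.
perm_string() { ls -ldL "$1" 2>/dev/null | cut -c1-10; }

# check_path PATH [WANT]
# Returns 0 = fine, 1 = looser than the advised mode WANT,
#         2 = group- or world-writable (StrictModes rejects the key), 3 = missing.
check_path() {
    p=$(perm_string "$1")
    [ -n "$p" ] || { echo "MISSING $1"; return 3; }
    gw=$(printf %s "$p" | cut -c6)   # group write bit
    ow=$(printf %s "$p" | cut -c9)   # other write bit
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "REFUSED $1 ($p): group- or world-writable"; return 2
    fi
    if [ -n "${2:-}" ] && [ "$p" != "$2" ]; then
        echo "LOOSE   $1 ($p): advised $2"; return 1
    fi
    echo "OK      $1 ($p)"
}

# audit_ssh_perms HOME_DIR: returns the worst result over the three paths.
audit_ssh_perms() {
    worst=0
    for spec in "$1:" "$1/.ssh:drwx------" "$1/.ssh/authorized_keys:-rw-------"; do
        rc=0
        check_path "${spec%:*}" "${spec##*:}" || rc=$?
        [ "$rc" -le "$worst" ] || worst=$rc
    done
    return "$worst"
}

# Run as: sh audit.sh "$HOME"   (does nothing when no directory is given)
[ $# -eq 0 ] || audit_ssh_perms "$1"
```

A result of 2 on any path matches the symptom in the first post: the key is present but the server falls through to the next authentication method.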
Re: ssh public key authentication
Thanks ab, I changed the permissions and now it works ^_^
--
VampirD
General Failure is the supreme commander of the Microsoft army.
All operation made by this army ends on him.
Re: ssh public key authentication
Good to hear. Thank you for posting back your results.
Good luck.
VampirD wrote:
> Thanks ab, I changed the permissions and now it works ^_^
>