SSH Login with no password

Hey everybody. I’m trying to set up passwordless SSH between two hosts but I’m having trouble authenticating. When I try to connect from the host I get the following:

matt@VidWebSatellite:~>ssh matt@192.168.59.134
Permission denied (publickey).

I generated the keys with “ssh-keygen -t rsa” and copied the contents of “~/.ssh/id_rsa.pub” to “/home/matt/.ssh/authorized_keys”. The .ssh directory is owned by matt:users and has 700 permissions. The authorized_keys file is owned by matt:users and has 600 permissions.

Here is the sshd_config from the server:

#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	~/.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of 
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no
 

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes 
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

And here is the log of the connection attempt:

Aug  9 21:09:43 VidWebMaster sshd[13063]: debug3: fd 5 is not O_NONBLOCK
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Aug  9 21:09:43 VidWebMaster kernel: klogd 1.4.1, ---------- state change ----------
Aug  9 21:09:43 VidWebMaster sshd[13063]: debug1: Forked child 13518.
Aug  9 21:09:43 VidWebMaster sshd[13063]: debug3: send_rexec_state: entering fd = 8 config len 547
Aug  9 21:09:43 VidWebMaster sshd[13063]: debug3: ssh_msg_send: type 0
Aug  9 21:09:43 VidWebMaster sshd[13063]: debug3: send_rexec_state: done
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: inetd sockets after dupping: 3, 3
Aug  9 21:09:43 VidWebMaster sshd[13518]: Connection from 192.168.59.135 port 48904
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: match: OpenSSH_5.1 pat OpenSSH*
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: Enabling compatibility mode for protocol 2.0
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: Local version string SSH-2.0-OpenSSH_5.1
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: fd 3 setting O_NONBLOCK
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: Network child is on pid 13519
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: preauth child monitor started
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_receive entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: monitor_read: checking request 0
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_send entering: type 1
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: monitor_read: 0 used once, disabling now
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_receive entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: monitor_read: checking request 4
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_sign
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_sign: signature 0xb80b6f60(143)
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_send entering: type 5
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: monitor_read: 4 used once, disabling now
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_receive entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: monitor_read: checking request 6
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_pwnamallow
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: Trying to reverse map address 192.168.59.135.
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: parse_server_config: config reprocess config len 547
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_send entering: type 7
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: monitor_read: 6 used once, disabling now
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_receive entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: monitor_read: checking request 45
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: PAM: initializing for "matt"
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: PAM: setting PAM_RHOST to "192.168.59.135"
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: PAM: setting PAM_TTY to "ssh"
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: monitor_read: 45 used once, disabling now
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_receive entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: monitor_read: checking request 3
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_authserv: service=ssh-connection, style=
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug2: monitor_read: 3 used once, disabling now
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_receive entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: monitor_read: checking request 20
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_keyallowed entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_keyallowed: key_from_blob: 0xb80bba00
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: temporarily_use_uid: 1000/100 (e=0/0)
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: trying public key file /root/.ssh/authorized_keys
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: restore_uid: 0/0
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: temporarily_use_uid: 1000/100 (e=0/0)
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: trying public key file /root/.ssh/authorized_keys
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: restore_uid: 0/0
Aug  9 21:09:43 VidWebMaster sshd[13518]: Failed publickey for matt from 192.168.59.135 port 48904 ssh2
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_answer_keyallowed: key 0xb80bba00 is not allowed
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_send entering: type 21
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: mm_request_receive entering
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: do_cleanup
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: PAM: cleanup
Aug  9 21:09:43 VidWebMaster sshd[13518]: debug3: PAM: sshpam_thread_cleanup entering

Why is it looking in /root/.ssh/ for the authorized_keys file? What have I missed?

Cheers

It would be because of this line that you modified in /etc/ssh/sshd_config:

AuthorizedKeysFile	~/.ssh/authorized_keys

Before you modified it, it was:

#AuthorizedKeysFile     .ssh/authorized_keys

which is to say, the default was already correct, it’s relative to the home directory. By changing it to ~/.ssh/authorized_keys, you made it equal to /root/.ssh/authorized_keys, because the user running sshd is root.

Public key authentication works with the out of the box /etc/ssh/sshd_config. You made it not work by too much interference. :wink: So put things in /etc/ssh/sshd_config back the way you found them and it will work. After that you may wish to add

PermitRootLogin no

and

AllowUsers matt

to tighten up security.
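The path resolution described in the answer above, as an added example (not code from the thread or from OpenSSH): it expands an AuthorizedKeysFile value with the %h, %u and %% tokens and the home-relative rule documented in sshd_config(5), flags active entries that start with "~", and scans sshd debug output for key lookups outside the authenticating user's home. The function names, the homes mapping and the two-line sample config are assumptions; the sample log lines are copied from the log in the question.

```python
import re

def resolve_authorized_keys(value, user, home):
    """Expand one AuthorizedKeysFile value per sshd_config(5): %h, %u, %%,
    then treat the result as absolute or relative to the user's home."""
    if value.startswith("~"):
        # In the thread, sshd (running as root) turned "~" into /root.
        raise ValueError("'~' is not a per-user token; use %h or a relative path")
    tokens = {"h": home, "u": user, "%": "%"}
    expanded = re.sub(r"%([hu%])", lambda m: tokens[m.group(1)], value)
    return expanded if expanded.startswith("/") else home.rstrip("/") + "/" + expanded

def audit_config(text):
    """Return (line_no, value) for each active AuthorizedKeysFile value starting with '~'."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split("#", 1)[0].split()          # drop comments
        if len(parts) >= 2 and parts[0].lower() == "authorizedkeysfile":
            findings += [(no, v) for v in parts[1:] if v.startswith("~")]
    return findings

def misdirected_lookups(log_lines, homes):
    """Pair 'trying public key file' paths with the 'Failed publickey for USER'
    line of the same sshd pid; report paths outside that user's home."""
    tried, bad = {}, set()
    for line in log_lines:
        m = re.search(r"sshd\[(\d+)\]: (.*)", line)
        if not m:
            continue
        pid, msg = m.groups()
        t = re.match(r"debug1: trying public key file (\S+)", msg)
        f = re.match(r"Failed publickey for (\S+) from", msg)
        if t:
            tried.setdefault(pid, []).append(t.group(1))
        elif f and f.group(1) in homes:
            home = homes[f.group(1)].rstrip("/") + "/"
            bad |= {(f.group(1), p) for p in tried.pop(pid, []) if not p.startswith(home)}
    return sorted(bad)

# Constructed sample config: the shipped default (commented) and the edited line.
SAMPLE_CONFIG = "#AuthorizedKeysFile .ssh/authorized_keys\nAuthorizedKeysFile\t~/.ssh/authorized_keys\n"
# Sample log: lines copied from the log quoted in the question.
SAMPLE_LOG = [
    "Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: trying public key file /root/.ssh/authorized_keys",
    "Aug  9 21:09:43 VidWebMaster sshd[13518]: debug1: restore_uid: 0/0",
    "Aug  9 21:09:43 VidWebMaster sshd[13518]: Failed publickey for matt from 192.168.59.135 port 48904 ssh2",
]

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(misdirected_lookups(SAMPLE_LOG, {"matt": "/home/matt"}))
```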

“You made it not work by too much interference.”

Haha, story of my life. Thanks heaps, mate.

Where is your private key stored?