ssh public key authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, I have a problem with the ssh public key…
1- create a public key without a passphrase (ssh-keygen)
2- copy the id_rsa.pub file to the directory .ssh on my home dir in the
server
3- cat id_rsa.pub >> authorized_keys

but when I ssh to the server it still asks for the password
If I do
[user@client]:~/.ssh$ ssh -o PreferredAuthentications=publickey server
Permission denied (publickey,keyboard-interactive).

The server /etc/ssh/sshd_config file is:

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
# susceptible to.
#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib64/ssh/sftp-server

# This enables accepting locale environment variables LC_* LANG, see
# sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server


VampirD

General Failure is the supreme commander of the Microsoft army.
All operation made by this army ends on him.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAksYMs8ACgkQuyH6KAqYAt299QCdHSqBhxiLbTYECKDoXQVZ1yCE
ZfEAn2+9keJo4B7ldvIBkIpmvG7ayT8d
=/Vs5
-----END PGP SIGNATURE-----

Add some verbosity to your login (-v, -vv, or -vvv) and post the output
here. Also make sure that your authorized_keys file, as well as the
directories containing it, are not accessible to any user except you or to
any group. Make permissions 600 (rw-------) for files or 700 (rwx------)
for the .ssh directory and see if that helps. Make sure the key files are
also locked down on your client side.

Good luck.

VampirD wrote:
> Hi, I have a problem with the ssh public key…
> 1- create a public key without a passphrase (ssh-keygen)
> 2- copy the id_rsa.pub file to the directory .ssh on my home dir in the
> server
> 3- cat id_rsa.pub >> authorized_keys
>
> but when I ssh to the server it still asks for the password
> If I do
> [user@client]:~/.ssh$ ssh -o PreferredAuthentications=publickey server
> Permission denied (publickey,keyboard-interactive).
>
> The server /etc/ssh/sshd_config file is:
> [full sshd_config snipped]
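The following script is an added example and is not part of the thread or of OpenSSH. It puts together the three steps from the original question and the permission advice from the reply: install_pubkey does what ssh-copy-id does (creates ~/.ssh with mode 700, appends the key only if it is not already present, keeps authorized_keys at 600), check_perms tests the group/world-write rule that sshd's StrictModes (default yes) applies to the home directory, ~/.ssh and authorized_keys, plus the client-side rule that a private key must not be readable by others, and fix_perms applies the modes the reply recommends. The function names, the sample key text and the temporary directories used in testing are all constructed for this example; the log messages quoted in the comments are the ones OpenSSH prints for these failures.

```shell
#!/bin/sh
# Added example (not part of the thread): install a public key the way
# ssh-copy-id does, then check the ownership/permission rules that sshd's
# StrictModes (default "yes") enforces before it will read
# ~/.ssh/authorized_keys.  When StrictModes rejects the file the client only
# sees "Permission denied (publickey,...)"; the real reason shows up in the
# server log (LogLevel VERBOSE, or run "sshd -d" on a spare port) as
#   Authentication refused: bad ownership or modes for directory /home/user
# and on the client as "Permissions 0644 for '.../id_rsa' are too open" when
# the private key is readable by other users.
# All paths are passed in as arguments; nothing here touches the real $HOME.

# Print the octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey HOME_DIR PUBKEY_FILE
# Steps 2 and 3 of the question, done so the permissions come out right:
# ~/.ssh mode 700, authorized_keys mode 600, and the key appended only once.
install_pubkey() {
    home=$1
    pub=$2
    mkdir -p -m 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Compare on key type and base64 blob only; the trailing comment may differ.
    key=$(head -n 1 "$pub" | cut -d ' ' -f 1,2)
    if ! grep -qF -- "$key" "$home/.ssh/authorized_keys"; then
        cat "$pub" >> "$home/.ssh/authorized_keys"
    fi
}

# check_perms HOME_DIR
# Prints one line per violation; returns 0 when sshd (and the ssh client, for
# private keys) would be satisfied.
check_perms() {
    home=$1
    rc=0
    # StrictModes: home, ~/.ssh and authorized_keys must not be group- or
    # world-writable (sshd also requires them to be owned by the user or root).
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        m=$(mode_of "$p")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "group/world writable ($m): $p"
            rc=1
        fi
    done
    # Client side: ssh refuses to use a private key that group/others can read.
    for k in "$home"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        m=$(mode_of "$k")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "private key readable by others ($m): $k"
            rc=1
        fi
    done
    return $rc
}

# fix_perms HOME_DIR
# The remedy from the reply: 700 on ~/.ssh, 600 on authorized_keys and on
# private keys, and no group/world write bit on the home directory itself.
fix_perms() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    for k in "$home"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        if [ -f "$k" ]; then
            chmod 600 "$k"
        fi
    done
    return 0
}

# Usage on a real account (run as that user):
#   install_pubkey "$HOME" /path/to/id_rsa.pub
#   check_perms "$HOME" || fix_perms "$HOME"
# Then retry with "ssh -vvv server" and look for "Offering public key"
# followed by "Server accepts key" rather than "Authentications that can
# continue: publickey,keyboard-interactive".
```

check_perms only looks at mode bits, which is what the thread's fix addressed; sshd additionally requires that the home directory, ~/.ssh and authorized_keys be owned by the logging-in user (or root), so a file copied in by another account can fail StrictModes even with mode 600.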

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks ab, I changed the permissions and now it works :)


VampirD

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAksZPZMACgkQuyH6KAqYAt3IhgCfXdqADxVn/3iw4ezHEKEGPIa2
Eo0Anil2Dhea/350jg54lbaDk3CQmuEw
=+Ry8
-----END PGP SIGNATURE-----

Good to hear. Thank-you for posting back your results.

Good luck.

VampirD wrote:
> Thanks ab, I changed the permissions and now it works :)
>