5

I have the following setup on an Ubuntu machine:

~/dotfiles/authorized_keys2
~/.ssh/authorized_keys2 -> /home/wayne/dotfiles/authorized_keys2

I had the same setup on my Arch machine, but when I connect with -v,

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/wayne/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password

I found this page on the Arch Wiki, which has this line:

$ chmod 600 ~/.ssh/authorized_keys

So I added another symlink:

authorized_keys -> /home/wayne/dotfiles/authorized_keys2

And yet still, no dice. And yes, I have ensured that the correct key is present in authorized_keys.

Why can I not connect using my keys?

Edit:

My permissions are set correctly on my home and ssh folders (and key file):

drwxr-x--x 150 wayne       family  13k Aug 27 07:38 wayne/
drwx------   2 wayne       family 4.1k Aug 27 07:24 .ssh/
-rw-------   1 wayne       family 6.4k Aug 20 07:01 authorized_keys2
Wayne Werner
  • there's something in /etc/... in the pam folder maybe? that might be wrong. some conf, though. – mikeserv Aug 27 '14 at 12:51
  • Did you change the chmod of authorized_keys2 too? if not, try to set chmod 600 on authorized_keys2. Put it on the source file, not on the link. – Chen A. Aug 27 '14 at 12:51
  • Have you checked where the sshd looks for authorized keys in your sshd config? – unR Aug 27 '14 at 13:29
  • AuthorizedKeysFile .ssh/authorized_keys, @unR – Wayne Werner Aug 27 '14 at 13:49
  • Looks like PubkeyAuthentication yes is commented out... though manpage says yes is the default and uncommenting that seems to have no effect – Wayne Werner Aug 27 '14 at 13:49
  • @kovadom updated - already was 600. – Wayne Werner Aug 27 '14 at 13:53
  • @WayneWerner shouldn't that be %h/.ssh/authorized_keys with the %h indicating the home directory? – unR Aug 27 '14 at 13:53
  • @unR the manpage says "AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory." - And after changing it to %h/.ssh/authorized_keys, still no dice. – Wayne Werner Aug 27 '14 at 13:59
  • It looks to be something strange with the symlink behavior - when I rm authorized_keys && cp authorized_keys2 authorized_keys all is well. – Wayne Werner Aug 27 '14 at 14:00
  • the %h is just a variable that the sshd will replace with the home directory of the user trying to log in. It will be an absolute path in the end. There are other variables too, like %u for the user name, so you could specify something like /etc/ssh/authorized_keys/%u_keys just fyi – unR Aug 27 '14 at 14:03
  • Is /home/wayne your home directory? If you can access the system logs on the server, is there anything about AppArmor or anything else from sshd? What are the permissions on /home/wayne/dotfiles and /home/wayne/dotfiles/authorized_keys2? – Gilles 'SO- stop being evil' Aug 27 '14 at 23:01
  • @Gilles yes it's my home. Dotfiles has the same rwxr-x-- permissions... wait no it doesn't! We have a winner! Apparently all directories in the path need to be non-world read/writable? – Wayne Werner Aug 28 '14 at 11:13
  • Yes, all the directories in the path need to be non-world writable. Normally this is only the home directory (and its parents), and ~/.ssh, but since you've symlinked the file from another directory, the permissions for that other directory matter as well. – Gilles 'SO- stop being evil' Aug 28 '14 at 11:22

3 Answers

12

The permissions on your authorized_keys file and the directories leading to it must be sufficiently restrictive: they must be only writable by you or root (recent versions of OpenSSH also allow them to be group-writable if you are the single user in that group). See Why am I still getting a password prompt with ssh with public key authentication? for the full story.

In your case, authorized_keys is a symbolic link. As of OpenSSH 5.9 (I haven't checked other versions), in that case, the server checks the permissions leading to the ultimate target of the symbolic link, with all intermediate symbolic links expanded (the canonical path). Assuming that all components of /home/wayne/dotfiles/authorized_keys2 are directories except for the last one, which is a regular file, OpenSSH checks the permissions of /home/wayne, /home/wayne/dotfiles and /home/wayne/dotfiles/authorized_keys2.

If you have root access on the server, check the server logs for a message of the form bad ownership or modes for ….

  • The nugget about the symbolic link was key for me here. One of my setups requires that the user home be the website root within /var/www/vhosts/... In order to allow that user to log in via ssh I had to create a /home/username with the .ssh/authorized_keys file within it. Setting up the symlink ln -s /home/username/.ssh .ssh from within the home directory of the user logged in. – Rebecca Dessonville Nov 30 '15 at 14:41
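
The check described in the answer above can be approximated from the shell. This is an added example, not part of the original posts and not OpenSSH's own code: it resolves the canonical path of the key file and tests every component up to the home directory for a foreign owner or group/world write bits. The function name check_keys_path is hypothetical, GNU readlink and stat are assumed, and the rule applied is the strict one (no group-writable exception).

```shell
#!/bin/sh
# Added example: approximates the path check sshd applies to authorized_keys.
# Assumes GNU coreutils (readlink -f, stat -c). Not OpenSSH code.

# check_keys_path FILE HOME [UID]
# Prints one line per path component. Returns 0 if every component passes,
# 1 if any component fails, 2 if the file cannot be resolved.
check_keys_path() {
    home=$(readlink -f -- "$2") || return 2
    uid=${3:-$(id -u)}
    # Expand all symlinks: the canonical target is what gets checked,
    # not the directory that holds the link.
    path=$(readlink -f -- "$1") || return 2
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    rc=0
    while :; do
        owner=$(stat -c %u -- "$path")
        mode=$(stat -c %a -- "$path")
        if [ "$owner" -ne "$uid" ] && [ "$owner" -ne 0 ]; then
            # Must be owned by the user or by root.
            echo "BAD  $mode uid=$owner $path (wrong owner)"; rc=1
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            # Group or other write bit is set.
            echo "BAD  $mode uid=$owner $path (group/world writable)"; rc=1
        else
            echo "ok   $mode uid=$owner $path"
        fi
        # Stop after the home directory, or at / if home is not an ancestor.
        [ "$path" = "$home" ] || [ "$path" = "/" ] && break
        path=$(dirname -- "$path")
    done
    return $rc
}

# Usage on the server, as the account that cannot log in:
#   check_keys_path ~/.ssh/authorized_keys "$HOME"
```

Any BAD line names a component that needs its owner or mode corrected on the symlink target's side, which is where the `bad ownership or modes` log message points as well.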
0

I had the same issue; it got resolved by changing the permissions of the /home/user directory, which were not correct. It should be chmod 755.

-1

If SELINUX is set to enforcing, and the canonical path to your authorized_keys file has a symlink for any of the directories, it will fail. You need to set SELINUX to disabled.

  • Welcome to *nix.SE! Consider expanding your post with links to documentation or explanation which supports your suggestion. – HalosGhost Sep 17 '14 at 16:33