6

Possible Duplicate:
Why am I still getting a password prompt with ssh with public key authentication?

I'm setting up a remote server. The sshd is configured to use publickey only. There are two accounts on the remote machine with identical .ssh/authorized_keys, so that I can log in as either using the same key. One of the two is root, and when I try:

ssh -i /path/to/privatekey root@remote.server

I get in, no problem. However, when I try the other (non-privileged) user:

ssh -i /path/to/privatekey bob@remote.server

It fails. -v reveals:

debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /path/to/privatekey
debug1: Authentications that can continue: publickey
debug1: Trying private key: /path/to/privatekey
**debug1: key_parse_private_pem: PEM_read_PrivateKey failed**
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/path/to/privatekey': 

The asterisked line does not occur with the successful root@server login. This is also strange since ssh-agent already has the passphrase for this key; I am not asked with the root@server login. The failed bob@server login ends:

debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Permissions, etc. on /home/bob/.ssh are correct [but no execute bit on .ssh directory, see comments]. This was actually a system upgrade/reinstall, and I have a backup of the previous /etc including the sshd configuration. I haven't changed anything (although when I allow password authentication, bob can get in), and this was how I was using the system before via git -- so I have a bunch of project git remote ids keyed to use bob@server via ssh, and don't want to have to change those because I can't get sshd to work the way it did previously...

goldilocks
  • Is bob the owner of the .ssh directory and authorized_keys file in bob's home directory, and are the permissions 700 for the .ssh directory and 600 for the authorized_keys file? – pradeepchhetri Dec 06 '12 at 19:02
  • $#@! I used chmod -R 600 .ssh when I set this up, not thinking it would matter whether the directory had the execute bit set (700). But it did. If you want to put that in an answer I'll give you a check. – goldilocks Dec 06 '12 at 19:09
  • I have put it as an answer. :P – pradeepchhetri Dec 06 '12 at 19:15
  • @goldilocks Yup - the executable bit on a directory allows you to change to it, and under normal circumstances root can bypass this. You could probably actually go with chmod 0100 .ssh, if ssh knows what file to open, so it doesn't need to be able to read the directory contents. – peterph Dec 06 '12 at 19:16

1 Answer

7

Please confirm the following things:

  1. Permission of the .ssh directory is 700. Execute permission on a directory is required in order to enter into a directory.

  2. Permission of authorized_keys file must be 600.

Being a sysadmin, I have also faced this kind of issue.

jasonwryan
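Added example, not part of the original answer: a shell function that audits the two things this thread turned on, the owner search (x) bit on .ssh that `chmod -R 600` strips, and group/other write bits, which OpenSSH's StrictModes rejects. `check_ssh_perms` and `mode_of` are hypothetical helper names, and the home directory path is passed in as an argument.

```shell
#!/bin/sh
# Added example: audit the modes of <home>/.ssh and authorized_keys.
# check_ssh_perms / mode_of are hypothetical helpers, not OpenSSH tools.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: check_ssh_perms /home/bob
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_ssh_perms() {
    dir="$1/.ssh"
    file="$dir/authorized_keys"
    rc=0

    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    dmode=$(mode_of "$dir")

    # Without the owner x (search) bit the unprivileged owner cannot open
    # files inside the directory; root bypasses this, so root still works.
    if [ $(( 0$dmode & 0100 )) -eq 0 ]; then
        echo "$dir is $dmode: owner search (x) bit missing, want 700"
        return 1    # contents cannot be examined reliably as the owner
    fi
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "$dir is $dmode: group/other-writable, want 700"; rc=1
    fi

    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    fmode=$(mode_of "$file")
    if [ $(( 0$fmode & 0400 )) -eq 0 ]; then
        echo "$file is $fmode: owner cannot read it, want 600"; rc=1
    fi
    if [ $(( 0$fmode & 022 )) -ne 0 ]; then
        echo "$file is $fmode: group/other-writable, want 600"; rc=1
    fi
    return $rc
}

# Run against a home directory when one is given on the command line.
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Run it as `sh check_ssh_perms.sh /home/bob` on the server; no output and exit status 0 mean the modes are not what is blocking publickey authentication.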