SSH still asks for password after setting up key based authentication
I have successfully created a key based auth for root user from my A machine to my B machine.
Now, I created a new user on B machine, the same as on A machine, let's call him USER. I created a home dir for him on B machine /home/USER and I want to create key based auth for him from machine A to B machine.
So, I ran on A machine
ssh-keygen -t rsa, accepted all paths, so/home/USER/.ssh/id_rsaand with no phrases
ssh-copy-id -i /home/USER/.ssh/id_rsa.pub USER@BmachinesIP, entered password and got massage
Now try logging into the machine bla bla bla
So everything seems to be OK.
But when I tried to connect ssh USER@BmachinesIP I was asked for a password.
I tried to see the log and ran ssh -vvv USER@BmachinesIP and here is a part of output:
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USER/.ssh/id_dsa
debug3: no such identity: /home/USER/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USER@BmachinesIP's password:
So, can anyone tell me what I've done wrong or what I should change? Maybe the issue is in the permissions, here they are:
on A machine:
drwx------ 2 USER USER SIZE DATE TIME .ssh
-rw------- 1 USER USER 1675 2011-10-31 14:36 id_rsa
-rw-r--r-- 1 USER USER 413 2011-10-31 14:36 id_rsa.pub
and on B machine:
drwx------ 2 USER defaultGroup SIZE DATE TIME .ssh
-rw------- 1 USER defaultGroup SIZE DATE TIME authorized_keys
linux authentication ssh
edited Oct 31 '11 at 10:14
slhck
160k47445467
asked Oct 31 '11 at 9:33
trattotratto
181117
migrated from stackoverflow.com Oct 31 '11 at 10:06
This question came from our site for professional and enthusiast programmers.
add a comment |
I have successfully created a key based auth for root user from my A machine to my B machine.
Now, I created a new user on B machine, the same as on A machine, let's call him USER. I created a home dir for him on B machine /home/USER and I want to create key based auth for him from machine A to B machine.
So, I ran on A machine
ssh-keygen -t rsa, accepted all paths, so/home/USER/.ssh/id_rsaand with no phrases
ssh-copy-id -i /home/USER/.ssh/id_rsa.pub USER@BmachinesIP, entered password and got massage
Now try logging into the machine bla bla bla
So everything seems to be OK.
But when I tried to connect ssh USER@BmachinesIP I was asked for a password.
I tried to see the log and ran ssh -vvv USER@BmachinesIP and here is a part of output:
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USER/.ssh/id_dsa
debug3: no such identity: /home/USER/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USER@BmachinesIP's password:
So, can anyone tell me what I've done wrong or what I should change? Maybe the issue is in the permissions, here they are:
on A machine:
drwx------ 2 USER USER SIZE DATE TIME .ssh
-rw------- 1 USER USER 1675 2011-10-31 14:36 id_rsa
-rw-r--r-- 1 USER USER 413 2011-10-31 14:36 id_rsa.pub
and on B machine:
drwx------ 2 USER defaultGroup SIZE DATE TIME .ssh
-rw------- 1 USER defaultGroup SIZE DATE TIME authorized_keys
linux authentication ssh
edited Oct 31 '11 at 10:14
slhck
160k47445467
asked Oct 31 '11 at 9:33
trattotratto
181117
migrated from stackoverflow.com Oct 31 '11 at 10:06
This question came from our site for professional and enthusiast programmers.
add a comment |
I have successfully created a key based auth for root user from my A machine to my B machine.
Now, I created a new user on B machine, the same as on A machine, let's call him USER. I created a home dir for him on B machine /home/USER and I want to create key based auth for him from machine A to B machine.
So, I ran on A machine
ssh-keygen -t rsa, accepted all paths, so/home/USER/.ssh/id_rsaand with no phrases
ssh-copy-id -i /home/USER/.ssh/id_rsa.pub USER@BmachinesIP, entered password and got massage
Now try logging into the machine bla bla bla
So everything seems to be OK.
But when I tried to connect ssh USER@BmachinesIP I was asked for a password.
I tried to see the log and ran ssh -vvv USER@BmachinesIP and here is a part of output:
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USER/.ssh/id_dsa
debug3: no such identity: /home/USER/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USER@BmachinesIP's password:
So, can anyone tell me what I've done wrong or what I should change? Maybe the issue is in the permissions, here they are:
on A machine:
drwx------ 2 USER USER SIZE DATE TIME .ssh
-rw------- 1 USER USER 1675 2011-10-31 14:36 id_rsa
-rw-r--r-- 1 USER USER 413 2011-10-31 14:36 id_rsa.pub
and on B machine:
drwx------ 2 USER defaultGroup SIZE DATE TIME .ssh
-rw------- 1 USER defaultGroup SIZE DATE TIME authorized_keys
linux authentication ssh
edited Oct 31 '11 at 10:14
slhck
160k47445467
asked Oct 31 '11 at 9:33
trattotratto
181117
I have successfully created a key based auth for root user from my A machine to my B machine.
Now, I created a new user on B machine, the same as on A machine, let's call him USER. I created a home dir for him on B machine /home/USER and I want to create key based auth for him from machine A to B machine.
So, I ran on A machine
ssh-keygen -t rsa, accepted all paths, so/home/USER/.ssh/id_rsaand with no phrases
ssh-copy-id -i /home/USER/.ssh/id_rsa.pub USER@BmachinesIP, entered password and got massage
Now try logging into the machine bla bla bla
So everything seems to be OK.
But when I tried to connect ssh USER@BmachinesIP I was asked for a password.
I tried to see the log and ran ssh -vvv USER@BmachinesIP and here is a part of output:
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USER/.ssh/id_dsa
debug3: no such identity: /home/USER/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USER@BmachinesIP's password:
So, can anyone tell me what I've done wrong or what I should change? Maybe the issue is in the permissions, here they are:
on A machine:
drwx------ 2 USER USER SIZE DATE TIME .ssh
-rw------- 1 USER USER 1675 2011-10-31 14:36 id_rsa
-rw-r--r-- 1 USER USER 413 2011-10-31 14:36 id_rsa.pub
and on B machine:
drwx------ 2 USER defaultGroup SIZE DATE TIME .ssh
-rw------- 1 USER defaultGroup SIZE DATE TIME authorized_keys
linux authentication ssh
linux authentication ssh
edited Oct 31 '11 at 10:14
slhck
160k47445467
asked Oct 31 '11 at 9:33
trattotratto
181117
edited Oct 31 '11 at 10:14
slhck
160k47445467
asked Oct 31 '11 at 9:33
trattotratto
181117
edited Oct 31 '11 at 10:14
slhck
160k47445467
edited Oct 31 '11 at 10:14
slhck
160k47445467
edited Oct 31 '11 at 10:14
slhck
160k47445467
160k47445467
asked Oct 31 '11 at 9:33
trattotratto
181117
asked Oct 31 '11 at 9:33
trattotratto
181117
asked Oct 31 '11 at 9:33
trattotratto
181117
181117
migrated from stackoverflow.com Oct 31 '11 at 10:06
This question came from our site for professional and enthusiast programmers.
migrated from stackoverflow.com Oct 31 '11 at 10:06
This question came from our site for professional and enthusiast programmers.
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
I have found a solution. There was an issue in permissions.
/home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
answered Oct 31 '11 at 11:16
trattotratto
181117
2
Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.
– jchook
Feb 18 '13 at 16:47
Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 22:54
Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 23:02
2
Essentially you need these permissions:chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working
– erik
Jul 30 '13 at 21:27
2
I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.
– Amalgovinus
Jun 17 '14 at 2:05
|
show 1 more comment
Same problem for me fresh CentOS7 install.
1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.
I still got password prompt after checking all that was ok.
Run ssh client with -vvv logs:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Server (/var/log/secure) logs:
Failed publickey for * from * port * ssh2: RSA *
ssh server doesn't send more error info to client as that would be a security risk.
If I ran sshd on different port 'sshd -p 5555 -d'. The key worked. Passwordless login ok. WTF?
Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and reboot. Passwordless login then worked ok.
my current working sshd_config settings:
[root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
So it would be nice to know could we change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?
answered May 4 '16 at 12:47
gaoithegaoithe
37135
add a comment |
The solution is not disabling SELinux but to fix the SELinux permissions of the user directory. The user directory context must be set to user_home_t.
To check,
$ sudo ls -Z /home/
If the context for your user directory is anything than user_home_t, SELinux would not allow SSH via public key into that user directory for that user.
To fix,
$ sudo semanage fcontext -a -t user_home_t /home/azureuser
$ sudo restorecon -vvRF /home/azureuser
The key based login should now work.
edited Jan 2 at 8:29
slhck
160k47445467
answered Jan 2 at 8:25
xcodexxcodex
11
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f352368%2fssh-still-asks-for-password-after-setting-up-key-based-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
I have found a solution. There was an issue in permissions.
/home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
answered Oct 31 '11 at 11:16
trattotratto
181117
2
Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.
– jchook
Feb 18 '13 at 16:47
Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 22:54
Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 23:02
2
Essentially you need these permissions:chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working
– erik
Jul 30 '13 at 21:27
2
I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.
– Amalgovinus
Jun 17 '14 at 2:05
|
show 1 more comment
I have found a solution. There was an issue in permissions.
/home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
answered Oct 31 '11 at 11:16
trattotratto
181117
2
Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.
– jchook
Feb 18 '13 at 16:47
Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 22:54
Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 23:02
2
Essentially you need these permissions:chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working
– erik
Jul 30 '13 at 21:27
2
I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.
– Amalgovinus
Jun 17 '14 at 2:05
|
show 1 more comment
I have found a solution. There was an issue in permissions.
/home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
answered Oct 31 '11 at 11:16
trattotratto
181117
I have found a solution. There was an issue in permissions.
/home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
answered Oct 31 '11 at 11:16
trattotratto
181117
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
edited Aug 14 '12 at 5:16
Sathyajith Bhat♦
52.8k29155252
52.8k29155252
answered Oct 31 '11 at 11:16
trattotratto
181117
answered Oct 31 '11 at 11:16
trattotratto
181117
answered Oct 31 '11 at 11:16
trattotratto
181117
181117
2
Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.
– jchook
Feb 18 '13 at 16:47
Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 22:54
Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 23:02
2
Essentially you need these permissions:chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working
– erik
Jul 30 '13 at 21:27
2
I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.
– Amalgovinus
Jun 17 '14 at 2:05
|
show 1 more comment
2
Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.
– jchook
Feb 18 '13 at 16:47
Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 22:54
Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 23:02
2
Essentially you need these permissions:chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working
– erik
Jul 30 '13 at 21:27
2
I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.
– Amalgovinus
Jun 17 '14 at 2:05
2
2
Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.
– jchook
Feb 18 '13 at 16:47
Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.
– jchook
Feb 18 '13 at 16:47
Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 22:54
Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 22:54
Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 23:02
Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.
– Pablo Olmos de Aguilera C.
Apr 7 '13 at 23:02
2
2
Essentially you need these permissions:
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working– erik
Jul 30 '13 at 21:27
Essentially you need these permissions:
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working– erik
Jul 30 '13 at 21:27
2
2
I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.
– Amalgovinus
Jun 17 '14 at 2:05
I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.
– Amalgovinus
Jun 17 '14 at 2:05
|
show 1 more comment
Same problem for me fresh CentOS7 install.
1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.
I still got password prompt after checking all that was ok.
Run ssh client with -vvv logs:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Server (/var/log/secure) logs:
Failed publickey for * from * port * ssh2: RSA *
ssh server doesn't send more error info to client as that would be a security risk.
If I ran sshd on different port 'sshd -p 5555 -d'. The key worked. Passwordless login ok. WTF?
Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and reboot. Passwordless login then worked ok.
my current working sshd_config settings:
[root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
So it would be nice to know could we change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?
answered May 4 '16 at 12:47
gaoithegaoithe
37135
add a comment |
Same problem for me fresh CentOS7 install.
1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.
I still got password prompt after checking all that was ok.
Run ssh client with -vvv logs:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Server (/var/log/secure) logs:
Failed publickey for * from * port * ssh2: RSA *
ssh server doesn't send more error info to client as that would be a security risk.
If I ran sshd on different port 'sshd -p 5555 -d'. The key worked. Passwordless login ok. WTF?
Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and reboot. Passwordless login then worked ok.
my current working sshd_config settings:
[root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
So it would be nice to know could we change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?
answered May 4 '16 at 12:47
gaoithegaoithe
37135
add a comment |
Same problem for me fresh CentOS7 install.
1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.
I still got password prompt after checking all that was ok.
Run ssh client with -vvv logs:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Server (/var/log/secure) logs:
Failed publickey for * from * port * ssh2: RSA *
ssh server doesn't send more error info to client as that would be a security risk.
If I ran sshd on different port 'sshd -p 5555 -d'. The key worked. Passwordless login ok. WTF?
Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and reboot. Passwordless login then worked ok.
my current working sshd_config settings:
[root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
So it would be nice to know could we change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?
answered May 4 '16 at 12:47
gaoithegaoithe
37135
Same problem for me fresh CentOS7 install.
1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)
chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.
I still got password prompt after checking all that was ok.
Run ssh client with -vvv logs:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Server (/var/log/secure) logs:
Failed publickey for * from * port * ssh2: RSA *
ssh server doesn't send more error info to client as that would be a security risk.
If I ran sshd on different port 'sshd -p 5555 -d'. The key worked. Passwordless login ok. WTF?
Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and reboot. Passwordless login then worked ok.
my current working sshd_config settings:
[root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
So it would be nice to know could we change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?
answered May 4 '16 at 12:47
gaoithegaoithe
37135
answered May 4 '16 at 12:47
gaoithegaoithe
37135
answered May 4 '16 at 12:47
gaoithegaoithe
37135
answered May 4 '16 at 12:47
gaoithegaoithe
37135
37135
add a comment |
add a comment |
The solution is not disabling SELinux but to fix the SELinux permissions of the user directory. The user directory context must be set to user_home_t.
To check,
$ sudo ls -Z /home/
If the context for your user directory is anything than user_home_t, SELinux would not allow SSH via public key into that user directory for that user.
To fix,
$ sudo semanage fcontext -a -t user_home_t /home/azureuser
$ sudo restorecon -vvRF /home/azureuser
The key based login should now work.
edited Jan 2 at 8:29
slhck
160k47445467
answered Jan 2 at 8:25
xcodexxcodex
11
add a comment |
The solution is not disabling SELinux but to fix the SELinux permissions of the user directory. The user directory context must be set to user_home_t.
To check,
$ sudo ls -Z /home/
If the context for your user directory is anything than user_home_t, SELinux would not allow SSH via public key into that user directory for that user.
To fix,
$ sudo semanage fcontext -a -t user_home_t /home/azureuser
$ sudo restorecon -vvRF /home/azureuser
The key based login should now work.
edited Jan 2 at 8:29
slhck
160k47445467
answered Jan 2 at 8:25
xcodexxcodex
11
add a comment |
The solution is not disabling SELinux but to fix the SELinux permissions of the user directory. The user directory context must be set to user_home_t.
To check,
$ sudo ls -Z /home/
If the context for your user directory is anything than user_home_t, SELinux would not allow SSH via public key into that user directory for that user.
To fix,
$ sudo semanage fcontext -a -t user_home_t /home/azureuser
$ sudo restorecon -vvRF /home/azureuser
The key based login should now work.
edited Jan 2 at 8:29
slhck
160k47445467
answered Jan 2 at 8:25
xcodexxcodex
11
The solution is not disabling SELinux but to fix the SELinux permissions of the user directory. The user directory context must be set to user_home_t.
To check,
$ sudo ls -Z /home/
If the context for your user directory is anything than user_home_t, SELinux would not allow SSH via public key into that user directory for that user.
To fix,
$ sudo semanage fcontext -a -t user_home_t /home/azureuser
$ sudo restorecon -vvRF /home/azureuser
The key based login should now work.
edited Jan 2 at 8:29
slhck
160k47445467
answered Jan 2 at 8:25
xcodexxcodex
11
edited Jan 2 at 8:29
slhck
160k47445467
edited Jan 2 at 8:29
slhck
160k47445467
edited Jan 2 at 8:29
slhck
160k47445467
160k47445467
answered Jan 2 at 8:25
xcodexxcodex
11
answered Jan 2 at 8:25
xcodexxcodex
11
answered Jan 2 at 8:25
xcodexxcodex
11
11
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f352368%2fssh-still-asks-for-password-after-setting-up-key-based-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
