ssh no longer allows public key authentication
My machine recently stopped accepting incoming public key authentication. I have an ubuntu 11.04 desktop that I ssh into from a windows machine. I use putty with pageant. I am able to connect but only with interactive password authentication, not with my rsa key that I have setup.
I have already verified that the key is listed in ~/.ssh/authorized_keys. How do I fix this and what do I check?
Solution 1:
If public key authentication doesn't work: make sure that on the server side, your home directory (~
), the ~/.ssh
directory, and the ~/.ssh/authorized_keys
file, are all writable only by their owner. In particular, none of them must be writable by the group (even if the user is alone in the group). chmod 755
or chmod 700
is ok, chmod 770
is not.
What to check when something is wrong:
- Run
ssh -vvv
to see a lot of debugging output. If you post a question asking why you can't connect with ssh, include this output (you may want to anonymize host and user names). - If you can, check the server logs in
/var/log/auth.log
. - If public key authentication isn't working, check the permissions again, especially the group bit (see above).
Solution 2:
I ran into the same thing and finally figured out that it was because I encrypted my home directory. SSH can't read the authorized_keys file until you log in, so basically it forces you to password authenticate first. See the section about the encrypted home directory on the following link:
https://help.ubuntu.com/community/SSH/OpenSSH/Keys#Encrypted_Home_Directory
Solution 3:
If you check the permissions on the directories, and there is a "." right after them, then you may have selinux enabled, which will mess w/ the key exchange, and default to manual password identification.
You can disable SELinux to troubleshoot by following the instructions here: http://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable-enforcement.html, or just edit the /etc/selinux/config file and change it from "enforcing" to "disabled".
Hope this helps.
Solution 4:
I would ensure that you have your settings in /etc/ssh/sshd_config correct.
To force the use of PKI only and to disallow passwords find the line
#PasswordAuthentication yes
in your file, uncomment it and set it to
PasswordAuthenticate no
I would also read through the balance of the settings to ensure they make sense. In particular, try to ensure that you use RSA keys since DSA is know to be compromised.
Solution 5:
One possible cause of the problem is that you have DSA keys but now SSH (apparently) defaults to requiring RSA keys. I got the problem when upgrading to 16.04. You can see more here but the short answer is add the following to ~/.ssh/config
:
PubkeyAcceptedKeyTypes ssh-dss