ssh no longer allows public key authentication

ssh authentication

My machine recently stopped accepting incoming public key authentication. I have an ubuntu 11.04 desktop that I ssh into from a windows machine. I use putty with pageant. I am able to connect but only with interactive password authentication, not with my rsa key that I have setup.

I have already verified that the key is listed in ~/.ssh/authorized_keys. How do I fix this and what do I check?


Solution 1:

If public key authentication doesn't work: make sure that on the server side, your home directory (~), the ~/.ssh directory, and the ~/.ssh/authorized_keys file, are all writable only by their owner. In particular, none of them must be writable by the group (even if the user is alone in the group). chmod 755 or chmod 700 is ok, chmod 770 is not.

What to check when something is wrong:

  • Run ssh -vvv to see a lot of debugging output. If you post a question asking why you can't connect with ssh, include this output (you may want to anonymize host and user names).
  • If you can, check the server logs in /var/log/auth.log.
  • If public key authentication isn't working, check the permissions again, especially the group bit (see above).

Solution 2:

I ran into the same thing and finally figured out that it was because I encrypted my home directory. SSH can't read the authorized_keys file until you log in, so basically it forces you to password authenticate first. See the section about the encrypted home directory on the following link:

https://help.ubuntu.com/community/SSH/OpenSSH/Keys#Encrypted_Home_Directory

Solution 3:

If you check the permissions on the directories, and there is a "." right after them, then you may have selinux enabled, which will mess w/ the key exchange, and default to manual password identification.

You can disable SELinux to troubleshoot by following the instructions here: http://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable-enforcement.html, or just edit the /etc/selinux/config file and change it from "enforcing" to "disabled".

Hope this helps.

Solution 4:

I would ensure that you have your settings in /etc/ssh/sshd_config correct.

To force the use of PKI only and to disallow passwords find the line 

#PasswordAuthentication yes

in your file, uncomment it and set it to 

PasswordAuthenticate no

I would also read through the balance of the settings to ensure they make sense. In particular, try to ensure that you use RSA keys since DSA is know to be compromised.

Solution 5:

One possible cause of the problem is that you have DSA keys but now SSH (apparently) defaults to requiring RSA keys. I got the problem when upgrading to 16.04. You can see more here but the short answer is add the following to ~/.ssh/config:

PubkeyAcceptedKeyTypes ssh-dss

Related

What is the difference between compare() and compareTo()?
Is it possible to make a Tree View with Angular?
JSONP with ASP.NET Web API
How to include multiple js files using jQuery $.getScript() method
How to support both armv6 and armv7s for release build in xcode 4.5
How to prevent multiple instances of an Activity when it is launched with different Intents
Setting an object to null vs Dispose()
Xcode 4.2 debug doesn't symbolicate stack call
Sort points in clockwise order?
Load RSA public key from file
Why does Python print unicode characters when the default encoding is ASCII?
How to perform a real time search and filter on a HTML table