- 05-15-2012 #1 Just Joined!
- Join Date: May 2012
- Posts: 4
SSH Public Key password problem
Greetings,
This issue appears related to many other posts I have seen in forums on ssh public keys/automatic logins. I have followed multiple tutorials and tried everything mentioned in forums that I have seen (including permissions and ensuring that my sshd_config file is correct).
I have 2 servers running RH Linux 6.0 on 64 bit machines. Server1 is 'hardened' (locked down as it needs to be as secure as possible). Server2 is not. I generated a public key on a third box (ssh-keygen -t rsa) and used scp to copy the public key to both machines (my_home_dir/.ssh). I restarted the ssh daemon on both boxes.
When I attempt to log in to server1, I get prompted for a password. When I log in to server2, I do not.
I have gone as far as copying the sshd_config from server2 to server1 and restarting the sshd daemon on server1. I have checked permissions and have tried everything I can find on various forums.
When I run the ssh command from the 3rd box in debug mode (ssh -vvv server1 or ssh -vvv server2) I notice that I get the same debug output UP TO the point where I see the output "we sent a public key package, wait for reply". The next line in the debug output from server2 is "Server accepts key, pkalg ssh-rsa blen 149". The next line in the debug output from server1 is "Authentications that can continue: publickey, gssapi-keyex......."
What other issues could possibly cause this situation?
Any help is appreciated.
thanks,
Bill
- 05-16-2012 #2 Trusted Penguin
- Join Date: May 2011
- Posts: 3,687
when you say you copied the public key to servers 1 and 2, what exactly does that mean? did you just copy the files there or did you actually copy their contents into the remote file ~/.ssh/authorized_keys2 (which is what you should have done)?
Code:
e.g. scp ~/.ssh/id_dsa.pub server1:.ssh/
this is what the ssh-keygen program does for you, btw.
- 05-16-2012 #3 Just Joined!
- Join Date: May 2012
- Posts: 4
I have tried both ways. I used keygen to gen the public and private key on client1. I tried using scp to copy the public key (id_rsa.pub) to 'my_home_dir/.ssh/authorized_keys' on server1 and also to server2. I also tried cutting and pasting the contents of the id_rsa.pub to authorized_keys on server1 and server2. So, the scenario is that I did a keygen on the client. Copied public key from client to both servers 'authorized_keys'. Made sure that the /etc/ssh/sshd_config file on both servers contained lines:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
When I log in to server2 from client1, I don't get prompted for a password. When I log in to server1 from client1, I do get prompted for a password. Both servers are running RH linux and are 64 bit machines. The difference is that I had to put some 'hardening' techniques (e.g., more secure) on the server that still prompts for password.
- 05-16-2012 #4 Just Joined!
- Join Date: May 2012
- Posts: 4
I know it's a shot in the dark, but:
As I mentioned, I have server1 and server2 (I will call them server_pw, server_nopw). server_nopw is the one that doesn't prompt me for a password.
I noticed something different in the systems. There are different services running. I used a 'chkconfig --list | grep on' command. Could this have something to do with the problem on the server_pw machine? The services that ARE running on the server_nopw but NOT running on the server_pw (the one that asks me for a password) are:
NetworkManager
abrtd
acpid
atd
autofs
bluetooth
cups
iscsi
iscsid
ksm
ksmtuned
libvirt-guests
libvirtd
nfslock
portreserve
postfix
rhnsd
rpcbind
rpcgssd
rpcidmapd
rsyslog
sysstat
udev-post
Are any of those services pertinent to getting the public key authentication to work?
- 05-16-2012 #5 Trusted Penguin
- Join Date: May 2011
- Posts: 3,687
- 05-17-2012 #6 Linux Newbie
- Join Date: Apr 2012
- Posts: 112
you could use the diff command to compare both sshd_config files and post the results here.
Since you have hardened one of the servers it's possible that it might be preventing passphraseless key logins (not sure if this is actually possible, I've never tried to do it myself).
- 05-21-2012 #7 Just Joined!
- Join Date: May 2012
- Posts: 4
Problem solved. Not only does the .ssh directory have strict permissions (along with files in that directory), but the parent directory has strict permission requirements. Changed directory permissions to 750 and all was well. Also, found out that you can set a parameter in the sshd_config file to override that strict permission requirement (StrictMode = no).
Thank you very much for all of your help on this issue.
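The permission rule behind this fix, as an added example that is not part of the original thread: with the sshd_config keyword StrictModes left at its default of yes, sshd ignores authorized_keys when that file, ~/.ssh or the home directory is group- or other-writable or is owned by someone other than the user or root. The function name check_strictmodes is hypothetical, and the script assumes GNU stat (stat -c) as found on Red Hat systems.

```sh
#!/bin/sh
# Added example: list paths that fail the StrictModes ownership/mode rule.
# Usage: sh strictmodes_check.sh HOME_DIR USER_UID [AUTHORIZED_KEYS_PATH]
# Assumes GNU stat (stat -c), as on Red Hat systems.

check_strictmodes() (
    home=${1%/}
    uid=$2
    path=${3:-$home/.ssh/authorized_keys}
    bad=0
    while :; do
        if st=$(stat -c '%a %u' -- "$path" 2>/dev/null); then
            mode=${st% *}
            owner=${st#* }
            # Must be owned by the user or by root.
            if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
                echo "OWNER $path (uid $owner)"
                bad=1
            fi
            # Must not be group- or other-writable (mode & 022).
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                echo "WRITABLE $path (mode $mode)"
                bad=1
            fi
        else
            echo "MISSING $path"
            bad=1
        fi
        # Stop once the home directory itself has been checked.
        if [ "$path" = "$home" ] || [ "$path" = / ] || [ "$path" = . ]; then
            break
        fi
        path=$(dirname -- "$path")
    done
    # Exit status 0 only when every checked path passed.
    [ "$bad" -eq 0 ]
)

# Run against a real account only when arguments are given.
if [ "$#" -ge 2 ]; then
    check_strictmodes "$@"
fi
```

Running it on the server that still prompts for a password points at the offending path directly, so the permissions can be tightened without turning the check off.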



