- 12-29-2005 #1 Just Joined!
- Join Date
- Nov 2005
- Posts
- 20
ssh public key problem
I am trying to get ssh public key authentication to work, but I'm always greeted with a password prompt. I did the following:
1.) Created a public/private key pair via
Code:
$ ssh-keygen -b 2048 -t dsa
2.) scp'd the id_dsa.pub file to the remote server and added it to the authorized_keys file via
Code:
$ cat id_dsa.pub >>authorized_keys
3.) added the private key to my ssh-agent via
Code:
$ ssh-add
In the sshd_conf file on the remote machine, PubkeyAuthentication is set to yes, so it should work. Logging in via password authentication also works fine. So what is the problem?
PS: This is the ssh output with the -vvv option enabled (abridged):
Code:
(...)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/lo/.ssh/id_dsa (0x8090518)
debug2: key: /home/lo/.ssh/identity ((nil))
debug2: key: /home/lo/.ssh/id_rsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/lo/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/lo/.ssh/identity
debug3: no such identity: /home/lo/.ssh/identity
debug1: Trying private key: /home/lo/.ssh/id_rsa
debug3: no such identity: /home/lo/.ssh/id_rsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
- 12-29-2005 #2
Where is the authorized_keys file on the remote machine? It needs to be in the ~/.ssh directory.
Permissions should look like so:
Code:
hector@troy:~/.ssh> ls -la
drwx------  2 hector users 4096 2005-11-23 23:32 .
drwx------ 17 hector users 8192 2005-12-23 14:01 ..
-rw-------  1 hector users  391 2005-10-29 16:23 authorized_keys
- 12-29-2005 #3
The authorized_keys file is in the right directory, the permissions are OK.
- 12-29-2005 #4
Some basic stuff then:
1. Same user name on both machines?
2. What ssh command are you using to do this?
3. On the local machine, what does
Code:
grep 'IdentityFile' /etc/ssh/ssh_config
show you?
4. Did you remember to restart sshd on the remote machine after setting PubkeyAuthentication to yes in sshd_config?
5. On the local machine, what do the permissions for ~/.ssh/id_dsa look like?
- 12-29-2005 #5
No, see below.
Originally Posted by anomie: 2. What ssh command are you using to do this?
$ ssh remoteuser@remotemachine.domain.com
Originally Posted by anomie: 3. On the local machine, what does
Code:
grep 'IdentityFile' /etc/ssh/ssh_config
show you?
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
Originally Posted by anomie: 4. Did you remember to restart sshd on the remote machine after setting PubkeyAuthentication to yes in sshd_config?
I did not have to change anything there, the settings were already ok.
Originally Posted by anomie: 5. On the local machine, what do the permissions for ~/.ssh/id_dsa look like?
the permissions are:
Code:
-rw------- 1 lo lo 1,2K 2005-12-24 15:59 id_dsa
ssh with password authentication works fine, so the basics must be configured right.
Any more ideas?
- 12-29-2005 #6
I wonder if this has something to do with how the authorized_keys file was created. Could you run (on the remote machine):
Code:
cat ~/.ssh/authorized_keys
But do not post the output here. Have a look at the user@host part at the very end of the output. What does it say there?
Also, for peace of mind could you post the results (run from remote machine) of:
Code:
grep 'Pubkey' /etc/ssh/sshd_config
And the permissions for both ~/.ssh and ~/.ssh/authorized_keys on the remote machine. I know you checked, but might as well double-check.
- 12-29-2005 #7
Originally Posted by anomie: Have a look at the user@host part at the very end of the output. What does it say there?
It says something like
Code:
== username@localmachine
where username is my username on the local machine and localmachine is the name of my local machine.
Originally Posted by anomie: Also, for peace of mind could you post the results (run from remote machine) of:
Code:
grep 'Pubkey' /etc/ssh/sshd_config
It is:
Code:
PubkeyAuthentication yes
Originally Posted by anomie: And the permissions for both ~/.ssh and ~/.ssh/authorized_keys on the remote machine. I know you checked, but might as well double-check.
The permissions are:
Code:
drwx------ 2 schmidlo exp1  544 Dec 29 14:14 .ssh
-rw------- 1 schmidlo exp1 2.2K Dec 29 14:14 authorized_keys
- 12-30-2005 #8
No problems there. One more thing occurs to me; can you post the results (run on remote machine) of
Code:
grep 'AuthorizedKeysFile' /etc/ssh/sshd_config
If we see anything other than .ssh/authorized_keys there we can adjust accordingly.
If that is the value you see there, then this is a very strange problem. What I would do in that case is:
- Copy the .pub key to the remote .ssh directory again, giving it the appropriate name (assuming authorized_keys unless you find out otherwise). This time clobber the existing file with the > redirection operator (not >>) - unless you have a good reason not to.
- Restart sshd on the remote machine - even if you think you don't need to.
- Try again.
- 12-30-2005 #9
P.S. One question about your ls listing in your post above. The authorized_keys file is within the .ssh directory, correct?
The way you posted it it looks like they're on the same directory level (which won't work).
- 12-30-2005 #10
It returns:
Code:
#AuthorizedKeysFile %h/.ssh/authorized_keys
which should be ok, because according to the manpage of sshd_config, the default value is ~/.ssh/authorized_keys.
Originally Posted by anomie: If that is the value you see there, then this is a very strange problem. What I would do in that case is:
- Copy the .pub key to the remote .ssh directory again, giving it the appropriate name (assuming authorized_keys unless you find out otherwise). This time clobber the existing file with the > redirection operator (not >>) - unless you have a good reason not to.
- Restart sshd on the remote machine - even if you think you don't need to.
- Try again.
I copied the public key file and added it to authorized keys, but it did not work. Restarting sshd is not possible since I don't have root access on that machine. I guess I have to talk to the system administrator. But thanks for your suggestions.
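
The server-side checks discussed in this thread (ownership and mode of ~/.ssh and authorized_keys, and whether the appended key arrived intact on one line), collected into a script that is added here and is not part of the original posts. It also checks the home directory itself, which sshd's StrictModes option (default yes) covers as well; the function names are hypothetical and the default AuthorizedKeysFile location is assumed.

```shell
#!/bin/sh
# Added example: run on the remote machine as the login user.
# Assumes StrictModes yes and AuthorizedKeysFile ~/.ssh/authorized_keys.

# Return 0 if the path exists, is owned by the current user and is
# not writable by group or other.
path_is_strict() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    [ -O "$1" ] || { echo "not owned by $(id -un): $1"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. drwx------
    case "$mode" in
        ?????w????|????????w?)
            echo "group/other writable ($mode): $1"; return 1 ;;
    esac
    return 0
}

# Check home, ~/.ssh and authorized_keys; exit status = number of failures.
check_ssh_perms() {
    home=$1; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        path_is_strict "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

# Return 0 if the base64 blob from the .pub file appears complete on a
# single line of authorized_keys (a wrapped or cut-off paste fails).
key_is_listed() {
    blob=$(awk '{print $2; exit}' "$1")
    [ -n "$blob" ] || { echo "no key blob in $1"; return 1; }
    grep -qF -- "$blob" "$2"
}

# When called with a public-key file as argument, run both checks.
if [ "$#" -ge 1 ]; then
    check_ssh_perms "$HOME" && echo "permissions: ok"
    if key_is_listed "$1" "$HOME/.ssh/authorized_keys"; then
        echo "key: listed"
    else
        echo "key: not found on a single line"
    fi
fi
```

Without root access, this covers what the account owner can verify; the reason sshd rejected the key is recorded in the server's own log, which the administrator can read.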