Adding a public key to ~/.ssh/authorized_keys does not log me in automatically

爱一瞬间的悲伤 2020-12-02 03:15

I added the public SSH key to the authorized_keys file. ssh localhost should log me in without asking for the password.

I did that and tried t

30 answers
  • 2020-12-02 03:43

    Issue these on the command line:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    

    After you do this, make sure your directory is like this:

    drwx------ 2 lab lab 4.0K Mar 13 08:33 .
    drwx------ 8 lab lab 4.0K Mar 13 08:07 ..
    -rw------- 1 lab lab  436 Mar 13 08:33 authorized_keys
    -rw------- 1 lab lab 1.7K Mar 13 07:35 id_rsa
    -rw-r--r-- 1 lab lab  413 Mar 13 07:35 id_rsa.pub
    
    0 Comments (0)
  • 2020-12-02 03:44

    Setting up ssh authorized_keys seems to be simple, but it hides some traps I'm trying to figure out.

    -- SERVER --

    In /etc/ssh/sshd_config, set passwordAuthentication yes to let the server temporarily accept password authentication

    -- CLIENT --

    consider Cygwin as Linux emulation and install & run OpenSSH

    1. Generate private and public keys (client side) # ssh-keygen

    Here pressing just Enter, you get default two files, "id_rsa" and "id_rsa.pub", in ~/.ssh/, but if you give a name_for_the_key, the generated files are saved in your current working directory.

    2. Transfer the your_key.pub file to the target machine, ssh-copy-id user_name@host_name

    If you didn't create a default key, this is the first step to go wrong ... you should use:

    ssh-copy-id -i path/to/key_name.pub user_name@host_name

    3. Logging in with ssh user_name@host_name will work only for the default id_rsa file, so here is the second trap. You need to do ssh -i path/to/key_name user@host

    (Use ssh -v ... option to see what is happening.)

    If the server still asks for a password, then you gave something to Enter passphrase: when you created the keys (so it's normal).

    If ssh is not listening on the default port 22, you must use ssh -p port_nr.

    -- SERVER -----

    4. Modify file /etc/ssh/sshd_config to have

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile  %h/.ssh/authorized_keys
    

    (uncomment if case)

    This tells ssh to accept file authorized_keys and look in the user home directory for the key_name string written in the .ssh/authorized_keys file.

    5. Set permissions on the target machine

    chmod 755 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    

    Also turn off pass authentication,

    passwordAuthentication no

    to close the gate to all ssh root/admin/....@your_domain attempts.

    6. Ensure ownership and group ownership of all non-root home directories are appropriate.

    chown -R usernamehere ~
    chgrp -R user ~/.ssh/
    

    ===============================================

    7. Consider the excellent http://www.fail2ban.org

    8. Extra SSH tunnel to access a MySQL (bind = 127.0.0.1) server

    0 Comments (0)
  • 2020-12-02 03:44

    You need to verify the properties of the files.

    To assign the required property, use:

    $ chmod 600 ~/.ssh/sshKey
    $ chmod 644 ~/.ssh/sshKey.pub
    
    0 Comments (0)
  • 2020-12-02 03:44

    I had this problem and none of the other answers solved it, although of course the other answers were correct.

    In my case, it turned out that the /root directory itself (not e.g. /root/.ssh) had the wrong permissions. I needed:

    chown root:root /root
    chmod 700 /root
    

    Of course, those permissions should be something like that (maybe chmod 770) regardless. However, it specifically prevented sshd from working, even though /root/.ssh and /root/.ssh/authorized_keys both had correct permissions and owners.

    0 Comments (0)
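The answers above each fix one link of the same chain: the home directory, `~/.ssh`, and `authorized_keys`. The following is an added example, not code from any of the posters, that audits all three in one pass using the rule sshd applies under StrictModes: each path must be owned by the user or root and must not be group- or world-writable. The function name `audit_ssh_paths` and the throwaway demo directory are made up for illustration.

```shell
#!/bin/sh
# Added example. Applies the ownership / write-bit rule of sshd StrictModes:
# each path must be owned by the user or root and must not be group- or
# world-writable.
# Usage: audit_ssh_paths HOME_DIR [EXPECTED_UID]; returns 0 only if all pass.
audit_ssh_paths() {
    home=$1
    want_uid=${2:-$(id -u)}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING       $p"; bad=1; continue
        fi
        # ls -n: field 1 is the mode string, field 3 the numeric owner
        info=$(ls -ldnL -- "$p" | awk '{print $1, $3}')
        mode=${info% *}
        uid=${info#* }
        status=ok
        case $mode in
            ?????w*|????????w*) status="WRITABLE" ;;   # g+w or o+w
        esac
        if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
            status="WRONG-OWNER"
        fi
        [ "$status" = ok ] || bad=1
        printf '%-13s %s uid=%s %s\n' "$status" "$mode" "$uid" "$p"
    done
    return "$bad"
}

# Constructed demo: a throwaway "home" whose top directory has loose
# permissions while .ssh and authorized_keys are set correctly.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
chmod 770 "$demo"
audit_ssh_paths "$demo" || echo "=> sshd with StrictModes would ignore authorized_keys"
rm -rf "$demo"
```

On a real server, run `audit_ssh_paths /root 0` or `audit_ssh_paths "$HOME"` as the affected user. A pass here does not rule out the SELinux labelling issue, which file modes do not show.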
  • 2020-12-02 03:44

    I have had the same issues since before, but today I had to set up one new server. What I could learn in this time...

    The basic process to allow authentication without a password is as follows:

    1. On the server, validate if your home folder has the .ssh folder. If it doesn't exist, you can create it manually with a mkdir command and then assign the correct permissions with chmod, or otherwise you could use the same utility, ssh-keygen, to create private/public keys, but on the server for your user. This process will create the required .ssh folder.

    2. On the local machine you also need to create the private/public keys with the ssh-keygen utility.

    3. You need to move your public key to the file .ssh/authorized_keys on the server. To achieve this, you can use the ssh-copy-id utility, or you can do it manually using the cat and scp commands.

    4. In the best of cases, this will allow you to connect to your server without a password.

    OK, now the issues that I found today: first, there are several key generation algorithms (rsa, dsa, ecdsa and ed25519), and there are many releases of OpenSSH (you can have one version on your local machine and an old version on your server):

    Hint: Using ssh -v helps to see additional information when you are connecting to the server.

    OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f 31 Mar 2020

    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3

    The error in my case today was that I was trying to use a key with a "newer" generation algorithm that was not supported by the installed version of OpenSSH on the server. When I checked the supported algorithms, another error that I found was that the server was rejecting my algorithm:

    debug1: Skipping ssh-dss key /home/user/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes

    After that, I had to change the algorithm of my key and then I could connect with the server successfully.

    OpenSSH release notes: Link

    0 Comments (0)
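The `ssh -v` lines quoted in the answer above can be sorted mechanically. The following is an added example, not the poster's code. It reads client debug output and separates keys the client never sent (the `Skipping ... not in PubkeyAcceptedKeyTypes` message is printed by the ssh client itself) from keys the server refused. The function names and the sample log are constructed. Only the version and `Skipping` lines come from the page.

```shell
#!/bin/sh
# Added example: triage of `ssh -v` client debug output read from stdin.
triage_ssh_debug() {
    awk '
    /remote software version/ {
        sub(/.*remote software version /, "")
        print "server-version: " $0; next
    }
    # Client-side decision: the key is never sent to the server. Prefix match,
    # because newer OpenSSH names the option PubkeyAcceptedAlgorithms.
    /Skipping .* key .* not in PubkeyAccepted/ {
        print "not-offered: " $3 " " $5; next
    }
    # Covers "Offering public key: PATH ..." and "Offering RSA public key: PATH".
    /Offering .*public key: / {
        sub(/.*public key: /, ""); offered = $1; next
    }
    /Server accepts key/ && offered != "" {
        print "accepted: " offered; offered = ""; next
    }
    # The method list coming back right after an offer means the server said no.
    /Authentications that can continue/ && offered != "" {
        print "refused-by-server: " offered; offered = ""; next
    }'
}

# Constructed sample log (fingerprint is a placeholder, not a real value).
sample_ssh_v() {
    cat <<'EOF'
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: Authentications that can continue: publickey,password
debug1: Skipping ssh-dss key /home/user/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}

sample_ssh_v | triage_ssh_debug
```

Against a live host, feed it real output with `ssh -v user@host true 2>&1 | triage_ssh_debug`, since the debug lines go to stderr.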
  • 2020-12-02 03:45

    SELinux can also cause authorized_keys not to work. Especially for root in CentOS 6 and 7. There isn't any need to disable it though.

    Once you've verified your permissions are correct, you can fix this like so:

    chmod 700 /root/.ssh
    chmod 600 /root/.ssh/authorized_keys
    restorecon -R -v /root/.ssh
    
    0 Comments (0)