Ubuntu
openssh package

why does ssh autologin through public keys fail silently sometimes?

Asked by enb

Binary package hint: ssh

I created id_dsa.pub and id_dsa on my client computer (did not use a passphrase), I then added the contents of the .pub file to two other computers, renaming the file authorized_keys on both. However, while one computer does not ask for passwords for ssh login attempts from the client, the other one still does ask for the password everytime. All 3 computers are x64 maverick, and because I followed the same procedure for both ssh servers, one of them has to be a bug.

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu openssh Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:

This question was originally filed as bug #669338.

Revision history for this message
enb (elitenoobboy) said : 		#1

What is incomplete about it?

Revision history for this message
Clint Byrum (clint-fewbar) said : 		#2

Sorry enb, I typed a fairly lengthy comment and hit submit, but I think I may have closed my browser before it was sent.

First off, the file must be ~/.ssh/authorized_keys. Second, the permissions on ~/.ssh and ~/.ssh/authorized_keys must be secure enough so that other users cannot see the contents, or sshd will complain.

Try

ls -ld ~/.ssh

and

ls -l ~/.ssh/authorized_keys

and make sure that other users cannot read or access them.

If the permissions are correct, then you may want to look in /var/log/auth.log on the systems where this fails for any error messages stating why.

If there are no errors in auth.log and your permissions seem correct, then you can try

ssh -v [ whatever other options you want ]

And paste or upload that as a text file here.

So, marking Incomplete (again) pending response from enb.

Also please do not Confirm your own bug reports. See https://wiki.ubuntu.com/Bugs/Status for information on when marking a bug as Confirmed is appropriate.

Revision history for this message
enb (elitenoobboy) said : 		#3

"the permissions on ~/.ssh and ~/.ssh/authorized_keys must be secure enough so that other users cannot see the contents"

After looking at auth.log, I get
    Authentication refused: bad ownership or modes for directory /home/username
So, I removed w and x from my main folder for group and others, which made it work, but before I changed that, the .ssh folder had no permissions for group or others, and I changed authorized_keys so that group and others also had no permissions for group and others.

So, by what you said, the permissions for .ssh/ and authorized_keys were satisfied, but it still failed because it required the users main folder. Should this behaviour of also expecting certain permissions for the users main folder be considered a bug? Is it documented anywhere?

Revision history for this message
Clint Byrum (clint-fewbar) said : 		#4

Right, I forgot that ~ has to be secure as well.

Yes this is documented and desired as the default behavior. From man sshd_config :

     StrictModes
             Specifies whether sshd should check file modes and ownership of the user’s files and home directory before accepting login. This is normally
             desirable because novices sometimes accidentally leave their directory or files world-writable. The default is “yes”.

You can turn this off in /etc/ssh/sshd_config by changing

StrictModes yes

to

StrictModes no

Though it is not recommended.

I will go ahead and convert this to a question.

Revision history for this message
Clint Byrum (clint-fewbar) said : 		#5

The user's home directory and certain files must be unaccessible to other users if the StrictModes setting is set to 'yes' in /etc/ssh/sshd_config. This is on by default to protect from accidentally allowing another user to add keys to your authorized_key file.

Can you help with this problem?

Provide an answer of your own, or ask enb for more information if necessary.

To post a message you must log in.