ssh: 12.04 Cannot open authorized keys
I cannot get sshd to read authorized_keys (see auth.log dump for more) and thus it won't allow RSA-based connections. I'm stuck with password log-in (and trying to transition away from that). It claims that the authorized_keys file does not exist. It does (exist) and is accessible by <user> (600). sshd has NOT been added to <group> (it's a standard Ubuntu Server 12.04 install).
Changes to the dumps, etc. (below):
OpenSSH user: <user> (user name is of the form "abcd-efgh", btw)
OpenSSH user's group: <group> (i.e., same name as user, standard Ubuntu install)
OpenSSH client ip: <client ip>
OpenSSH server hostname: <host>
System Info:
This is a new Ubuntu Server (12.04) install. All patches have been applied (as of the timestamps you see below). This is a "textbook" installation and I can log in with password fine (and then sudo). root is as configured by Ubuntu installer (not using it directly). The machine ONLY has OpenSSH installed (i.e., choose OpenSSH in Ubuntu Installation and nothing else). OpenSSH on the machine is accessible via direct and network interfaces (but RSA-based auth fails always). Not using DSA. Not allowing OpenSSH v1.
It shouldn't matter, but... I'm connecting (via TCP) from a Windows 7 client via PuTTY (with Pageant configured to present the private key, etc.). The private key (.ppk form) is a "textbook" password protected, RSA-2, 1024b key.
Files Info:
/home/<user> is 750
/home/<user>/.ssh is 700 (was 750)
/home/<
ALL of those directories/files are owned by <user> and <group> (i.e., standard Ubuntu Server installation stuff)
authorized_keys HAS a single, valid ssh-rsa key line plus one \n (at end). There are no extra chars at the start of the file (i.e., first char is 's' of ssh-rsa)
There are NO other files in ~/.ssh/
Dump of (relevant part of) auth.log
----------
May 19 12:22:06 <host> sshd[7558]: debug1: userauth-request for user <user> service ssh-connection method none [preauth]
May 19 12:22:06 <host> sshd[7558]: debug1: attempt 0 failures 0 [preauth]
May 19 12:22:27 <host> sshd[7558]: debug1: PAM: initializing for "<user>"
May 19 12:22:27 <host> sshd[7558]: debug1: PAM: setting PAM_RHOST to "<client ip>"
May 19 12:22:27 <host> sshd[7558]: debug1: PAM: setting PAM_TTY to "ssh"
May 19 12:22:27 <host> sshd[7558]: debug1: userauth-request for user <user> service ssh-connection method publickey [preauth]
May 19 12:22:27 <host> sshd[7558]: debug1: attempt 1 failures 0 [preauth]
May 19 12:22:27 <host> sshd[7558]: debug1: test whether pkalg/pkblob are acceptable [preauth]
May 19 12:22:27 <host> sshd[7558]: debug1: Checking blacklist file /usr/share/
May 19 12:22:27 <host> sshd[7558]: debug1: Checking blacklist file /etc/ssh/
May 19 12:22:27 <host> sshd[7558]: debug1: temporarily_
May 19 12:22:27 <host> sshd[7558]: debug1: trying public key file /home/<
May 19 12:22:27 <host> sshd[7558]: debug1: Could not open authorized keys '/home/
ch file or directory
May 19 12:22:27 <host> sshd[7558]: debug1: restore_uid: 0/0
May 19 12:22:27 <host> sshd[7558]: Failed publickey for <user> from <client ip> port 55099 ssh2
Dump of sshd_config:
----------
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/
#HostKey /etc/ssh/
#HostKey /etc/ssh/
#Privilege Separation is turned on for security
UsePrivilegeSep
# Lifetime and size of ephemeral version 1 server key
KeyRegeneration
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentic
#AuthorizedKeysFile %h/.ssh/
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_
RhostsRSAAuthen
# similar for protocol version 2
HostbasedAuthen
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthen
#IgnoreUserKnow
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPass
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeRespon
# Change to no to disable tunnelled clear text passwords
#PasswordAuthen
# Kerberos options
#KerberosAuthen
#KerberosGetAFS
#KerberosOrLoca
#KerberosTicket
# GSSAPI options
#GSSAPIAuthenti
#GSSAPICleanupC
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeRespon
# PasswordAuthent
# PAM authentication via ChallengeRespon
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthent
# and ChallengeRespon
UsePAM yes
# Restrict access to the following user(s).
#AllowUsers <user>
Question information
- Language: English
- Status: Expired
- For: Ubuntu openssh
- Assignee: No assignee
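
Added example (not part of the original question and not OpenSSH code): a shell check that separates the two ways sshd can reject an authorized_keys file, a failed open like the "Could not open authorized keys" line in the log above versus a StrictModes ownership or permission refusal. The function name check_authkeys and its verdict strings are made up for this example; it assumes the default ~/.ssh/authorized_keys location and GNU stat.

```shell
#!/bin/sh
# Added example: reproduce the two checks behind sshd's public-key file lookup.
# Usage: check_authkeys HOME_DIR EXPECTED_UID
# Prints one verdict line; returns 0 (ok), 1 (path missing), 2 (bad owner/mode).
check_authkeys() {
    home=$1
    uid=$2
    keyfile="$home/.ssh/authorized_keys"   # assumed default AuthorizedKeysFile

    # 1. Existence. If any component is absent when sshd looks, the open fails
    #    and the log shows "Could not open authorized keys ...".
    for p in "$home" "$home/.ssh" "$keyfile"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            return 1
        fi
    done

    # 2. StrictModes. The file and each directory up to the home directory
    #    must be owned by the user or root and not be group/world-writable.
    for p in "$keyfile" "$home/.ssh" "$home"; do
        owner=$(stat -c %u "$p")
        mode=$(stat -c %a "$p")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "BAD_OWNER $p uid=$owner"
            return 2
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD_MODE $p mode=$mode"
            return 2
        fi
    done

    echo "OK $keyfile"
    return 0
}

# Stand-alone use: sh check_authkeys.sh /home/USER "$(id -u USER)"
if [ $# -eq 2 ]; then
    check_authkeys "$1" "$2"
fi
```

Run it as root from a session that is not the affected user's own login, so the result reflects the filesystem as sshd sees it at authentication time.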