SSH still asks for password after setting up key based authentication












10















I have successfully created a key based auth for root user from my A machine to my B machine.



Now, I created a new user on B machine, the same as on A machine, let's call him USER. I created a home dir for him on B machine /home/USER and I want to create key based auth for him from machine A to B machine.



So, I ran on A machine





  1. ssh-keygen -t rsa, accepted all paths, so /home/USER/.ssh/id_rsa and with no phrases


  2. ssh-copy-id -i /home/USER/.ssh/id_rsa.pub USER@BmachinesIP, entered password and got message



Now try logging into the machine bla bla bla




So everything seems to be OK.



But when I tried to connect ssh USER@BmachinesIP I was asked for a password.
I tried to see the log and ran ssh -vvv USER@BmachinesIP and here is a part of output:



debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USER/.ssh/id_dsa
debug3: no such identity: /home/USER/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USER@BmachinesIP's password:


So, can anyone tell me what I've done wrong or what I should change? Maybe the issue is in the permissions, here they are:



on A machine:



drwx------  2 USER USER    SIZE DATE TIME .ssh
-rw------- 1 USER USER 1675 2011-10-31 14:36 id_rsa
-rw-r--r-- 1 USER USER 413 2011-10-31 14:36 id_rsa.pub


and on B machine:



drwx------  2 USER defaultGroup    SIZE DATE TIME .ssh
-rw------- 1 USER defaultGroup SIZE DATE TIME authorized_keys
























migrated from stackoverflow.com Oct 31 '11 at 10:06


This question came from our site for professional and enthusiast programmers.


























      linux authentication ssh














      edited Oct 31 '11 at 10:14









      slhck











      asked Oct 31 '11 at 9:33









      trattotratto

























          3 Answers


















          13














          I have found a solution. There was an issue in permissions.



          /home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755






          edited Aug 14 '12 at 5:16
          Sathyajith Bhat

          answered Oct 31 '11 at 11:16
          trattotratto





















          • 2





            Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.

            – jchook
            Feb 18 '13 at 16:47











          • Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?

            – Pablo Olmos de Aguilera C.
            Apr 7 '13 at 22:54











          • Seems that there's no way; the only workaround would be to set StrictModes no in sshd_config. :/.

            – Pablo Olmos de Aguilera C.
            Apr 7 '13 at 23:02






          • 2





            Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working

            – erik
            Jul 30 '13 at 21:27








          • 2





            I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.

            – Amalgovinus
            Jun 17 '14 at 2:05
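The permission rule discussed in this answer and its comments, as an added example that is not part of the original posts: a read-only re-creation of the ownership and mode walk that sshd applies to authorized_keys while StrictModes is on. It shows that the test is "no group or other write bit on the key file and on each directory up to the home directory", which 755, 750 and 700 satisfy and 775 and 777 do not. The function names are hypothetical; it assumes `stat -c` (GNU or busybox) and absolute, symlink-free paths.

```shell
#!/bin/sh
# Added example: the ownership/mode walk sshd performs on authorized_keys
# when StrictModes is on, re-created as a read-only check.
# Assumptions: `stat -c` is available; paths are absolute and symlink-free.

# path_is_safe PATH UID: succeed only if PATH is owned by UID or root and
# carries no group/other write bit (mode & 022 == 0).
path_is_safe() {
    sp_path=$1; sp_uid=$2
    sp_info=$(stat -c '%a %u' "$sp_path" 2>/dev/null) || {
        echo "cannot stat $sp_path"; return 1; }
    sp_mode=${sp_info% *}; sp_owner=${sp_info#* }
    if [ "$sp_owner" != "$sp_uid" ] && [ "$sp_owner" != 0 ]; then
        echo "bad owner (uid $sp_owner): $sp_path"; return 1
    fi
    if [ $(( 0$sp_mode & 022 )) -ne 0 ]; then
        echo "group/other-writable (mode $sp_mode): $sp_path"; return 1
    fi
    return 0
}

# check_authorized_keys FILE HOME UID: check FILE, then every parent
# directory up to and including HOME; the first failure is reported.
check_authorized_keys() {
    ck_file=$1; ck_home=$2; ck_uid=$3
    [ -f "$ck_file" ] || { echo "not a regular file: $ck_file"; return 1; }
    path_is_safe "$ck_file" "$ck_uid" || return 1
    ck_dir=$ck_file
    while :; do
        ck_dir=$(dirname "$ck_dir")
        path_is_safe "$ck_dir" "$ck_uid" || return 1
        [ "$ck_dir" = "$ck_home" ] && break
        [ "$ck_dir" = "/" ] && break
    done
    echo "ok"
}

# Demo on a throwaway tree (constructed; nothing under the real $HOME is read).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/USER/.ssh"
    : > "$d/home/USER/.ssh/authorized_keys"
    chmod 700 "$d/home/USER/.ssh"
    chmod 600 "$d/home/USER/.ssh/authorized_keys"
    for m in 777 775 755 750; do
        chmod "$m" "$d/home/USER"
        printf 'home mode %s: ' "$m"
        check_authorized_keys "$d/home/USER/.ssh/authorized_keys" \
            "$d/home/USER" "$(id -u)" || true
    done
    rm -rf "$d"
}
demo
```

On machine B the call would be `check_authorized_keys /home/USER/.ssh/authorized_keys /home/USER "$(id -u USER)"`, run as root or as USER.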



















          2














          Same problem for me on a fresh CentOS7 install.



          1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)



          chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys


          2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.



          I still got a password prompt after checking all that was ok.



          Run ssh client with -vvv logs:



          debug3: send_pubkey_test 
          debug2: we sent a publickey packet, wait for reply


          Server (/var/log/secure) logs:



          Failed publickey for * from * port * ssh2: RSA *


          ssh server doesn't send more error info to client as that would be a security risk.



          If I ran sshd on a different port, 'sshd -p 5555 -d', the key worked. Passwordless login ok. WTF?



          Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and rebooted. Passwordless login then worked ok.



          my current working sshd_config settings:



          [root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config  
          HostKey /etc/ssh/ssh_host_rsa_key
          HostKey /etc/ssh/ssh_host_dsa_key
          SyslogFacility AUTHPRIV
          LogLevel VERBOSE
          RSAAuthentication yes
          PubkeyAuthentication yes
          AuthorizedKeysFile .ssh/authorized_keys
          HostbasedAuthentication yes
          PasswordAuthentication yes
          ChallengeResponseAuthentication no
          GSSAPIAuthentication no
          GSSAPICleanupCredentials no
          UsePAM yes
          X11Forwarding yes
          UseDNS no
          AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
          AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
          AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
          AcceptEnv XMODIFIERS
          Subsystem sftp /usr/libexec/openssh/sftp-server


          So it would be nice to know whether we could change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?





































            0














            The solution is not to disable SELinux but to fix the SELinux permissions of the user directory. The user directory context must be set to user_home_t.



            To check,



            $ sudo ls -Z /home/


            If the context for your user directory is anything other than user_home_t, SELinux would not allow SSH via public key into that user directory for that user.



            To fix,



            $ sudo semanage fcontext -a -t user_home_t /home/azureuser
            $ sudo restorecon -vvRF /home/azureuser


            The key based login should now work.
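The answers above found the cause only on the server side, since the client's -vvv output shows nothing beyond the rejected key. As an added example (not from any of the posts), this triage function reads sshd and audit log lines and separates the two causes discussed on this page: a StrictModes rejection and an SELinux denial against sshd. The function names are hypothetical and every log line is a constructed sample that follows the sshd and auditd message formats.

```shell
#!/bin/sh
# Added example: sort server-side evidence for a rejected public key into the
# two causes discussed on this page. All log lines below are constructed.

# classify_pubkey_failure: read sshd (/var/log/secure) and audit log lines on
# stdin and print one line per finding:
#   strictmodes PATH     sshd refused the key file because of PATH's modes
#   selinux NAME TYPE    SELinux denied sshd access to NAME labelled TYPE
#   unexplained N        N failed publickey attempts, no cause logged
classify_pubkey_failure() {
    awk '
    /sshd\[[0-9]+\]: Authentication refused: bad ownership or modes for / {
        print "strictmodes", $NF; found = 1
    }
    /avc: +denied/ && /comm="sshd"/ {
        name = "?"; ttype = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) { name = $i; gsub(/^name=|"/, "", name) }
            if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
        }
        print "selinux", name, ttype; found = 1
    }
    /sshd\[[0-9]+\]: Failed publickey for / { failed++ }
    END { if (!found && failed) print "unexplained", failed }
    '
}

# Constructed sample: home directory writable by group or others.
sample_permissions() { cat <<'EOF'
Oct 31 10:01:02 B sshd[2101]: Authentication refused: bad ownership or modes for directory /home/USER
Oct 31 10:01:02 B sshd[2101]: Failed publickey for USER from 192.0.2.10 port 50522 ssh2: RSA (constructed)
EOF
}

# Constructed sample: modes are fine, but the key file carries a label that
# the policy does not let sshd read.
sample_selinux() { cat <<'EOF'
type=AVC msg=audit(1320055262.100:77): avc:  denied  { read } for  pid=2101 comm="sshd" name="authorized_keys" dev="dm-0" ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
Oct 31 10:01:02 B sshd[2101]: Failed publickey for USER from 192.0.2.10 port 50522 ssh2: RSA (constructed)
EOF
}

# Constructed sample: only the bare failure, as quoted in the answer above.
sample_bare() { cat <<'EOF'
Oct 31 10:01:02 B sshd[2101]: Failed publickey for USER from 192.0.2.10 port 50522 ssh2: RSA (constructed)
EOF
}

for s in sample_permissions sample_selinux sample_bare; do
    printf '%s -> %s\n' "$s" "$($s | classify_pubkey_failure)"
done
```

On a live server, feed it the real logs, for example `cat /var/log/secure /var/log/audit/audit.log | classify_pubkey_failure`; the log paths vary by distribution.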






            share|improve this answer

























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "3"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f352368%2fssh-still-asks-for-password-after-setting-up-key-based-authentication%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              13














              I have found a solution. There was an issue in permissions.



              /home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755






              share|improve this answer





















              • 2





                Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.

                – jchook
                Feb 18 '13 at 16:47











              • Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 22:54











              • Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 23:02






              • 2





                Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working

                – erik
                Jul 30 '13 at 21:27








              • 2





                I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.

                – Amalgovinus
                Jun 17 '14 at 2:05
















              13














              I have found a solution. There was an issue in permissions.



              /home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755






              share|improve this answer





















              • 2





                Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.

                – jchook
                Feb 18 '13 at 16:47











              • Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 22:54











              • Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 23:02






              • 2





                Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working

                – erik
                Jul 30 '13 at 21:27








              • 2





                I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.

                – Amalgovinus
                Jun 17 '14 at 2:05














              13












              13








              13







              I have found a solution. There was an issue in permissions.



              /home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755






              share|improve this answer















              I have found a solution. There was an issue in permissions.



              /home/USER on remote machine was granted all permissions, but for key based auth it must be set to 755







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Aug 14 '12 at 5:16









              Sathyajith Bhat

              52.7k29154252




              52.7k29154252










              answered Oct 31 '11 at 11:16









              trattotratto

              181117




              181117








              • 2





                Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.

                – jchook
                Feb 18 '13 at 16:47











              • Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 22:54











              • Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 23:02






              • 2





                Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working

                – erik
                Jul 30 '13 at 21:27








              • 2





                I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.

                – Amalgovinus
                Jun 17 '14 at 2:05














              • 2





                Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.

                – jchook
                Feb 18 '13 at 16:47











              • Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 22:54











              • Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.

                – Pablo Olmos de Aguilera C.
                Apr 7 '13 at 23:02






              • 2





                Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working

                – erik
                Jul 30 '13 at 21:27








              • 2





                I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.

                – Amalgovinus
                Jun 17 '14 at 2:05








              2




              2





              Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.

              – jchook
              Feb 18 '13 at 16:47





              Wow. Amazing that there is zero debug output about permissions even though they are central to proper public key config.

              – jchook
              Feb 18 '13 at 16:47













              Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?

              – Pablo Olmos de Aguilera C.
              Apr 7 '13 at 22:54





              Wow, you are right. Now it's working.... though I really want to keep the permission it had originally (775). Any clue about how to change that?

              – Pablo Olmos de Aguilera C.
              Apr 7 '13 at 22:54













              Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.

              – Pablo Olmos de Aguilera C.
              Apr 7 '13 at 23:02





              Seems that there's no way, only workaround would be set the StrictModes no in sshd_config. :/.

              – Pablo Olmos de Aguilera C.
              Apr 7 '13 at 23:02




              2




              2





              Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working

              – erik
              Jul 30 '13 at 21:27







              Essentially you need these permissions: chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, then it works. Copied from the answer of Maxime R. from here: askubuntu.com/questions/54670/passwordless-ssh-not-working

              – erik
              Jul 30 '13 at 21:27






              2




              2





              I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.

              – Amalgovinus
              Jun 17 '14 at 2:05





              I've done all these permissions changes, and it still asks me for a password when I ssh. I've also verified that the private key is the same on both machines (Ubuntu). Pretty puzzled.

              – Amalgovinus
              Jun 17 '14 at 2:05













              2














              Same problem for me fresh CentOS7 install.



              1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)



              chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys


              2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.



              I still got password prompt after checking all that was ok.



              Run ssh client with -vvv logs:



              debug3: send_pubkey_test 
              debug2: we sent a publickey packet, wait for reply


              Server (/var/log/secure) logs:



              Failed publickey for * from * port * ssh2: RSA *


              ssh server doesn't send more error info to client as that would be a security risk.



              If I ran sshd on different port 'sshd -p 5555 -d'. The key worked. Passwordless login ok. WTF?



              Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and reboot. Passwordless login then worked ok.



              my current working sshd_config settings:



              [root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config  
              HostKey /etc/ssh/ssh_host_rsa_key
              HostKey /etc/ssh/ssh_host_dsa_key
              SyslogFacility AUTHPRIV
              LogLevel VERBOSE
              RSAAuthentication yes
              PubkeyAuthentication yes
              AuthorizedKeysFile .ssh/authorized_keys
              HostbasedAuthentication yes
              PasswordAuthentication yes
              ChallengeResponseAuthentication no
              GSSAPIAuthentication no
              GSSAPICleanupCredentials no
              UsePAM yes
              X11Forwarding yes
              UseDNS no
              AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
              AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
              AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
              AcceptEnv XMODIFIERS
              Subsystem sftp /usr/libexec/openssh/sftp-server


              So it would be nice to know could we change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?






              share|improve this answer




























                2














                Same problem for me fresh CentOS7 install.



                1. check home dir permissions and ~/.ssh and ~/.ssh/authorized_keys permissions (as per @erik)



                chmod o-w ~/; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys


                2. check /etc/ssh/sshd_config settings && service sshd restart (after each edit) Useful: try "LogLevel VERBOSE" in sshd_config.



                I still got password prompt after checking all that was ok.



                Run ssh client with -vvv logs:



                debug3: send_pubkey_test 
                debug2: we sent a publickey packet, wait for reply


                Server (/var/log/secure) logs:



                Failed publickey for * from * port * ssh2: RSA *


                ssh server doesn't send more error info to client as that would be a security risk.



                If I ran sshd on different port 'sshd -p 5555 -d'. The key worked. Passwordless login ok. WTF?



                Then I disabled selinux (set SELINUX=disabled in /etc/selinux/config) and reboot. Passwordless login then worked ok.



                my current working sshd_config settings:



                [root@hp-bl-05 ~]# grep -vE "^#|^$" /etc/ssh/sshd_config  
                HostKey /etc/ssh/ssh_host_rsa_key
                HostKey /etc/ssh/ssh_host_dsa_key
                SyslogFacility AUTHPRIV
                LogLevel VERBOSE
                RSAAuthentication yes
                PubkeyAuthentication yes
                AuthorizedKeysFile .ssh/authorized_keys
                HostbasedAuthentication yes
                PasswordAuthentication yes
                ChallengeResponseAuthentication no
                GSSAPIAuthentication no
                GSSAPICleanupCredentials no
                UsePAM yes
                X11Forwarding yes
                UseDNS no
                AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
                AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
                AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
                AcceptEnv XMODIFIERS
                Subsystem sftp /usr/libexec/openssh/sftp-server


                So it would be nice to know could we change something small in selinux to get passwordless ssh login to work. Can anyone improve the answer?
















                  answered May 4 '16 at 12:47









                  gaoithe























                      0














                      The solution is not to disable SELinux but to fix the SELinux permissions of the user directory. The user directory context must be set to user_home_t.



                      To check,



                      $ sudo ls -Z /home/


                      If the context for your user directory is anything other than user_home_t, SELinux would not allow SSH via public key into that user directory for that user.



                      To fix,



                      $ sudo semanage fcontext -a -t user_home_t /home/azureuser
                      $ sudo restorecon -vvRF /home/azureuser


                      The key based login should now work.














                          edited Jan 2 at 8:29









                          slhck











                          answered Jan 2 at 8:25









                          xcodex
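Added example, not part of either answer above: with SELinux enforcing, the reason behind the bare "Failed publickey" line in /var/log/secure is recorded as an AVC denial in the audit log, so the label problem can be confirmed without disabling SELinux. The function below pulls sshd denials out of audit-log text and reports the file name, its SELinux type and the denied permissions; the sample lines are constructed, and /var/log/audit/audit.log is assumed as the audit log path.

```shell
#!/bin/sh
# Summarise SELinux AVC denials raised against sshd.
# Reads audit-log text on stdin and prints one line per denial:
#   <file name> <SELinux type of the file> <denied permissions>
sshd_avc_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="sshd"/ {
        name = "-"; ttype = "-"; perms = "-"
        # Permissions sit between the braces: denied  { read open }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) {
                name = $i
                sub(/^name=/, "", name)
                gsub(/"/, "", name)
            } else if ($i ~ /^tcontext=/) {
                # tcontext=user:role:type:level -> keep the type field
                split($i, ctx, ":")
                ttype = ctx[3]
            }
        }
        print name, ttype, perms
    }'
}

# Constructed sample input (not taken from the page).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1462366020.101:412): avc:  denied  { read } for  pid=2310 comm="sshd" name="authorized_keys" dev="dm-0" ino=393301 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1462366025.870:415): avc:  denied  { getattr } for  pid=2298 comm="httpd" path="/srv/site" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AUTH msg=audit(1462366021.000:413): pid=2310 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="USER" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
EOF
}

# On a real host (assumed path): sshd_avc_denials < /var/log/audit/audit.log
sample_audit_log | sshd_avc_denials
```

A file reported here with an unexpected type can be compared against the policy default with a dry run, `restorecon -n -v -R` on the home directory, before applying the relabel from the answer above.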





























