For various reasons, there are three accounts on this Linux server that I want to access with SSH using my RSA key pair. I generate them and copy my key into each account, tune up the authorized keys file and prepare for satisfaction. What I got was much less. Only one of the accounts logged in using the RSA key. The other two ignored the key and insisted on a password.
The first thing I did was install the key on a couple of other servers and demonstrated that the keys were good.
Then I had my SSH client show me the transcript and did one million things. I now know a ton about the sshd file. I changed permissions, did careful reinstallations, I spent hours to no avail. I consulted my genius son. At the end, I was still getting this:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/tqwhite/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
That's right, it was actually trying to use the key and it was being rejected. Then, it would ask for a password. I was stuck and gave up. Actually, I ran out of time.
Some time later, I was building a new Linux server at my day job and, damned if I don't run into the same problem. So, I dig in and try again.
This time I'm in a slightly different context and, I'm not sure how I got there but found out about this:
sshd -d
It turns on debugging on the server side. (It's a little bit annoying because, after one try, it breaks something and I had to reboot to get everybody cleaned up and working again for another try. I'm sure there's a better way but I don't really care. Rebooting was ok on this server.)
To use it, I logged in with one terminal window, turned on debugging, then tried to log in with another window. The debug window showed a transcript of the server side of the experience.
I didn't grab a complete transcript but it did include this phrase:
bad ownership or modes for directory
So, I cycle back and make sure that my .ssh directory is set correctly:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Still no dice.
I'm thrashing about, feeling desperate and miserable and, suddenly, Voila!, I notice that the freaking account (root, in this case) is not owned by its correct user. I know, wtf?, but there it is. For some reason, the image used to create the server has weirdness on the ownership of account directories. I reflect on "bad ownership or modes" and, moments later,
sudo chown root:root /root
and, bada bing, it works. I go to the server that was killing me previously and, who knows why, the accounts that fail are not owned properly. More chown and life is good.
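The "bad ownership or modes" message comes from sshd's StrictModes check, which inspects the home directory, .ssh and authorized_keys and refuses the key file if any of them is owned by someone other than the user (or root) or is writable by group or others. As an added example, not code from the original post, this script applies the same rule to a given home directory, so both causes seen in the story (a mis-owned /root and loose modes) show up without the sshd -d dance; it assumes GNU coreutils stat, with BSD stat as a fallback.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the checks sshd makes
# under "StrictModes yes" before it trusts ~/.ssh/authorized_keys.
# Assumes GNU coreutils stat (BSD stat as a fallback).

# Print "<owner> <octal mode>" for a path.
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_path PATH USER: succeed only if PATH exists, is owned by USER or root,
# and is not writable by group or others (the rule sshd applies to each of
# the home directory, .ssh and authorized_keys).
check_path() {
    p=$1
    user=$2
    if [ ! -e "$p" ]; then
        echo "missing: $p"
        return 1
    fi
    set -- $(owner_and_mode "$p")
    owner=$1
    mode=$2
    status=0
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "bad ownership: $p is owned by $owner, expected $user"
        status=1
    fi
    # 022 masks the group and other write bits; any of them set is rejected.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes: $p is $mode, must not be group/world writable"
        status=1
    fi
    return $status
}

# check_ssh_paths HOME USER: check the three paths sshd inspects; the return
# value is the number of paths that failed (0 means sshd would accept them).
check_ssh_paths() {
    home=$1
    who=$2
    failures=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$path" "$who" || failures=$((failures + 1))
    done
    return $failures
}
# Usage: check_ssh_paths /root root   or   check_ssh_paths /home/alice alice
```

Run it as root against each account that falls back to password authentication; every line it prints names a path that sshd would reject, and a non-zero exit code counts them.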