OpenSSH public key authentication fails

From Thomas-Krenn-Wiki

This article describes how to resolve problems with SSH public key authentication. How to set up public key authentication in general is explained in the article SSH key login.

Server-side problems

In most cases, public key authentication fails because of file and directory permissions. On the server, neither the home directory nor its .ssh subdirectory may be writable by group or others. In addition, the authorized_keys file must be accessible only to its owner.

To set the permissions correctly, log in to the server as the user for whom SSH authentication should work and run:

chmod go-w "$HOME" "$HOME/.ssh"
chmod 600 "$HOME/.ssh/authorized_keys"
chown "$(whoami)" "$HOME/.ssh/authorized_keys"

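If this is not possible, you can alternatively disable the server's permission check. With this option set to no, sshd no longer checks the file modes and ownership of the user's files and home directory before accepting a login. The following option must be entered in the /etc/ssh/sshd_config file: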

StrictModes no

Incorrect settings in /etc/ssh/sshd_config are another possible cause. The following options, among others, can affect public key authentication:

  • AuthorizedKeysFile
  • PreferredAuthentications
  • PubkeyAuthentication

Further settings are described in the sshd_config man page (man sshd_config).

Client-side problems

Alternatively, there may still be issues on the client side, that is, on the computer from which the SSH connection is initiated.

If the permissions on the private key file are too open, the SSH client displays the following error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'xyz' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: xyz
Permission denied (publickey,gssapi-with-mic).

In this case, the private key is ignored. Set the permissions correctly using the following command:

chmod 600 $HOME/.ssh/<Keyname>
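
The server-side and client-side permission checks described above, combined into one POSIX shell function; this is an added example, not part of the original article. The names check_ssh_perms and has_any_perm are assumptions of this example, and it is meant to be run as the user whose login should work (on a pure client, a missing authorized_keys is reported as MISSING).

```shell
#!/bin/sh
# Added example (not from the original article): report the permission
# problems described above. Run it as the account that should log in.

# True if PATH has any of the listed permission bits set (POSIX find only).
has_any_perm() {
    _path=$1; shift
    for _bits in "$@"; do
        if [ -n "$(find "$_path" -prune -perm "-$_bits" -print 2>/dev/null)" ]; then
            return 0
        fi
    done
    return 1
}

# check_ssh_perms HOME_DIR [PRIVATE_KEY ...]
# Prints one line per finding; returns 0 only if nothing was found.
check_ssh_perms() {
    _home=${1:-$HOME}
    if [ $# -gt 0 ]; then shift; fi
    _uid=$(id -u)
    _rc=0
    # Home and .ssh must not be writable by group or others (chmod go-w).
    for _dir in "$_home" "$_home/.ssh"; do
        if [ ! -d "$_dir" ]; then
            echo "MISSING   $_dir"; _rc=1
        elif has_any_perm "$_dir" 020 002; then
            echo "TOO OPEN  $_dir (fix: chmod go-w)"; _rc=1
        fi
    done
    # authorized_keys and private keys: owner-only, as with chmod 600.
    for _file in "$_home/.ssh/authorized_keys" "$@"; do
        if [ ! -f "$_file" ]; then
            echo "MISSING   $_file"; _rc=1
            continue
        fi
        if has_any_perm "$_file" 040 020 010 004 002 001; then
            echo "TOO OPEN  $_file (fix: chmod 600)"; _rc=1
        fi
        # The article's chown step: the file must belong to the current user.
        if [ -n "$(find "$_file" -prune ! -user "$_uid" -print)" ]; then
            echo "WRONG OWNER $_file (fix: chown)"; _rc=1
        fi
    done
    return "$_rc"
}

# Example call (the key name is a placeholder):
#   check_ssh_perms "$HOME" "$HOME/.ssh/<Keyname>"
```
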

Another possible cause is a wrong setting in .ssh/config or /etc/ssh/ssh_config. The following options, among others, can affect public key authentication:

  • PreferredAuthentications
  • PubkeyAuthentication

All settings are described in the ssh_config man page (man ssh_config).


Author: Christoph Mitasch



Translator: Alina Ranzinger


