[TriLUG] Public Key Authentication with SSH

Brian Blater (BBList) bblist at ridetta.org
Thu Jan 26 13:53:54 EST 2006


>>> On Thu, Jan 26, 2006 at 11:07 am, in message
<43D8F3B0.8030805 at joyner.ws>,
aaron at joyner.ws wrote: 
> Owen Berry wrote:
> 
>>You need to have the private key in the correct place on the local
>>machine, or look at using the -i option when calling ssh. If you call
>>ssh-keygen without -f it will create the keys in the correct place with
>>the correct file names. Or copy the files so it matches:
>>
>>$ ls ~/.ssh
>>authorized_keys  config  id_dsa  id_dsa.pub  known_hosts
>>
>>Also note that the .ssh directory and contents should all only be
>>readable by the owner.
>>
> SSH is actually very picky about that last part.  Ensure that on your
> local machine, your .ssh/id_dsa is 600 or 400, otherwise ssh will wig
> out.  Also, make sure that no one has write permissions to the
> directory, it should be at most 755.  2755 (setgid on the dir) will
> cause it to fail, I've had this bite me more than once.
> 
> You should also know that from the client, if you're unsure what's going
> on, you can do `ssh -v remotehost` which will give you some very handy
> debugging information.  You can also add additional v's, up to 3, but
> for debugging authentication method problems the first level of
> verbosity is usually sufficient.  Also probably overkill for your
> situation, but it's sometimes helpful to kill sshd on the remote host,
> and run it with the -d flag for debugging.  This can help troubleshoot
> permissions problems and invalid authentication methods on the server
> side.
> 
> Good luck with getting things set up!
> Aaron S. Joyner

I recreated the public and private keys and named them id_dsa. I
verified that they are in the ~/.ssh directory of the local host. I
verified perms on the file were 600 and the directory was 750. I copied
the .pub key to the remote host and added it to the authorized_keys
file.

I then did the ssh -v remotehost and was still prompted for a password.
This is what I saw in the debug:

debug1: Authentications that can continue:
publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bblater/.ssh/identity
debug1: Trying private key: /home/bblater/.ssh/id_rsa
debug1: Offering public key: /home/bblater/.ssh/id_dsa
debug1: Authentications that can continue:
publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

So, it looks like it is finding the private key and offering it, but I
still end up with the password prompt. So, I looked at the
/var/log/messages file on the remote host and I'm getting the following:

Authentication refused: bad ownership or modes for directory
/home/bblater.

Checked the perms here and the ~/.ssh directory was set
to 750 owner=username, group=username. I changed perms to 700, same
problem. So, a little google groups search and I find the option
StrictModes no. Set that, restart sshd and it works. If I look at the
perms on the remotehost ~/.ssh directory they are as follows:

drwx------   2 bblater bblater  144 2006-01-26 13:04 ./
drwxrwx---  30 bblater bblater 1408 2006-01-26 13:04 ../
-rw-------   1 bblater bblater 1115 2006-01-26 13:04 authorized_keys
-rw-r--r--   1 bblater bblater 1115 2006-01-26 13:02 id_dsa.pub
-rw-------   1 bblater bblater  934 2006-01-12 13:35 known_hosts

I guess I'm not sure where the ownership or modes problem is on the
directory.


Thanks,
Brian
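Added example, not part of this thread: a shell function that applies the same ownership and mode checks sshd makes on the authorized_keys path when StrictModes is left at its default of yes, so the component behind a "bad ownership or modes" refusal can be located instead of disabling the check. It assumes GNU stat (Linux) and takes the home directory and user name as arguments; the input it is tested against is a constructed temporary directory.

```shell
#!/bin/sh
# Re-implements the StrictModes check sshd runs before trusting a
# user's authorized_keys: the key file, ~/.ssh and the home directory
# must each be owned by the user (or root) and must not be group- or
# world-writable.  Prints the first offending path and returns 1, or
# returns 0 when every component passes.
check_strict_modes() {
    home=$1
    user=$2
    # Same order sshd walks: the key file first, then each directory
    # upward from ~/.ssh to the home directory.
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        [ -e "$p" ] || continue          # a missing file is not a mode error
        owner=$(stat -c '%U' "$p")       # GNU stat (assumption: Linux)
        mode=$(stat -c '%a' "$p")        # octal mode, e.g. 770 or 2755
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad ownership for $p: owned by $owner, expected $user"
            return 1
        fi
        # 022 = group-write | other-write; either bit makes sshd refuse.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "bad modes for $p: $mode is group- or world-writable"
            return 1
        fi
    done
    return 0
}

# Usage: check_strict_modes /home/<user> <user>
if [ "$#" -eq 2 ]; then
    check_strict_modes "$1" "$2"
fi
```

Against the listing in the message above, the group-writable home directory (the `../` entry, drwxrwx---) is the component this reports, while ~/.ssh at 700 and authorized_keys at 600 pass.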


