Thursday, December 11, 2008

Lessons learned about ssh key authentication

So, we just replaced our test box with a virtual Solaris 10 box running on VMware and Intel.  We moved over everything from our old test box, including our Subversion (svn) repository.  I had no trouble putting my public key on the box and getting ssh to work without any password required, so I was able to use svn+ssh with no trouble.  I am using Mac OS X, which made it VERY slick!

My boss, using Windows, PuTTY, and Pageant, could not get the password prompt to go away no matter what he or I did, even though it worked just fine on the old test box.  Our Unix admin who set up the box was also at a loss.  After reading everything we could on the internet, and copying and transmitting and changing keys so many times we wanted to barf, I sat down to find out what was different about his account.

I switched the public key in his authorized_keys to mine and tried to connect... no dice!  So it was something about the remote system.  I checked the passwd file and the group file; he was set up just like me.  Everyone said to check the permissions of the .ssh folder and the files in it, but they were all OK.  Then I actually copied my home directory into his home directory's place and changed the owner of the files.  Then I could log right in.

It turned out that the difference was that his home directory had somehow become writable by other users, and that prevented it from working!  Readable is fine (the 755 in the list below is world-readable); what sshd refuses, with StrictModes on as it is by default, is a home directory, .ssh directory, or authorized_keys file that is group- or world-writable.  When that check fails sshd silently ignores the key and falls back to asking for a password, which is exactly the symptom we saw.

So, here are the things to check on the server if you can't get it to work:

  1. Make sure your home directory's permissions are drwxr-xr-x (chmod 755).  It may be stricter, but it must not be writable by group or other.
  2. Make sure your .ssh directory's permissions are drwx------ (chmod 700).
  3. Make sure your authorized_keys file permissions are -rw------- (chmod 600).
  4. Make sure all three of the above are owned by your user, not by root or by the admin who created the account.
  5. Make sure each public key in your authorized_keys file is one long line with no breaks, in OpenSSH format: the key type (e.g. ssh-rsa), a space, the base64 blob, and an optional comment.  PuTTYgen shows exactly that line in its "Public key for pasting into OpenSSH authorized_keys file" box; the .pub file it saves with "Save public key" is in the multi-line ssh.com format with "---- BEGIN SSH2 PUBLIC KEY ----" headers, and sshd will not accept it as-is.
  6. Check that your sshd_config file (/etc/ssh/sshd_config on Solaris 10) is set up with

    PubkeyAuthentication yes

    This is the default, so just don't set it to no.  Likewise leave StrictModes at its default of yes; turning it off makes the permission problem above go away, but it also means anyone who can write to your home directory can add their own key and log in as you.
  7. If it still fails, run ssh -v from the client (or on the server run a second sshd on a spare port with sshd -d -p 2222) and watch whether the server ever says it is trying your key; a permissions problem shows up there as a message about bad ownership or modes, and you don't have to guess.

Also, it doesn't matter where you generate the key pair (client or server) as long as you put the public key on the server and the private key on the client.  The otherwise very nice post at
http://www.andremolnar.com/how_to_set_up_ssh_keys_with_putty_and_not_get_server_refused_our_key
is incorrect on this (it might help you avoid the issue in #5 above, though).
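As an added example that is not part of the original post, here is a POSIX sh script that runs checks 1 through 6 against one account on the server: ownership and writability of the home directory, .ssh and authorized_keys (the same test sshd's StrictModes applies), single-line OpenSSH-format key lines, and no active "PubkeyAuthentication no" in sshd_config.  The function names and the sample key line are my own.  It assumes a GNU or BSD stat(1) (Linux, Mac OS X); Solaris 10 has no stat(1), so there the mode and owner would have to be read from ls -ldn instead.

```shell
#!/bin/sh
# Added example, not from the original post: server-side checks for one
# account's ssh public-key setup.  Assumes GNU or BSD stat(1).

# Octal mode and numeric owner of a path, trying GNU stat first, then BSD.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u'  "$1"; }

# Returns 0 if $1 exists, is owned by uid $2, and is not group- or
# world-writable.  This is what sshd's StrictModes enforces; 755, 700
# and 600 all satisfy it, 775 or 777 do not.
perm_ok() {
    p=$1; uid=$2
    [ -e "$p" ] || return 1
    m=$(mode_of "$p") && o=$(owner_of "$p") || return 1
    [ "$o" = "$uid" ] || return 1
    [ $(( 0$m & 022 )) -eq 0 ]          # 022 = group-write | other-write
}

# Returns 0 if every key line in $1 is a single-line OpenSSH public key
# (optionally prefixed with options such as command="...").  A wrapped key
# leaves a continuation line with no key type, and the ssh.com/PuTTY .pub
# format has "---- BEGIN SSH2 PUBLIC KEY ----" headers; both are flagged.
keys_ok() {
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -Ev '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)' \
        || true)
    if [ -n "$bad" ]; then
        echo "FAIL: not a single-line OpenSSH key in $1:"; echo "$bad"
        return 1
    fi
    return 0
}

# Returns 0 unless $1 contains an active "PubkeyAuthentication no".
# A missing directive is fine: yes is the default.
sshd_config_ok() {
    if grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+no' "$1"; then
        echo "FAIL: $1 disables PubkeyAuthentication"
        return 1
    fi
    return 0
}

# Run the account checks for home directory $1; $2 is the expected owner
# uid and defaults to the current user.  Returns 0 only if all pass.
check_ssh_account() {
    home=$1; uid=${2:-$(id -u)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        perm_ok "$p" "$uid" \
            || { echo "FAIL: $p must be owned by uid $uid and not group/world writable"; rc=1; }
    done
    [ -f "$home/.ssh/authorized_keys" ] && { keys_ok "$home/.ssh/authorized_keys" || rc=1; }
    return $rc
}

# Usage: sh check_sshkeys.sh /export/home/boss [/etc/ssh/sshd_config]
# (path arguments are assumptions; the script does nothing when run with none).
if [ -n "${1:-}" ]; then
    check_ssh_account "$1" && echo "OK: $1"
    sshd_config_ok "${2:-/etc/ssh/sshd_config}"
fi
```

Run it as root (or as the user being checked) against the account that cannot log in; every FAIL line corresponds to one numbered item above.  The permission test deliberately checks only what sshd checks (not writable by others), so a home directory of 750 passes even though the list recommends 755.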
