After never having a problem setting up RSA SSH key authentication for the root user on Linux (Raspbian Stretch), I do not seem to be having the same luck with non-super users that I add.
I'm following what I 'think' is the exact same procedure for setting up bob as I do root, however when I log in as bob with bob's key I always get
Code:
login as: bob
Server refused our key
bob@192.168.16.2's password:
I am able to login as bob with the password, and as root with both root password and root's keys.
Here is what I did as root to set up bob
Code:
# adduser bob
Adding user `bob' ...
Adding new group `bob' (1001) ...
Adding new user `bob' (1001) with group `bob' ...
Creating home directory `/home/bob' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:Shhhhhhhhhhhhhh...
passwd: password updated successfully
Changing the user information for bob
Enter the new value, or press ENTER for the default
Full Name []: Maintenance
Room Number []: 123
Work Phone []: 123
Home Phone []: 123
Other []: 123
#usermod -aG sudo mant
I use PuTTYgen to create 2048 bit RSA key pairs "Public key for pasting into OpenSSH authorized_keys file:" goes in bob's authorized_keys file and the ppk (private) key is used on the PuTTY end.
As I said I've done this countless times with root users without any issue so I must be creating the bob user incorrectly?
sshd_config gives ~ path so presume this is the folder of whoever is logging in?
Code:
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile ~/.ssh/authorized_keys
I've also tried installing the key in /home/root/.key/authorized_keys as well as owning /home/bob/.ssh/authorized_keys as root.
I've read the various old threads on the topic but no luck.
Quote:
I use PuTTYgen to create 2048 bit RSA key pairs "Public key for pasting into OpenSSH authorized_keys file:" goes in bob's authorized_keys file and the ppk (private) key is used on the PuTTY end.
PuTTY does not have the right format for its keys. So you may have skipped the step for converting the public key before uploading to the server.
Code:
ssh-keygen -i -f putty_key.pub > ssh_key.pub
Also, the restart of the SSH server is unnecessary. It only ever needs to be restarted when you change the configuration for sshd itself.
Did you check permissions and ownership of the key files?
Code:
root@xxxxxx:/home# ls -la /home
drwxr-xr-x 4 root root 4096 Jun 26 09:48 bob
drwxr-xr-x 2 pi pi 4096 May 28 13:19 pi
root@xxxxxx:/home# ls -la /home/bob
drwxr-xr-x 4 root root 4096 Jun 26 09:48 .
drwxr-xr-x 5 root root 4096 May 28 11:34 ..
-rw------- 1 mant mant 114 Jun 26 09:54 .bash_history
-rw-r--r-- 1 mant mant 220 May 24 07:42 .bash_logout
-rw-r--r-- 1 mant mant 3523 May 24 07:42 .bashrc
drwxr-xr-x 2 mant mant 4096 Jun 26 09:48 .nano
-rw-r--r-- 1 mant mant 675 May 24 07:42 .profile
drw------- 2 mant mant 4096 Jun 27 08:36 .ssh
root@xxxxxx:/home# ls -la /home/bob/.ssh
drw------- 2 mant mant 4096 Jun 27 08:36 .
drwxr-xr-x 4 root root 4096 Jun 26 09:48 ..
-rw------- 1 root root 403 Jun 27 07:39 authorized_keys
I have also tried chmod root:root /home/bob/.ssh after reading sshd needs root access to the authorized_keys file.
I guess I'm confused about the permissions and location of the authorized_keys file? This line in the sshd_config should mean the home folder of whatever user is logging in?
Code:
AuthorizedKeysFile ~/.ssh/authorized_keys
I suppose I could create a system wide authorized_keys file but then that would allow this bob user to login as root as my keys have no passphrase.
Quote:
Originally Posted by Turbocapitalist
PuTTY does not have the right format for its keys. So you may have skipped the step for converting the public key before uploading to the server.
As mentioned the PuTTY format seems to work perfectly fine for my root user account on this device. I've done this the same way on many machines (CentOS, Debian, Ubuntu). The difference this time is I'm trying to do the same for this non super user 'bob' and it's not working.
Quote:
Originally Posted by Turbocapitalist
Also, the restart of the SSH server is unnecessary. It only ever needs to be restarted when you change the configuration for sshd itself.
Quote:
I have also tried chmod root:root /home/bob/.ssh after reading sshd needs root access to the authorized_keys file.
You don't want to chmod to change ownership, you want to chown. In other words, chown bob:bob /home/.ssh.
Better yet, since you should own everything in your home directory
Code:
chown -R bob:bob /home/bob
Quote:
I guess I'm confused about the permissions and location of the authorized_keys file? This line in the sshd_config should mean the home folder of whatever user is logging in?
Yes, the tilde (~) is short hand for the root of your user home directory.
Quote:
Code:
AuthorizedKeysFile ~/.ssh/authorized_keys
I suppose I could create a system wide authorized_keys file but then that would allow this bob user to login as root as my keys have no passphrase.
Exactly. This looks like a permissions and ownership issue.
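The ownership and mode rules discussed in the replies above, as an added example that is not part of any poster's message: a POSIX shell audit of the home directory, `.ssh` and `authorized_keys`. It assumes GNU `stat` and sshd's default `StrictModes yes`; the function names `check_path` and `audit_ssh_login` are made up for this example, and access granted through group membership is ignored.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Debian/Raspbian).
# Function names are made up for this illustration.

# check_path PATH UID KIND    (KIND is "dir" or "file")
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_path() {
    cp_path=$1; cp_uid=$2; cp_kind=$3; cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "$cp_path: missing or unreachable"; return 1
    fi
    cp_owner=$(stat -c '%u' "$cp_path")   # numeric owner
    cp_mode=$(stat -c '%a' "$cp_path")    # octal mode, e.g. 700
    # StrictModes: the owner must be the user or root ...
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != 0 ]; then
        echo "$cp_path: owner uid $cp_owner, want $cp_uid or 0"; cp_rc=1
    fi
    # ... and group/other must not have write permission.
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "$cp_path: mode $cp_mode is group/world writable"; cp_rc=1
    fi
    # sshd reads authorized_keys as the login user, so that user needs
    # search (x) on each directory and read (r) on the file. Owner bits
    # apply if the user owns the path, "other" bits if not (group access
    # is ignored here, a simplification).
    if [ "$cp_owner" = "$cp_uid" ]; then cp_class=64; else cp_class=1; fi
    if [ "$cp_kind" = dir ]; then cp_bit=1; else cp_bit=4; fi
    if [ $(( 0$cp_mode & ($cp_bit * $cp_class) )) -eq 0 ]; then
        echo "$cp_path: mode $cp_mode denies uid $cp_uid access"; cp_rc=1
    fi
    return $cp_rc
}

# audit_ssh_login HOME UID: check all three paths, report every problem.
audit_ssh_login() {
    as_rc=0
    check_path "$1" "$2" dir || as_rc=1
    check_path "$1/.ssh" "$2" dir || as_rc=1
    check_path "$1/.ssh/authorized_keys" "$2" file || as_rc=1
    return $as_rc
}

# Typical use, as root:  audit_ssh_login /home/bob "$(id -u bob)"
```

Run against the first directory listing in this thread, these checks would flag `.ssh` (mode `drw-------` has no search bit for its owner) and the root-owned, mode-600 `authorized_keys` (unreadable by the login user).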
So sorry I made things needlessly confusing by trying (and not doing a good job of) refactoring mant to bob for the forum posts. The user name I was trying to create was mant; there was no bob.
Anyway so as suggested I started again, this time with a real bob.
Code:
root@xxxxxx:~# adduser bob
Adding user `bob' ...
Adding new group `bob' (1002) ...
Adding new user `bob' (1002) with group `bob' ...
Creating home directory `/home/bob' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:bob
Retype new UNIX password:bob
passwd: password updated successfully
Changing the user information for bob
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
root@xxxxxx:~# usermod -aG sudo bob
Then I ssh in via a new terminal as bob with no key using bob's pass 'bob'. This time I use ssh-keygen rather than PuTTYgen...
Code:
bob@xxxxxx:~ $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bob/.ssh/id_rsa):
Created directory '/home/bob/.ssh'.
Enter passphrase (empty for no passphrase): [no passphrase]
Enter same passphrase again: [no passphrase]
Your identification has been saved in /home/bob/.ssh/id_rsa.
Your public key has been saved in /home/bob/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:V8xoylA3pk+/1gA5i7R8LhHMaFM8smuxsgS313UBLiU bob@xxxxxx
The key's randomart image is:
+---[RSA 2048]----+
| .E *. |
| .*oB *. |
| =oB.O +. |
| . ..o* X.*. |
| o . =S.=.o |
| + = .= + |
| . = . . o . |
| . . . |
| |
+----[SHA256]-----+
[obviously I will burn that key later]
Then check permissions..
Code:
bob@xxxxxx:~ $ ls -la
total 28
drwxr-xr-x 4 bob bob 4096 Jun 28 11:02 .
drwxr-xr-x 6 root root 4096 Jun 28 10:59 ..
-rw-r--r-- 1 bob bob 220 Jun 28 10:59 .bash_logout
-rw-r--r-- 1 bob bob 3523 Jun 28 10:59 .bashrc
drwxr-xr-x 2 bob bob 4096 Jun 28 11:02 .nano
-rw-r--r-- 1 bob bob 675 Jun 28 10:59 .profile
drwx------ 2 bob bob 4096 Jun 28 11:02 .ssh
bob@xxxxxx:~ $ cd .ssh
bob@xxxxxx:~/.ssh $ ls -la
total 16
drwx------ 2 bob bob 4096 Jun 28 11:02 .
drwxr-xr-x 4 bob bob 4096 Jun 28 11:02 ..
-rw------- 1 bob bob 1679 Jun 28 11:01 id_rsa
-rw-r--r-- 1 bob bob 392 Jun 28 11:01 id_rsa.pub
Copy the key in...
Code:
cat id_rsa.pub >> authorized_keys
and just to be sure.
Code:
bob@xxxxxx:~/.ssh $ chmod 600 ~/.ssh/authorized_keys
bob@xxxxxx:~/.ssh $ chmod 700 ~/.ssh
bob@xxxxxx:~/.ssh $ ls -la ~/
total 32
drwxr-xr-x 4 bob bob 4096 Jun 28 11:17 .
drwxr-xr-x 6 root root 4096 Jun 28 10:59 ..
-rw------- 1 bob bob 5 Jun 28 11:17 .bash_history
-rw-r--r-- 1 bob bob 220 Jun 28 10:59 .bash_logout
-rw-r--r-- 1 bob bob 3523 Jun 28 10:59 .bashrc
drwxr-xr-x 2 bob bob 4096 Jun 28 11:02 .nano
-rw-r--r-- 1 bob bob 675 Jun 28 10:59 .profile
drwx------ 2 bob bob 4096 Jun 28 11:31 .ssh
bob@xxxxxx:~/.ssh $ ls -la ~/.ssh/
total 20
drwx------ 2 bob bob 4096 Jun 28 11:31 .
drwxr-xr-x 4 bob bob 4096 Jun 28 11:17 ..
-rw------- 1 bob bob 392 Jun 28 11:05 authorized_keys
-rw------- 1 bob bob 1679 Jun 28 11:01 id_rsa
-rw-r--r-- 1 bob bob 392 Jun 28 11:01 id_rsa.pub
bob@xxxxxx:~/.ssh $ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYtlJ/lXgaPC4gl2vZG1C/+s4+2+I3ExYZYrPaIC6k305IKG5OcdWSIdbZSqF0e6E7FwrEPPfJ14XpgQo7youDiKplONdwQLuV72kI5xYNXZ3ct96HGv7WN19vvAYua0XYF/iOtlgeKHgFnkZoxlebpzdu+LqOZkrDyNBLxT5aW2UEZ7z/MSfgaJVikO1q1gFeFgbDt19SUZEbEJ23YJyjShAl3O94opBZ0Lt2YW+ExIEsJaQdMTMat+F0oR1pVCi2tinnxWZLzNe/4chA5Tr+4hGq/CT3tIT6bwmRv1ZjlmU+l3UBRFaGxztm1f4IVORreKvnIIpbzLVpcp9rbFTl bob@xxxxxx
Next I copied id_rsa to another Debian box and tried it out. It still prompts for password 'bob' but does not throw an error about the key like PuTTY does.
Code:
root@yyyyyy:~/keys# ssh -i bob_id bob@192.168.16.71
bob@192.168.16.71's password:
Last login: Thu Jun 28 11:19:34 2018 from 192.168.16.79
bob@xxxxxx:~ $
I also created a PuTTY style key with PuTTYgen by loading the id file and exporting "Save private key" and same error...
Code:
login as: bob
Server refused our key
bob@192.168.16.71's password:
And as requested, here are the root user files. I had to omit lots of them except for .ssh stuff.
Code:
root@xxxxxx:~# ls -la ~
total 28536
drwx------ 11 root root 4096 Jun 28 09:16 .
drwxr-xr-x 21 root root 4096 Apr 18 11:08 ..
-rw------- 1 root root 8886 Jun 28 09:16 .bash_history
-rw-r--r-- 1 root root 570 Mar 13 01:03 .bashrc
-rw-r--r-- 1 root root ...
drwx------ 2 root root 4096 Jun 28 09:22 .ssh
root@xxxxxx:~# ls -la .ssh/
total 12
drwx------ 2 root root 4096 Jun 28 09:22 .
drwx------ 11 root root 4096 Jun 28 09:16 ..
-rw------- 1 root root 398 Jun 28 09:22 authorized_keys
root@xxxxxx:~#
So I'm still lost. Could this be a specific Raspbian Stretch thing?
This shouldn’t be so complicated...but I don’t do it often enough to help. I thought the process was to generate the keys on the server and copy the public key to the client, but I’m probably wrong about that. I do know there are some excellent tutorials on the web around how to do this. Maybe someone else knows where they are. Or search LQ...I know I’ve seen links posted on this subject.
I’ll refer you to post #3 re: puttygen. I either store a password in putty (it gets stored in the registers, by default...I don’t recall if in the clear there), or just type it when I need to, so I’m ignorant there, too.
At least you’ve learned not to futz with permies on a user’s home directory, and that the .ssh directory and the files therein must be available only to the user to work.