LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-04-2013, 08:37 AM   #16
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled

Yeah, I know

Although, I need to perform the same install again on another couple of client/server boxes (same hardware, same distros). I have written down everything I did, so there's a good probability I'll come across the same issue if I repeat the steps. I'll update this post in case I find out what was causing this problem.

In the meantime, I have marked this thread as solved.

Thanks, voleg.

Last edited by remslug; 11-04-2013 at 08:43 AM.
 
Old 11-05-2013, 10:03 PM   #17
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
I have found something interesting. The fact that it worked had nothing to do with the reboots. Actually what happens is:
  • If the same user is already logged into the server (whether that be locally or via another ssh session), key authentication works,
  • If they are not, key authentication fails

When it fails, it (as previously) is because the server can't open the authorized_keys file:
Code:
debug1: Could not open authorized keys '/home/me/.ssh/authorized_keys': No such file or directory
I can now reproduce this consistently.
  • I try to log into the server via SSH --> key authentication fails
  • I log into the server physically
  • I try to log into the server via SSH again --> key authentication WORKS
  • I exit the local session
  • I try to log into the server via SSH again --> key authentication fails

I did not change any rights or ownership. I don't understand this behaviour. I tried to google for something similar but could not find anything relevant. Am I missing something?

Last edited by remslug; 11-05-2013 at 10:04 PM.
 
Old 11-05-2013, 11:43 PM   #18
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
What is the type of the /home FS?
Did you check what the state of selinux is, as I said above?
 
Old 11-06-2013, 01:21 AM   #19
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,295
Blog Entries: 3

Rep: Reputation: 3719
Encrypted home directory?

Is your home directory encrypted? One symptom is being unable to use keys unless already logged in. If so, you'll have to configure sshd to store keys in a second place, outside the encrypted directory using "AuthorizedKeysFile" in sshd_config. You could make a directory /etc/ssh/remslug and put the keys there. Then sshd_config could contain something like this:

Code:
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/%u/authorized_keys
 
Old 11-06-2013, 07:05 AM   #20
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
What is the type of the /home FS?
Did you check what the state of selinux is, as I said above?
My /home filesystem is ext4.

SELinux is disabled (which is the default on Mint).
Code:
#$ getenforce 
Disabled
Quote:
Is your home directory encrypted? One symptom is being unable to use keys unless already logged in. If so, you'll have to configure sshd to store keys in a second place, outside the encrypted directory using "AuthorizedKeysFile" in sshd_config.
Good point. Yes, my filesystem is encrypted. That might be the problem.

I have copied authorized_keys into /etc/ssh/me/ and added the following line in /etc/ssh/sshd_config:
Code:
AuthorizedKeysFile /home/%u/.ssh/authorized_keys /etc/ssh/%u/authorized_keys
I set the following access rights:
Code:
drwxr-xr-x 22 root root 4096 juil. 21 23:55 /
drwxr-xr-x 157 root root 12288 nov.   6 13:21 /etc/
drwxr-xr-x 3 root root 4096 nov.   6 10:41 /etc/ssh/
drwx------ 2 me me 4096 nov.   6 10:43 /etc/ssh/me/
-rw------- 1 me me 398 nov.   6 10:43 authorized_keys
I rebooted to make sure I had no open sessions left and that all the changes had been taken into account.

Now, it seems to work.
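
Added example, not part of the thread or any poster's code: a Python sketch that expands an AuthorizedKeysFile value for one user, marks which candidate paths lie outside the home directory (and so stay readable before an encrypted home is mounted), and walks up from each file applying an ownership and write-bit rule modelled on sshd's StrictModes check. The function names and the `top` parameter are hypothetical, and only the `%u`, `%h` and `%%` tokens are handled.

```python
import os

def expand_keys_paths(spec, user, home):
    """Expand an AuthorizedKeysFile value: %u user, %h home, %% literal '%'.
    Relative results are resolved against the user's home directory."""
    values = {"u": user, "h": home, "%": "%"}
    paths = []
    for pattern in spec.split():
        out, i = "", 0
        while i < len(pattern):
            if pattern[i] == "%":
                tok = pattern[i + 1:i + 2]
                if tok not in values:  # other tokens are out of scope here
                    raise ValueError(f"unsupported token %{tok} in {pattern!r}")
                out, i = out + values[tok], i + 2
            else:
                out, i = out + pattern[i], i + 1
        paths.append(out if out.startswith("/") else os.path.join(home, out))
    return paths

def permission_problems(path, uid, home, top="/"):
    """Check the key file and each parent directory: the owner must be root
    or the user, and the group/world write bits must be clear. The walk stops
    after checking `home` (file inside home) or `top` (hypothetical parameter,
    "/" on a real system)."""
    problems, cur = [], os.path.abspath(path)
    while True:
        try:
            st = os.stat(cur)
        except OSError as err:  # e.g. the encrypted home is not mounted
            return problems + [f"{cur}: {err.strerror}"]
        if st.st_uid not in (0, uid):
            problems.append(f"{cur}: owned by uid {st.st_uid}")
        if st.st_mode & 0o022:
            problems.append(f"{cur}: group/world writable")
        parent = os.path.dirname(cur)
        if cur in (home, top) or parent == cur:
            return problems
        cur = parent

def audit(spec, user, uid, home, top="/"):
    """Return (path, outside_home, problems) for every candidate key file."""
    home = os.path.abspath(home)
    rows = []
    for path in expand_keys_paths(spec, user, home):
        outside = os.path.commonpath([home, os.path.abspath(path)]) != home
        rows.append((path, outside, permission_problems(path, uid, home, top)))
    return rows
```

An account whose only candidate with an empty problem list lies inside the home directory will show the symptom described in post #17 whenever that home is encrypted and not yet mounted.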
 
Old 11-10-2013, 03:29 AM   #21
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154
Quote:
Originally Posted by voleg View Post
An issue becomes interesting.

Are you sure that /home/me/.ssh/authorized_keys exists on the server side?
As I see, user "me" has UID/GID 1000/1000:

If you login as "me" on the server, could you do "cat /home/me/.ssh/authorized_keys"?
If you still have no solution, it is probably a selinux problem.
Please set it to PERMISSIVE and check what happens in /var/log/messages.
I don't agree with this advice. Editing the file may very likely cause selinux issues so it is better to run

Code:
restorecon -Rv ~/.ssh
 
Old 11-12-2013, 11:29 AM   #22
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Guys, this has been working consistently since I moved the authorized_keys file out of my encrypted home directory. I'm marking this as resolved.

Thanks a lot for the help.
 
  

