Old 01-18-2012, 02:42 PM   #16
LQ Newbie
Registered: Jan 2007
Posts: 3

AuthorizedKeysFile setting

Found it. It should be

AuthorizedKeysFile /home/%u/.ssh/authorized_keys
Old 01-18-2012, 03:26 PM   #17
Senior Member
Registered: Jan 2003
Posts: 2,786

I realize you have a working solution, but (in a slight defense of the OpenSSH developers) I took a look at the code.

If the value AuthorizedKeysFile does not use an absolute path, the program does some manipulation to convert it to an absolute path. Among other things (like the '%u' substitution you found), it converts the non-absolute file to an absolute file by prepending the user's home directory.

From what I saw, it gets the user's home directory by calling getpwnam(). The getpwnam() function is a system-wide function--not written by the OpenSSH developers. The information getpwnam() provides is most/all the information in /etc/passwd. Basically, ssh then does this:

absolute_path = user_home_path_from_getpwnam + '/' + ssh_config_file_AuthorizedKeysFile

Now, the fact that your debug messages show that the path being checked for the authorized keys file was "//.ssh/authorized_keys" indicates to me that whatever account you were using to start ssh does not have a home directory listed in /etc/passwd or the home directory is listed as '/'. If neither of those is the case, then the OpenSSH developers would probably like for you to file a bug and work with them to find out what the core problem is.

Also, as a side note, the OpenSSH code does take into account the '~' notation. In fact, what I saw indicates that the filename would be properly handled if either the '~/' or '~username/' form were used.

Last edited by Dark_Helmet; 01-18-2012 at 03:47 PM.
Old 01-18-2012, 11:32 PM   #18
LQ Newbie
Registered: Nov 2009
Posts: 4


The correct format for this setting should be:

AuthorizedKeysFile     %h/.ssh/authorized_keys

And, at least on all the SLES and Debian/Ubuntu that I have, that should be the default value if you comment it out.

Specifying as I've read before:

AuthorizedKeysFile     /home/%u/.ssh/authorized_keys

won't work for root, only for normal users as long as they have their homes under /home/ (which could be a safe setup, but that's another story).

Ssh, at least on the referred distros, and while from OpenSSH packages, should be absolutely 0 trouble to set up for passwordless authentication, unless you mess up something with the server config beforehand, while trying to "fix" a problem that you created by placing the wrong file name or the wrong dir/file permissions/ownership.

In case of doubt, always use the debug config for both server (sshd_config) and client (-vvv parameter); debugging is there for a reason.



Originally Posted by nperrins
We have had two of us working on getting ssh keys working on a Fedora Core 13 server. We have done this kind of thing many times before and truly believe the ssh set up to be a real pain. For one reason or another you can waste days of time getting it to work.

I have to post this one because the previous poster has almost hit the nail on the head - and we have spent all this time not seeing it here because we weren't searching for the right thing. So for all others out there I think it only right to add a few terms for searching here:

putty keys do not connect
cannot ssh connect to linux server
Fedora Core 13 cannot ssh
linux ssh drops key
sshd bugs

OK, the problem is inside the sshd_config file. There is a setting

AuthorizedKeysFile .ssh/authorized_keys

This is a real bad bug because you look at it and you think it is OK. The problem is that the only way you can find this problem is to see where it looks. You do this by putting sshd into debug logging (by changing another setting in sshd_config - LogLevel INFO to LogLevel DEBUG). When you do that, /var/log/secure shows that sshd is looking for //.ssh/authorized_keys.

So, the previous poster is correct in saying that changing it to /root/.ssh/authorized_keys works. But, of course, you then have to use the same public key for every user (not good). So, the answer is to amend the sshd_config file to look in all users' .ssh folders. I haven't done this yet, but it should be straightforward (~/ won't cut it. root sees this as its own home)

So, I have just lost about 20 hours of my life just for that. Thanks guys.
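The path resolution described in post #17 and the %h versus /home/%u comparison in post #18, as an added example that is not part of the thread and is not OpenSSH's code. It models only the %h, %u and %% tokens and the home-directory prepend; the account table and the function names are constructed for illustration.

```python
import posixpath
from collections import namedtuple

# Constructed stand-ins for getpwnam() results (name, home directory).
Passwd = namedtuple("Passwd", "name home")
ACCOUNTS = {
    "root": Passwd("root", "/root"),
    "alice": Passwd("alice", "/home/alice"),
    "svc": Passwd("svc", "/srv/app"),      # home outside /home
    "nohome": Passwd("nohome", "/"),       # home listed as '/'
}

def expand_tokens(pattern, pw):
    """Expand %h (home), %u (user name) and %% in one left-to-right pass."""
    subs = {"h": pw.home, "u": pw.name, "%": "%"}
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "%":
            key = pattern[i + 1:i + 2]     # empty string for a trailing '%'
            if key not in subs:
                raise ValueError("unsupported token %" + key)
            out.append(subs[key])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)

def resolve(pattern, user):
    """Path checked for `user`: absolute as-is, relative gets home + '/'."""
    pw = ACCOUNTS[user]
    path = expand_tokens(pattern, pw)
    if path.startswith("/"):
        return path
    return pw.home + "/" + path

def unexpected(pattern):
    """Users whose resolved key file is not <home>/.ssh/authorized_keys."""
    return sorted(
        user for user, pw in ACCOUNTS.items()
        if resolve(pattern, user) != posixpath.join(pw.home, ".ssh", "authorized_keys"))

if __name__ == "__main__":
    for pattern in (".ssh/authorized_keys", "%h/.ssh/authorized_keys",
                    "/home/%u/.ssh/authorized_keys", "/root/.ssh/authorized_keys"):
        print(pattern, "->", unexpected(pattern) or "all accounts resolve as expected")
```

Run against a real account list, a non-empty result for the configured pattern names the accounts to check in /etc/passwd before changing sshd_config.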
Old 02-11-2017, 08:45 PM   #19
LQ Newbie
Registered: Feb 2017
Posts: 1

Thanks for the fix _anonymous!

Originally Posted by _anonymous
I used absolute path in sshd_config as "AuthorizedKeysFile /root/.ssh/authorized_keys".
file permissions were made 700 for .ssh & authorized_keys.

Restarted sshd and then it worked.
I know this is a few years old, but I just wanted to thank you for this post. I spent the last 2 hours trying to get this to work and finally this was the solution :-D.

