On a CentOS 6.4 machine I’m creating accounts with empty passwords. Each user’s public key is located in /.ssh/authorized_keys.
When trying to SSH into that machine, the following error message is displayed:
Permission denied (publickey).
In /etc/ssh/sshd_config I’ve set:
PasswordAuthentication no
UsePAM no
If I set a password for the users, the public key auth works without any problems.
Could anyone tell me what I’m missing here?
This error is when you SSH in (with PuTTY, for example) without attaching the private key.
----- Original Message -----
I’ve never been completely clear on what UsePAM yes versus UsePam no actually does, other than that setting it to no seems to make things a lot more complicated. Perhaps you could try setting it to yes and see if that solves the problem?
Check /var/log/secure on the server for more details…
Check the permissions on the file and .ssh directory… Needs to be owned by the user and 600 on the file… This is a very common issue…
Also check context on the file and folder if SELinux is enabled.
Hello, check permissions on /.ssh/authorized_keys. I guess the issue is related to permissions, but I can be wrong.
----- Original Message -----
From what I read, it sounds like you are saying that you can’t log in with keypairs unless a password has been set. If so, this appears to be incorrect, at least as of CentOS 6. To test this, I did the following:
[root@norman ~]# adduser testnopw
[root@norman ~]# su - testnopw
[testnopw@norman ~]$ mkdir .ssh && chmod 600 .ssh;
[testnopw@norman ~]$ nano .ssh/authorized_keys
< - pasted id_dsa.pub from another account ->
[testnopw@norman ~]$ chmod 600 .ssh/authorized_keys
Now, as another account on the same server:
[bens@norman] ssh testnopw@localhost
Enter passphrase for key '/home/bens/.ssh/id_dsa':
Never, in the above script, was a password set.
secure log tells me exactly what the problem is:
“User username not allowed because account is locked”
Setting a password for that account unlocks it and SSH works as expected. I guess I have to work on my account creation routine.
On 10.10.2013 21:49, James Hogarth wrote:
You might look into mkpasswd. It's probably excessively complicated, but it can set a user's password.
# mkpasswd -l 20 xyzzy
zhRovbjh24hcqrg?xqoF
sets a gnarly 20 character password for the xyzzy user. Easy to script.
You are right, that would do the trick when writing a script. But what I’m actually trying to accomplish is creating user accounts with the configuration manager “salt”.
In a blog post someone explained how to create users with it and he didn’t set a password, so I gave it a chance and came across the SSH problem.
On 11.10.2013 10:14, John R Pierce wrote:
On 11.10.2013 09:27, Michael Schultz wrote:
I haven’t tried but maybe you could just try the obvious and unlock the account?
I think it is passwd -u [user]
This only works when there’s been a password set for the account before locking it. For obvious reasons empty passwords are not allowed :)
On 11.10.2013 10:58, Rainer Traut wrote:
I question why you want accounts without passwords when logging in via SSH and public keys does not use a password or even ask for one. Also anyone logged in can change users with only an su - and not need a password.
Have you tried setting PASS_MIN_LEN in /etc/login.defs to 0?
from the usermod and passwd manual page
… This puts a
On 11.10.2013 14:51, Markus Falb wrote:
My passwd and shadow look like the ones in your example, SELinux is disabled.
I think I’m just going to set account passwords, SSH pubkey auth works that way and it’s a lot more secure.
Thank you again for your help everyone, Michael
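Added example (not part of the thread): a small shell check for the condition behind the "account is locked" message in /var/log/secure. It assumes the behaviour of portable OpenSSH on Linux, where with UsePAM no a shadow password field beginning with "!" is treated as a locked account; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Assumption: with "UsePAM no", sshd on Linux refuses any account whose
# shadow password field starts with "!" (e.g. "!!" right after useradd).

# classify_field FIELD -> prints locked | empty | nologin | hash
classify_field() {
    case "$1" in
        '!'*) echo locked ;;   # "!!" from useradd, or "!<hash>" after passwd -l
        '')   echo empty ;;    # no password at all
        '*'*) echo nologin ;;  # no usable hash, but not marked as locked
        *)    echo hash ;;     # a real password hash
    esac
}

# locked_users: read shadow-format lines on stdin, print locked account names
locked_users() {
    while IFS=: read -r user field rest; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$(classify_field "$field")" = locked ]; then
            echo "$user"
        fi
    done
    return 0
}

# Constructed sample in /etc/shadow format (not real accounts or hashes).
sample_shadow() {
    cat <<'EOF'
newuser:!!:15988:0:99999:7:::
withpw:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15988:0:99999:7:::
lockedpw:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15988:0:99999:7:::
keyonly:*:15988:0:99999:7:::
EOF
}

# Run against the sample; on a real host, as root: locked_users < /etc/shadow
sample_shadow | locked_users
```

Accounts listed by locked_users are the ones a provisioning routine needs to fix before key-only logins can work under that sshd configuration.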