CentOS 6.5 Fresh Install, Public SSH Keys Cannot Authenticate
Dear List,
I cannot get public SSH keys to work in a fresh install of CentOS 6.5.
This might be a CentOS bug.
I’ve googled for a solution.
Mostly I found threads suggesting I debug sshd or run SSH -v for clues.
Also I’ve seen threads suggesting I look at file and directory permissions.
I don’t think I should need to debug sshd after a fresh install.
Also I think a fresh install should correctly set file and directory permissions.
I think SSH should just simply work or I should see some simple documentation to make it work.
Steps to reproduce this bug:
Get the latest copy of VirtualBox software.
Get a CentOS 6.5 DVD.
Press the New button in VirtualBox.
In the settings of the new install, ask VirtualBox to set up a bridged adapter.
Walk through the VirtualBox wizard UI.
When it asks for a distribution, point it at the CentOS 6.5 ISO.
When the ISO boots inside of VirtualBox, choose to install desktop, which is the first of the choices.
Eventually it will ask for a username, give the name of ‘dan’ and password paloalto9.
When presented a login screen, login as dan.
Start a terminal.
try ssh:
ssh dan@localhost
That should prompt you for password and log you in.
Also it should create ~dan/.ssh/
cd ~dan/.ssh/
do this:
ssh-keygen
That should create 2 files:
~dan/.ssh/id_rsa
~dan/.ssh/id_rsa.pub
do this:
cat ~dan/.ssh/id_rsa.pub > ~dan/.ssh/authorized_keys
try:
ssh dan@localhost
It should log me in.
Instead it prompts for password.
I’ve walked through this type of scenario many times over the past few years and it has always worked.
Currently it works well on ubuntu 12.04.
I think something in CentOS6 might be broken?
Perhaps there is a documented step somewhere which has been added to fresh CentOS installs which I missed?
Dan
4 thoughts on - CentOS 6.5 Fresh Install, Public SSH Keys Cannot Authenticate
[snip]
[snip]
I think you’re missing:
chmod 600 ~dan/.ssh/authorized_keys
Without it, sshd won’t use the authorized_keys file if it’s readable by other users. (I think that’s related to “StrictMode”; consult sshd man page)
-Greg
Check the selinux context as well (or, to test, setenforce 0 -> try again. Worked? selinux problem, fix the context).
https://alteeve.ca/w/AN!Cluster_Tutorial_2#SELinux_Related_Problems
No. Public keys are public and are happy to be readable.
What can _not_ be allowed is group/world writeable… ANYWHERE in the path.
e.g. if ~dan is /home then
/ must be owned by root and permission 755
/home must be owned by root and permission 755
/home/dan must be owned by dan and not be group/world writeable
/home/dan/.ssh must be owned by dan and not be group/world writeable
/home/dan/.ssh/authorized_keys must be owned by dan and not be group/world writeable
Also permissions of /etc /etc/ssh /etc/ssh/sshd_config and so on.
I noticed that authorized keys had the group-write-bits set to 6.
I fixed it:
chmod 644 ~dan/.ssh/authorized_keys
Now I can authenticate via public-key.
Yay!
Thanks Stephen
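
The ownership and write-permission rule from the replies above, as an added example that is not part of the original thread: a Python check that walks from authorized_keys up to a chosen top directory and reports every component that is group/world writable or owned by someone other than the user or root. The function names, the stop_at parameter and the temporary tree standing in for /home/dan are assumptions made for this example; it checks the rule as stated in the thread and is not sshd's own code.

```python
import os
import stat
import tempfile


def insecure_components(path, uid, stop_at="/"):
    """Return (component, reason) for each path component, from `path` up to
    `stop_at`, that is group/world writable or not owned by `uid` or root."""
    findings = []
    current = os.path.realpath(path)
    stop = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid not in (0, uid):
            findings.append((current, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, "group/world writable (mode %o)" % mode))
        parent = os.path.dirname(current)
        if current == stop or parent == current:  # reached stop_at or "/"
            break
        current = parent
    return findings


def demo():
    """Rebuild the thread's situation in a constructed temporary tree:
    authorized_keys at mode 664 (group-writable), then after chmod 644."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as top:  # stands in for /home
        ssh_dir = os.path.join(top, "dan", ".ssh")
        os.makedirs(ssh_dir)
        os.chmod(os.path.join(top, "dan"), 0o700)
        os.chmod(ssh_dir, 0o700)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as f:
            f.write("ssh-rsa AAAA...placeholder dan@localhost\n")  # constructed
        os.chmod(keys, 0o664)  # the state Dan found
        before = [reason for _, reason in insecure_components(keys, uid, top)]
        os.chmod(keys, 0o644)  # the fix Dan applied
        after = insecure_components(keys, uid, top)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("mode 664:", before)
    print("mode 644:", after)
```

On a real system, call insecure_components() with the actual authorized_keys path and the account's uid; with the default stop_at it walks all the way to /.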