Linode Community Forums

SSH key-based authentication doesn't work

Linode Forum Index -> General Discussion
dcelasun



Joined: 30 Nov 2008
Posts: 109

Posted: Thu Jun 25, 2009 10:57 am    Post subject: SSH key-based authentication doesn't work  

Here's the /etc/ssh/sshd_config on the server:

Code:
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
#Port 22
Port [Something non-standard]
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile   %h/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys2

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes


In /root/.ssh/ I have the file "authorized_keys2" which contains the public key. When I try to login from my pc with
Code:
ssh -i /place/of/private/key -p [the non-standard port] 123.465.798.123
it still asks for the root password. What's wrong?
irgeek



Joined: 21 Jun 2003
Posts: 154
Location: Absecon, NJ

Posted: Thu Jun 25, 2009 11:08 am    Post subject:  

It may be because you've specified root can't log in:
Code: PermitRootLogin no
Also, check that the key in authorized_keys2 is all on one line. Sometimes it will get split across lines when you paste it.
-James
dcelasun



Joined: 30 Nov 2008
Posts: 109

Posted: Thu Jun 25, 2009 11:11 am    Post subject:  

I've enabled root login and the key is in one line. Still no luck. Any ideas?
krmdrms



Joined: 27 May 2009
Posts: 18

Posted: Thu Jun 25, 2009 11:29 am    Post subject:  

Did you try to set:
PasswordAuthentication no
irgeek



Joined: 21 Jun 2003
Posts: 154
Location: Absecon, NJ

Posted: Thu Jun 25, 2009 11:37 am    Post subject:  

What does the key look like? It should start with ssh-dss or ssh-rsa and end with ==

-James
ttl



Joined: 23 Jun 2009
Posts: 3

Posted: Thu Jun 25, 2009 11:45 am    Post subject:  

Have you sent sshd SIGHUP (or restarted it) to cause it to reread the conf file?

I'm sure you know it's not considered best practice to use the root login for SSH.
dcelasun



Joined: 30 Nov 2008
Posts: 109

Posted: Thu Jun 25, 2009 11:52 am    Post subject:  

irgeek wrote: What does the key look like? It should start with ssh-dss or ssh-rsa and end with ==

-James
It starts with ssh-rsa and ends with ==

Quote: Did you try to set:
PasswordAuthentication no
No, I didn't, but I shouldn't need to. Both password and key authentication should be able to work at the same time.

Quote: Have you sent sshd SIGHUP (or restarted it) to cause it to reread the conf file?

I'm sure you know it's not considered best practice to use the root login for SSH.
I did restart sshd, no luck. I know I shouldn't use root login; I don't, I just enabled it for testing this.
skavoovie



Joined: 28 Feb 2008
Posts: 19

Posted: Thu Jun 25, 2009 12:28 pm    Post subject:  

Can't help it...you shouldn't be doing this for root -- even for testing as you mention. Ugh.

That being said...


First:

You don't mention what distro you are using, but generally speaking, any modern instance of SSHD is going to be looking for authorized_keys, not authorized_keys2. The authorized_keys2 filename is deprecated. If in doubt, rename authorized_keys2 to authorized_keys and create a symlink from authorized_keys2 to authorized_keys.


Second:

Make sure your directory & file permissions are correct.

~ ---> 0700
~/.ssh ---> 0700
~/.ssh/authorized_keys* ---> 0600
~/.ssh/id_* ---> 0600
~/.ssh/id_*.pub --> 0600 or 0640

in other words...
user's homedir is permission 0700
user's .ssh dir is 0700
authorized_keys, authorized_keys2 0600
all private keys 0600
all public keys -- does not matter but 0600 is not inappropriate

If these file & dir permissions are not correct, key auth will always fail.

Have you checked /var/log/secure to check for error messages associated with authentication? That's your best bet to tell you what's broken. File permissions and any other issues will be logged there, or depending on your syslog.conf, perhaps /var/log/messages, or whatever is defined for authpriv.* in /etc/syslog.conf.
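The two checks the replies keep coming back to, irgeek's "is the key on one line and does it start with ssh-rsa/ssh-dss" and skavoovie's permission table above, as an added shell script that is not from any poster in this thread. It assumes GNU coreutils (stat -c, base64 -d, head -c/tail -c). One refinement over the table: what sshd's StrictModes actually rejects is a home directory, .ssh directory or key file that is writable by group or others (or not owned by the user or root), so 0700/0600 is sufficient but 0755/0644 also passes; the script tests the write bits rather than an exact mode. The sample key line is constructed in valid wire format from a fixed string, so it is not a real key and nothing secret is embedded.

```shell
#!/bin/sh
# Added example, not from the thread: audit (1) the permissions that make sshd's
# StrictModes ignore an authorized_keys file and (2) each key line's format.
# Assumes GNU coreutils (stat -c, base64 -d, head -c, tail -c).

# Octal mode of a path, e.g. 700 or 2755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when MODE grants write access to group or others. That is what
# StrictModes rejects (it also requires the owner to be the user or root,
# which this script does not check).
loose_mode() {
    case $1 in
        *[2367][0-7]) return 0 ;;   # group write bit set
        *[2367])      return 0 ;;   # world write bit set
    esac
    return 1
}

# Validate one authorized_keys line: a known key type, then a base64 blob whose
# decoded wire format (uint32 length + type string) names that same type.
# A key pasted across two lines is caught because the continuation line does
# not start with a key type. Option prefixes (from="...", command="...") are
# not handled here.
check_key_line() {
    set -f; set -- $1; set +f          # split into type, base64, comment
    case ${1:-} in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "BAD: unknown key type '${1:-<empty>}'" >&2; return 1 ;;
    esac
    blob_type=$(printf '%s' "${2:-}" | base64 -d 2>/dev/null |
                head -c $((4 + ${#1})) | tail -c ${#1} | tr -d '\000')
    if [ "$blob_type" != "$1" ]; then
        echo "BAD: blob does not decode to a $1 key (truncated or split paste?)" >&2
        return 1
    fi
}

# Constructed, non-secret ssh-ed25519 line in valid wire format, so the demo
# runs without a real key pair.
sample_key_line() {
    b64=$( {
        printf '\000\000\000\013ssh-ed25519'          # 11-byte type string
        printf '\000\000\000\040'                     # 32-byte key follows
        printf 'constructed-demo-key-not-secret!'     # exactly 32 bytes
    } | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s constructed-demo@example\n' "$b64"
}

# audit_home HOME [KEYFILE]: report every problem to stderr; return 0 only if
# the directory chain and every key line pass.
audit_home() {
    home=$1; keyfile=$home/.ssh/${2:-authorized_keys}; rc=0
    for p in "$home" "$home/.ssh" "$keyfile"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p" >&2; rc=1; continue
        fi
        m=$(mode_of "$p")
        if loose_mode "$m"; then
            echo "LOOSE: $p is mode $m (group/world writable); StrictModes ignores the key file" >&2
            rc=1
        fi
    done
    [ -f "$keyfile" ] || return 1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        check_key_line "$line" || { echo "  ($keyfile line $n)" >&2; rc=1; }
    done < "$keyfile"
    return $rc
}

# Command-line use: sh sshkey_audit.sh /home/alice [authorized_keys2]
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -ge 1 ]; then
    audit_home "$1" "${2:-authorized_keys}" && echo "OK: $1 passes"
fi
```

Pass the second argument when sshd_config points AuthorizedKeysFile at a non-default name, as the original post does with authorized_keys2; the MISSING line then tells you immediately whether the file sshd is actually reading exists.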
dcelasun



Joined: 30 Nov 2008
Posts: 109

Posted: Thu Jun 25, 2009 12:31 pm    Post subject:  

Quote: any modern instance of SSHD is going to be looking for authorized_keys, not authorized_keys2. The authorized_keys2 filename is deprecated. If in doubt, rename authorized_keys2 to authorized_keys and create a symlink from authorized_keys2 to authorized_keys.
Check my initial post, I've specified
Code:
#AuthorizedKeysFile   %h/.ssh/authorized_keys
AuthorizedKeysFile %h/.ssh/authorized_keys2
so it should be fine. I'll check the file permissions and logs and report back. Thanks!
drake127



Joined: 15 Nov 2008
Posts: 55
Location: Czech Republic

Posted: Sun Jun 28, 2009 9:37 am    Post subject:  

Try to connect from your Linode to itself via "ssh -v localhost" and it should tell you what's wrong.