Debugging SSH public key authentication problems

28 Feb 2007

After a longer than desired struggle with getting sshd to accept my public key, I think a blog post is in order to remind myself not to repeat the same mistakes. Here’s how you should go about debugging your SSH public key authentication woes:

  • Getting more debug info when connecting with your ssh client: Add a ‘-v’ option to your ssh command (e.g. ssh chuyeow@remotehost -v -v -v). Add more ‘-v’ for more detailed debug (you can do up to ‘-v -v -v’ I think).
  • Debugging on the remote host by running sshd in debug mode: Run ‘/usr/sbin/sshd -d -p 2222’ on the remote host and connect to it. ‘2222’ here is the port number of the sshd process you started on the remote host.
  • tail the authentication log: Run ‘tail -f /var/log/auth.log’ on the remote host. You can watch the log as you try to connect via SSH with your key.
  • Make sure your ssh key agent is running: Do a ‘ps aux|grep ssh-agent’. Make sure your key agent is running. If you’re not using ssh-agent (I like keychain from Gentoo, or SSHKeyChain for Mac OS X), do whatever you have to do to ensure that your keychain is running.
  • Make sure your private key is added to the ssh key agent: Do a ‘ssh-add -l’ to check that ssh-agent has your key. Likewise, if you are using something else, check your keychain application has your private key.
  • Check the permissions on your home directory, .ssh directory, and the authorized_keys file: If your ssh server is running with ‘StrictModes yes’ (the default), it will refuse to use the public keys in your ~/.ssh/authorized_keys file when the permissions on any of these are too loose. Your home directory should be writable only by you, ~/.ssh should be 700, and authorized_keys should be 600.

Tailing the authentication log was the clincher for me this time – my problem was that the group permissions on my home directory were set incorrectly (the error message I got from auth.log was: ‘Authentication refused: bad ownership or modes for directory /home/chuyeow’). I just had to fix it so that it was no longer group-writable. Of course, this can also be fixed by setting ‘StrictModes no’ in your sshd config (/etc/ssh/sshd_config), but that’s not really recommended, since it switches off the check that stops other users from tampering with your authorized_keys. Plus, you may not always have the rights to edit that file anyway.
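
A local version of the permission check from the last bullet, as an added example that is not part of the original post. The function name `check_ssh_perms` and its output labels are made up here, and it only approximates what sshd tests under StrictModes: each of the home directory, ~/.ssh and authorized_keys must be owned by the login user or root and must not be group- or world-writable.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or from OpenSSH).
# Usage: check_ssh_perms [home_dir] [uid]
# Prints one line per problem and returns the number of problems found.
check_ssh_perms() {
    home=${1:-$HOME}
    uid=${2:-$(id -u)}
    problems=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING   $path"
            problems=$((problems + 1))
            continue
        fi
        # Group- or world-writable: someone other than the owner could
        # replace the key file or a directory above it.
        # -H follows a symlinked home; -prune keeps find from descending.
        if [ -n "$(find -H "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE  $path (fix: chmod go-w)"
            problems=$((problems + 1))
        fi
        # Owned by neither the login user nor root.
        if [ -n "$(find -H "$path" -prune ! -user "$uid" ! -user 0 -print)" ]; then
            echo "OWNER     $path (fix: chown to the login user)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run `check_ssh_perms` on the remote host as the user you are trying to log in as; a group-writable home directory like the one in this post shows up as a single WRITABLE line.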

13 Responses to Debugging SSH public key authentication problems

Chris Combs

April 4th, 2007 at 3am

Thanks for the StrictModes tip. So much for group-writable home directories!

Chu Yeow

April 7th, 2007 at 12pm

I didn’t mention this in the post, but I had a group-writable home directory because we were using this particular user account as a common “deploy” user for our developers.

Contentious Content » Blog Archive » How to setup ssh so that manual password entry is not needed

May 14th, 2007 at 11pm

[...] 5. See the following post for debugging clues, if necessary: http://blog.codefront.net/2007/02/28/debugging-ssh-public-key-authentication-problems/ [...]

RichardBronosky

November 15th, 2007 at 11pm

If your ssh server is running with ‘StrictModes on’, it will refuse to use your public keys in the ~/.ssh/authorized_keys file. Your home directory should be writable only by you

This was it! This drove me crazy for months. Out of dozens of servers only one insisted on a password login. I never thought that permissions on my home folder would matter (as long as the owner and permissions of the .ssh folder were okay).

God bless you hacker!

Felix Geisendörfer

March 13th, 2008 at 7pm

Thank you so much for this man! This drove me nuts for months, had the exact same problem with a group-writeable home dir!

How to setup ssh so that manual password entry is not needed « My Blog

April 8th, 2009 at 2am

[...] See the following post for debugging clues, if necessary: http://blog.codefront.net/2007/02/28/debugging-ssh-public-key-authen [...]

SSH-key for apache user?

February 2nd, 2011 at 6pm

[...] than trying to figure out if the env variables were set up properly. I found the following page Debugging SSH public key authentication problems useful. I used scp -vvv -B during [...]

SLAD install issue with openssl key verification

February 23rd, 2012 at 2am

[...] under the user home directory. What I would suggest is turning on ssh debugging. See this link: http://blog.codefront.net/2007/02/28…tion-problems/ Even better, have a look at this one: http://www.tek-tips.com/faqs.cfm?fid=6934 which discusses [...]

Debugging SSH public key authentication problems – redemption in a blog | Qq Blog :)

May 14th, 2012 at 10am

[...] Debugging SSH public key authentication problems – redemption in a blog. [...]

Stop entering passwords: How to set up ssh public/private key authentication for connections to a remote server » TechNotes

March 31st, 2013 at 5pm

[...] And change the “yes” to “no”. You’ll need to reboot or restart the ssh server for this to take effect. An alternate, and probably more secure fix is to check the permissions on your home directory – if it is not writable by anyone but the owner, then it should not be necessary to change the StrictModes parameter. For more troubleshooting hints see Debugging SSH public key authentication problems. [...]
