Dear List,
I cannot get public ssh keys to work in a fresh install of centos6.5
This might be a centos bug.
I've googled for a solution.
Mostly I found threads suggesting I debug sshd or run ssh -v for clues.
Also I've seen threads suggesting I look at file and directory permissions.
I don't think I should need to debug sshd after a fresh install.
Also I think a fresh install should correctly set file and directory permissions.
I think ssh should just simply work or I should see some simple documentation to make it work.
Steps to reproduce this bug:
Get the latest copy of virtualbox software.
Get a centos6.5 dvd.
Press the new button in virtualbox
In the settings of the new install ask virtual box to setup a bridged adapter.
Walk through the virtualbox wizard UI.
When it asks for distribution point it at centos6.5 iso
When the iso boots inside of virtualbox, choose to install desktop which is the first choice of choices.
Eventually it will ask for a username, give the name of 'dan' and password paloalto9.
When presented a login screen, login as dan.
Start a terminal.
try ssh:
ssh dan@localhost
That should prompt you for password and log you in.
Also it should create ~dan/.ssh/
cd ~dan/.ssh/
do this:
ssh-keygen
That should create 2 files:
~dan/.ssh/id_rsa ~dan/.ssh/id_rsa.pub
do this:
cat ~dan/.ssh/id_rsa.pub > ~dan/.ssh/authorized_keys
try:
ssh dan@localhost
It should log me in.
Instead it prompts for password.
I've walked through this type of scenario many times over the past few years and it has always worked.
Currently it works well on ubuntu 12.04.
I think something in centos6 might be broken?
Perhaps there is a documented step somewhere which has been added to fresh centos installs which I missed?
Dan
On 05/09/2014 03:34 PM, Dan Bikle wrote:
> Dear List,
> I cannot get public ssh keys to work in a fresh install of centos6.5
> [snip]
> Steps to reproduce this bug:
> [snip]
> do this:
> cat ~dan/.ssh/id_rsa.pub > ~dan/.ssh/authorized_keys
I think you're missing:
chmod 600 ~dan/.ssh/authorized_keys
Without it, sshd won't use the authorized_keys file if it's readable by other users. (I think that's related to "StrictMode"; consult sshd man page)
-Greg
> try:
> ssh dan@localhost
> It should log me in.
> Instead it prompts for password.
> I've walked through this type of scenario many times over the past few years and it has always worked.
> Currently it works well on ubuntu 12.04.
> I think something in centos6 might be broken?
> Perhaps there is a documented step somewhere which has been added to fresh centos installs which I missed?
> Dan
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
On 09/05/14 06:42 PM, Greg Bailey wrote:
> On 05/09/2014 03:34 PM, Dan Bikle wrote:
> > Dear List,
> > I cannot get public ssh keys to work in a fresh install of centos6.5
> > [snip]
> > Steps to reproduce this bug:
> > [snip]
> > do this:
> > cat ~dan/.ssh/id_rsa.pub > ~dan/.ssh/authorized_keys
> I think you're missing:
> chmod 600 ~dan/.ssh/authorized_keys
> Without it, sshd won't use the authorized_keys file if it's readable by other users. (I think that's related to "StrictMode"; consult sshd man page)
> -Greg
Check the selinux context as well (or, to test, setenforce 0 -> try again. Worked? selinux problem, fix the context).
https://alteeve.ca/w/AN!Cluster_Tutorial_2#SELinux_Related_Problems
On Fri, May 09, 2014 at 03:42:52PM -0700, Greg Bailey wrote:
> I think you're missing:
> chmod 600 ~dan/.ssh/authorized_keys
> Without it, sshd won't use the authorized_keys file if it's readable by other users. (I think that's related to "StrictMode"; consult sshd man page)
No. Public keys are public and are happy to be readable.
What can _not_ be allowed is group/world writeable... ANYWHERE in the path.
eg if ~dan is /home then
  / must be owned by root and permission 755
  /home must be owned by root and permission 755
  /home/dan must be owned by dan and not be group/world writeable
  /home/dan/.ssh must be owned by dan and not be group/world writeable
  /home/dan/.ssh/authorized_keys must be owned by dan and not be group/world writeable
Also permissions of /etc /etc/ssh /etc/ssh/sshd_config and so on.
I noticed that authorized keys had the group-write-bits set to 6.
I fixed it:
chmod 644 ~dan/.ssh/authorized_keys
Now I can authenticate via public-key.
Yay! Thanks Stephen
On 5/9/14, Stephen Harris lists@spuddy.org wrote:
> On Fri, May 09, 2014 at 03:42:52PM -0700, Greg Bailey wrote:
> > I think you're missing:
> > chmod 600 ~dan/.ssh/authorized_keys
> > Without it, sshd won't use the authorized_keys file if it's readable by other users. (I think that's related to "StrictMode"; consult sshd man page)
> No. Public keys are public and are happy to be readable.
> What can _not_ be allowed is group/world writeable... ANYWHERE in the path.
> eg if ~dan is /home then
>   / must be owned by root and permission 755
>   /home must be owned by root and permission 755
>   /home/dan must be owned by dan and not be group/world writeable
>   /home/dan/.ssh must be owned by dan and not be group/world writeable
>   /home/dan/.ssh/authorized_keys must be owned by dan and not be group/world writeable
> Also permissions of /etc /etc/ssh /etc/ssh/sshd_config and so on.
> --
> rgds Stephen
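
The path rule from Stephen's reply, as an added shell example that is not part of the original thread and is not sshd's own code: it walks from authorized_keys up to a stop directory and reports every component that is group/world writable or not owned by the account or root. The function name `audit_key_path` and its `TOP` argument are assumptions made for this example, and it relies on GNU `stat -c`.

```sh
#!/bin/sh
# Added example (not from the thread): report every component of an
# authorized_keys path that is group/world writable or has the wrong owner.
#
# audit_key_path FILE OWNER [TOP]
#   FILE   absolute path of the authorized_keys file to check
#   OWNER  account expected to own the path (root is accepted as well)
#   TOP    last directory to check, default "/" (assumption added for this
#          example so the walk can be confined to a subtree)
# Prints one line per finding; returns 0 if clean, 1 if anything was found,
# 2 if a component cannot be read with stat.
audit_key_path() {
    path=$1; owner=$2; top=${3:-/}
    findings=0
    while :; do
        p_owner=$(stat -c %U "$path") || return 2
        p_mode=$(stat -c %a "$path") || return 2

        # Owner must be the account itself or root.
        if [ "$p_owner" != "$owner" ] && [ "$p_owner" != root ]; then
            echo "BAD-OWNER $path owner=$p_owner"
            findings=$((findings + 1))
        fi

        # 022 masks the group-write and other-write bits; %a prints octal,
        # so the leading 0 makes the shell read it as an octal constant.
        if [ $(( 0$p_mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path mode=$p_mode"
            findings=$((findings + 1))
        fi

        # Stop once TOP (or the filesystem root) has been checked; the "."
        # case guards against a relative FILE looping forever.
        if [ "$path" = "$top" ] || [ "$path" = / ] || [ "$path" = . ]; then
            break
        fi
        path=$(dirname "$path")
    done
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_key_path /home/dan/.ssh/authorized_keys dan`; a mode such as 664 on the file, or 775 on any directory above it, produces a `WRITABLE` line.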