Wednesday, August 02, 2006

ssh authorized_keys

Just now, one user complained that he can't use his public key to authenticate to a remote server.
He had already generated the public key and done all the necessary steps, but the remote server still asked for a password after keying in the public key.

I tried with my own ID and it worked just fine, so it could be something wrong with his ID or his public key. I tried regenerating his public key, but still the same thing.
As you can see from the verbose ssh output below, it still asked for a password after keying in the public key:
user1@local_server $ ssh -v remote_server
OpenSSH_3.8.1p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to remote_server [ip_address] port 22.
debug1: Connection established.
debug1: identity file /glb/home/user1/.ssh/identity type -1
debug1: identity file /glb/home/user1/.ssh/id_rsa type 1
debug1: identity file /glb/home/user1/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)>
Enter passphrase for key '/glb/home/user1/.ssh/id_dsa':
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
user1@remote_server's password:
A friend of mine (trew) found the solution... thanks :)
It is actually because his home directory is group writable (775). For security reasons, the authorized_keys file cannot be writable by anyone else; this also applies to the parent directory of the authorized_keys file, in this case his home directory.
For more info, refer to the authorized_keys section of http://dsd.lbl.gov/~ksb/Scratch/ssh_user_setup.html.
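
A quick way to find which path is the problem, as an added example that is not part of the original post: run it on the remote server against the affected user's home directory. The function names are made up for this example, and it only checks the group/other write bits described above, not file ownership (sshd's StrictModes check, on by default, looks at both).

```sh
#!/bin/sh
# Added example (hypothetical helper names): report which path is writable
# by group or others, as in the 775 home directory case from the post.

# Print "BAD <mode> <path>" and return 1 if group/other write is set.
check_path() {
    p=$1
    [ -e "$p" ] || { echo "missing $p"; return 2; }
    mode=$(ls -ld "$p" | cut -c1-10)        # e.g. drwxrwxr-x
    gw=$(printf '%s' "$mode" | cut -c6)     # group write position
    ow=$(printf '%s' "$mode" | cut -c9)     # other write position
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "BAD $mode $p"
        return 1
    fi
    echo "ok  $mode $p"
    return 0
}

# Check the home directory, ~/.ssh and authorized_keys.
# Returns non-zero if any of them is unsafe or missing.
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" || rc=1
    done
    return $rc
}

# The fix for the case in the post: drop group/other write on all three.
fix_ssh_perms() {
    home=$1
    chmod go-w "$home" "$home/.ssh" "$home/.ssh/authorized_keys"
}

# Constructed demo: a throwaway "home" with the 775 mode from the post.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 775 "$demo_home"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
check_ssh_perms "$demo_home" || echo "key would be ignored, password prompt follows"
fix_ssh_perms "$demo_home" && check_ssh_perms "$demo_home"
rm -rf "$demo_home"
```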
