Trying to do ssh authentication with key files: server refused our key
Sophia Terry
I'm trying to set up ssh authentication with key files instead of username/password. The client is a Windows box running PuTTY and the server is an Ubuntu 12.04 LTS server.
I downloaded puttygen.exe and had it generate a key pair. In /etc/ssh/sshd_config I have this line:
AuthorizedKeysFile %h/.ssh/authorized_keys
and on my client's public key file it says this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: ""
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAr3Qo6T5XU06ZigGOd3eKvfBhFLhg5kWv8lz6
qJ2G9XCbexlPQGanPhh+vcPkhor6+7OmB+WSdHeNO652kTofnauTKcTCbHjsT7cJ
GNrO8WVURRh4fabknUHPmauerWQZ6TgRPGaz0aucU+2C+DUo2SKVFDir1vb+4u83
AV1pKxs=
---- END SSH2 PUBLIC KEY ----
I copied the part from "ssh-rsa AAA" to "" and put that in the file ~/.ssh/authorized_keys on my server (in my own home folder). In PuTTY under Connection > SSH > Auth I entered the path to the private key it generated on my client and saved the session settings.
I restarted the ssh server with
sudo service ssh restart
Now if I load the profile in PuTTY (I verified the private key is still in Connection > SSH > Auth and that the path is correct) and run the profile, it says
Server refused our key
I tried putting the public key in a file under the directory ./ssh/authorized_keys/ but that didn't help so I used ./ssh/authorized_keys as a file, pasting the key in it. I also tried generating a private/public key pair on the server, putting the public key in ./ssh/authorized_files and loading the private one in PuTTY on my client. Rebooting the server didn't help either.
I found that the error may be solved by putting the key in a place outside the user's home folder but that's only useful if the home folder is encrypted, which this one is not.
Also tried generating a 4096 bit key, thinking perhaps 1024 was too short.
How can I get this to work? Thanks!
EDIT:
Ok, /var/log/auth.log said:
sshd: Authentication refused: bad ownership or modes for directory /home/vorkbaard/.ssh
Google tells me ~/.ssh/ should be 700 and ~/.ssh/authorized_keys should be 600, so I did that. Now /var/log/auth.log says:
sshd: error: key_read: uudecode AAAAB3N [etc etc etc until about 3/4 of my public key]

16 Answers
Ok, it is fixed however I don't see how this is different from what I tried already.
What I did:
- generate a key pair with puttygen.exe (length: 1024 bits)
- load the private key in the PuTTY profile
- enter the public key in ~/.ssh/authorized_keys in one line (ssh-rsa {your_public_key} with no more than one space between ssh-rsa and your key)
- chmod 700 ~/.ssh
- chmod 600 ~/.ssh/authorized_keys
- chown $USER:$USER ~/.ssh -R
- change /etc/ssh/sshd_config so it contains AuthorizedKeysFile %h/.ssh/authorized_keys
- sudo service ssh restart
For troubleshooting do # tail -f /var/log/auth.log.
Thanks for your help!

I just encountered this problem. Despite having the config set correctly as is already mentioned in this thread (permissions on authorized_keys etc.), it turns out I had the public key in the wrong format. It was in the form of:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "imported-openssh-key"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDUoj0N3vuLpeviGvZTasGQ...
... lPmTrOfVTxI9wjax2JvKcyE0fiNMzXO7qiHJsQM9G9ZB4Lkf71kT
---- END SSH2 PUBLIC KEY ----
Which wasn't working. But got it working having it in the form:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU.....j0N3vuLpeviGvZTasGQa1rcJiPXQMW7v3uurb+n94B9MQaaWR0odsg5DJQL92TNenOda5BO1nd08y6+sdLQmHXExTz6X8FzgoVsAkEl3RscxcxHUksiKA9JfTo38vQvG/bPxIHMCuSumCQVA1laf3rO/uOrkcB7iMWhaoi1/z6AbFtPzeh7xjGfInMWwtBI0CsHSRF73VWIxT26w0P+KjafCjSn/7vDO1bT8QHujSQelU/GqaVEvbbvPl1a7POVjKgHLNekolwRKfNeVEewcnmZaoqfHgOKlPmTrOfVTxI9wjax2JvKcyE0fiNMzXO7qiHJsQM9G9ZB4Lkf71kT UserName@HOSTNAME

I had to change permissions to home directory
chmod 700 ~

The problem is that Windows uses a different newline than Linux, so when copying the key from Windows to Linux, there is a \n at the end of the line that you cannot see on Linux in the editor.
If you tail the /var/log/auth.log and try to login, the error is like:
sshd: error: key_read: uudecode AAAAB3N[....]==\n
If you change your key on Windows so it's in a single line without a new line at the end and copy it then to Linux, it should work (did the trick for me).

I had to change the ~/.ssh directory permissions from 770 to 700 and the ~/.ssh/authorized_keys file permissions from 660 to 600.
For some reason removing group permissions fixed this issue for me.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

The ~/.ssh/authorized_keys file requires keys to be all on one line. If you added it across multiple lines as in your paste above, try joining the lines.

Here's what worked for me:
In puttygen, after you've generated your keys, make sure that you copy and paste the information from the top field to go into your authorized_keys file. If you save your public key to your client machine, and then open it up, the text is different from the text at the top of the puttygen screen. Again, make sure that you copy and paste the text from the TOP of the puttygen screen (after you've created your keys) into your authorized_keys file which should be located in ~/.ssh.

Sometimes it can be a problem associated with having the public key not on one line, so this approach seems to solve it:
echo 'the content of the public key' >> /root/.ssh/authorized_keys

In addition to all the above answers, make sure you copy and paste the key from puttygen correctly!
If you just double-click on the bulk of the key string to select it, you may not get the entire string, because the text box splits lines on some characters, like +, such that you don't select the text after the + character (which you can't see because the text box is too small). Be sure to select the entire string manually, from the ssh-rsa to the very end of the text box.
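
The format problems reported in the answers above (a PuTTYgen "SSH2 PUBLIC KEY" block instead of one line, a stray Windows line ending, a wrapped or partially copied key) can be checked before a line goes into authorized_keys. This is an added example, not code from the thread; the function names and the sample key (constructed, with filler bytes rather than a real modulus) are assumptions, and it covers plain keys without an options prefix and single-line headers only.

```python
import base64

def blob_fields(blob):
    """Split a public-key blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if len(blob) - pos < 4 + n:
            raise ValueError("field runs past the end of the key data")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def check_line(line):
    """Problems with one authorized_keys line; an empty list means it parses."""
    problems = []
    if line.endswith("\r"):
        problems.append("trailing CR from a Windows line ending")
        line = line[:-1]
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return problems + ["RFC 4716 block, not the one-line OpenSSH format"]
    parts = line.split()
    if len(parts) < 2:
        return problems + ["expected '<type> <base64> [comment]' on one line"]
    try:  # binascii.Error raised by b64decode is a ValueError subclass
        fields = blob_fields(base64.b64decode(parts[1], validate=True))
    except ValueError as exc:
        return problems + [f"key data truncated or altered: {exc}"]
    if not fields or fields[0] != parts[0].encode():
        problems.append("type prefix does not match the type inside the blob")
    return problems

def rfc4716_to_openssh(text, comment=""):
    """Turn a '---- BEGIN SSH2 PUBLIC KEY ----' block into one OpenSSH line."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("----") and ":" not in ln]
    b64 = "".join(body)
    key_type = blob_fields(base64.b64decode(b64, validate=True))[0].decode()
    return " ".join(filter(None, [key_type, b64, comment]))

def _string(data):  # SSH wire "string": uint32 length, then the bytes
    return len(data).to_bytes(4, "big") + data
# Constructed sample: ssh-rsa layout with filler bytes, not a usable key.
SAMPLE_B64 = base64.b64encode(
    _string(b"ssh-rsa") + _string(b"\x25") + _string(b"\x00" + b"\xaf" * 128)).decode()
SAMPLE_RFC4716 = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "constructed"']
    + [SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)]
    + ["---- END SSH2 PUBLIC KEY ----"])
```

Running check_line over each line of an authorized_keys file flags a wrapped key as well, because the continuation lines have no type prefix.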

For me the problem was I'd created ~/.ssh/authorized_keys using root, so it was root-owned. I had to chown sshuser:sshuser ~/.ssh/authorized_keys, then it started working.

I too faced this error and solved it by changing the permissions of authorized_keys file to 600.
chmod 600 ~/.ssh/authorized_keys

A common error is that people use a text editor (like Vim) and paste the copied text before activating the "insert" (press +i in Vim before pasting).

If you tried many ways inside .ssh and all failed, there is a possibility that you may need to chmod g-w ~ if you work in a multi-user environment.
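
A sketch of the ownership and mode rule behind the "bad ownership or modes" log line, as sshd applies it with StrictModes enabled: the key file and each directory up to the home directory must be owned by the user or root and must not be group- or world-writable. This is an added example, not code from the thread; the function names are hypothetical and the scratch directory is a constructed stand-in for a home directory.

```python
import os
import stat
import tempfile

def strict_modes_problems(auth_keys, home, uid):
    """Findings for the key file and every directory from it up to home."""
    problems, kind = [], "file"
    path, home = os.path.realpath(auth_keys), os.path.realpath(home)
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            problems.append(f"{kind} {path}: owner uid {st.st_uid}, expected {uid} or root")
        if mode & 0o022:
            problems.append(f"{kind} {path}: mode {mode:o} is group- or world-writable")
        if path == home or path == os.path.dirname(path):
            return problems
        path, kind = os.path.dirname(path), "directory"

def demo():
    """Apply modes reported in the thread (home/.ssh/file) and count findings."""
    cases = {"700/700/600": (0o700, 0o700, 0o600),
             "700/770/660": (0o700, 0o770, 0o660),
             "770/700/600": (0o770, 0o700, 0o600),
             "700/700/644": (0o700, 0o700, 0o644)}
    results = {}
    with tempfile.TemporaryDirectory() as home:  # constructed stand-in for ~
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        open(keys, "w").close()
        for label, modes in cases.items():
            for target, mode in zip((home, ssh_dir, keys), modes):
                os.chmod(target, mode)
            results[label] = len(strict_modes_problems(keys, home, os.getuid()))
    return results

if __name__ == "__main__":
    for label, count in demo().items():
        print(label, "->", count, "finding(s)")
```

Under this rule 644 on the file produces no finding while 660 does, and a group-writable home directory is flagged even when ~/.ssh itself is 700.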

In fact, I changed authorized_keys's permission to 644, then problem solved.
chmod 644 ~/.ssh/authorized_keys

To debug OpenSSH one can use:
sudo `which sshd` -p 2020 -Dd
It runs sshd on another port, 2020. It runs sshd as a current program so output goes to the screen. If closed, it is closed.
Then try to connect.
Explanation:
- `which sshd` - locates the sshd address; try executing which sshd to see what it prints. When using back quotes it executes and returns the result in place.
- -p 2020 - specifies port
- -D - log to file
- -d - log to screen

I had this issue on an AWS instance where I had moved /home from the root disk to a new separate disk at xvdf, for free space reasons.
There was nothing in the logs, not under auth or secure, or messages.
In the end I guessed SELinux was the culprit, and some googling led me to audit2allow -w -a which showed a useful error when opening the user's authorized_keys file.
The fix was to run restorecon -R -v /home which relabelled things on the new disk and then SELinux was happy to use the user's .ssh/authorized_keys file.