MacOS – How to fix ssh login that starts asking for password and `ls .ssh` is permission denied


I use my Mac to login to remote hosts via Terminal.app using ssh and local stored keys a.k.a. passwordless login a.k.a authentication key login.

All of a sudden the new ssh login attempts are:

  1. asking for the password, where before the logins were passwordless
  2. returning The authenticity of host XYZ can't be established.
  3. answering yes to Are you sure you want to continue connecting (yes/no)?
    results in Failed to add the host to the list of known hosts (/Users/user/.ssh/known_hosts).

Also ls ~/.ssh results in all "Permission denied":

ls: authorized_keys: Permission denied
ls: config: Permission denied
ls: id_rsa: Permission denied
ls: id_rsa.pub: Permission denied
ls: known_hosts: Permission denied

How to fix this?

Best Answer

Wrong file permissions

Wrong permissions are set on some files inside the .ssh folder. Have a look at it from Terminal.app:

$ sudo ls -l ~/.ssh
-rw-r--r--+ 1 user  staff    393 27 nov 19:08 authorized_keys
-rw-r--r--+ 1 user  staff     16 26 apr  2016 config
-rw-------@ 1 user  staff   1743 16 sep  2008 id_rsa
-rw-r--r--@ 1 user  staff    400 16 sep  2008 id_rsa.pub
-rw-r--r--@ 1 user  staff  36654 26 nov 17:02 known_hosts

The first column (-rw-r--r--) displays the assigned unix file permissions for owner, group and others.

Read permissions for group and others are not allowed

The real issue here is not the first r at column position 2, but the r's at positions 5 and 8. These tell that group and others have read permission on these files, and read permission for anyone other than the file owner is not permitted.

Fix

It can be fixed by removing all rights from group and everybody using the command chmod 600 filename. For this specific case a command that would work is:

$ sudo chmod 600 ~/.ssh/{authorized_keys,config,id_rsa.pub,known_hosts}

Result

After running this command the new permissions look like this:

$ ls -l ~/.ssh
total 104
-rw-------+ 1 user  staff   393B 27 nov 19:08 authorized_keys
-rw-------+ 1 user  staff    16B 26 apr  2016 config
-rw-------+ 1 user  staff   1,7K 16 sep  2008 id_rsa
-rw-------+ 1 user  staff   400B 16 sep  2008 id_rsa.pub
-rw-------+ 1 user  staff    36K 26 nov 17:02 known_hosts

Note: the ls command now runs without sudo.
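As an added check (not part of the original question or answer), the script below audits a .ssh directory for the group/other permission bits the answer points at (positions 5 to 10 of the ls mode string) and applies the same chmod 600 fix to every regular file in it. It also checks that the directory itself is 0700, which OpenSSH expects; the function names and messages are my own.

```shell
#!/bin/sh
# Constructed example: audit an ssh key directory for the group/other
# permission bits described in the answer, and fix them the same way.

# Symbolic mode string (first 10 chars of `ls -ld`), e.g. -rw-r--r--.
# Works on both macOS and Linux; trailing @ or + ACL markers are ignored.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# ssh_perm_audit DIR
# Prints one "BAD ..." line per problem, nothing if DIR is clean.
# Returns 0 when clean, 1 when at least one problem was found.
ssh_perm_audit() {
    dir=$1
    found=0
    # The directory must be 0700: no group/other bits at all.
    if [ "$(mode_of "$dir" | cut -c5-10)" != "------" ]; then
        echo "BAD $(mode_of "$dir") $dir (directory should be 0700)"
        found=1
    fi
    # Every entry must have positions 5-10 empty (no r/w/x for group/other).
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        go=$(mode_of "$f" | cut -c5-10)
        if [ "$go" != "------" ]; then
            echo "BAD $(mode_of "$f") $f (group/other bits set, should be 0600)"
            found=1
        fi
    done
    return $found
}

# ssh_perm_fix DIR
# The answer's chmod 600 applied to every regular file, plus 0700 on DIR.
ssh_perm_fix() {
    chmod 700 "$1" || return 1
    for f in "$1"/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Usage: ssh_perm_audit "$HOME/.ssh" || ssh_perm_fix "$HOME/.ssh"
```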