SSH Passwordless Login – Troubleshooting When Already Logged In

passwordssh

So I set up passwordless ssh using the following: How can I set up password-less SSH login?

After setting this up, I'd expect that I wouldn't need a password to ssh. My issue is that on my first connection to ssh, it will ask me for a password, but additional sessions on top of that will not ask for a password.

I've already checked my sshd_config to make sure that it contains:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys

Pretty sure my permissions are right, because if they weren't then passwordless ssh wouldn't be working at all.

To add more "fun" to this problem, I noticed that when I restart my computer (either the client computer or the ssh server computer), sometimes it will work. Then when I shut down the computer and try it again the next day, it doesn't work anymore. Maybe this is completely random, but it's something I've noticed.

Best Answer

This is common issue with encrypted home, and was answered many times, for example on Unix, but is covered even in official Ubuntu documentation.

This is probably caused by the fact, that your home directory (and therefore the key) is not accessible during the login time. This can be caused by the fact, that your home is mounted from network drive (on shared system) after login or your home directory is encrypted (usually installs of workstations).

Solving this is complicated, but I will have a look for some discussion. Solution is to move the AuthorizedKeysFile to some other place, that will be accessible or us global store for keys (/etc/security/authorized_keys), or some kind of SSO management system (IPA, LDAP), which will get your key from directory server (yes, can be local). Depends on how much control of the target system you have.

Probably best solution is to store your keys in other place, changing the value in sshd_config:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys

Anyway, if you will move your authorized_keys, make sure they have proper permissions and count with the fact, that if you log in using public key, you will not be able to access your home directory (it is encrypted by your password!), unless you change the way how it is encrytpted.

Related Solutions

Ubuntu – A Linux container can use an authorized_keys file outside the home directory, but ephemeral containers based on it can’t. Why

This is an old question but it still comes up in google...

Authentication refused: bad ownership or modes for directory /

is caused by the sshd service having strict permissions requirements for the directory in which authorized_keys is found, not sure how you managed to make that the root directory (/) presumably something to do with the way your configuring containers.

If you cant change the permissions of / , which seems likely in this case, you can set

StrictModes no

in sshd_config.
Provided you don't have multiple users accessing the server, doing this has little impact to security.

Ubuntu – Hadoop in Ubuntu : Unable to create Passwordless SSH

The issue is due to the permission of the ~/.ssh/authorized_keys file. Its permission should not be such that others can write into the file.

For example, if the permission is set as octal 666 (it is devil indeed !!), as you can all others have the write permission in the file ~/.ssh/authorized_keys, then the file will be ignored by ssh and you will prompted for the password.

Assuming the file ~/.ssh/authorized_keys does not exists beforehand, the following command

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

will create the file ~/.ssh/authorized_keys with the permission determined by your umask value and then append the content of the ~/.ssh/id_rsa.pub file.

So, the solution is to change the permission of the file so that it is only writable by you, for example:

chmod 600 ~/.ssh/authorized_keys

Best Answer

Related Solutions

Ubuntu – A Linux container can use an authorized_keys file outside the home directory, but ephemeral containers based on it can’t. Why

Ubuntu – Hadoop in Ubuntu : Unable to create Passwordless SSH

Related Question