Check permissions. OpenSSH will not allow public-key authentication if a user's home directory, ~/.ssh, or ~/.ssh/authorized_keys is world writable. Also, ~/.ssh and ~/.ssh/authorized_keys should probably not be group-writable either. Leave IdentityFile at the default; it has nothing to do with the server aspect. It points to the default private key file used by the ssh client on UNIX/Linux. ssh_config is used only by the ssh client, and not the OpenSSH sshd server. The contents of authorized_keys should be one line per public key that is authorized to log in and look something like this:
ssh-rsa AAA.../Us= My Public Key comment
Where ... is a bunch of base64 characters ([a-zA-Z/+=]). PuTTYGen can generate two forms of keys: PuTTY and OpenSSH compatible. The OpenSSH compatible will be one long line in the above format. If it's in PuTTY format, you can import it back into PuTTYGen and save as OpenSSH.
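The permission and one-line-per-key checks from the answer above, as POSIX shell functions. This is an added example, not part of the original answer; the function names and the list of accepted key types are assumptions.

```shell
#!/bin/sh
# Added example: audit the three paths named above and the key file layout.

# True if PATH has all of the given permission bits set (POSIX find, no GNU stat).
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_ssh_perms HOME_DIR
# Prints one finding per line; returns 0 if clean, 1 otherwise.
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        if has_perm "$p" 002; then
            echo "WORLD-WRITABLE $p"; rc=1
        fi
        # Group write is flagged only on ~/.ssh and authorized_keys,
        # matching the advice in the answer.
        if [ "$p" != "$home" ] && has_perm "$p" 020; then
            echo "GROUP-WRITABLE $p"; rc=1
        fi
    done
    return $rc
}

# count_bad_key_lines FILE
# Prints how many non-blank, non-comment lines are NOT of the form
# "[options] key-type base64 [comment]" on a single line.
# Assumption: only the common key types below are accepted.
count_bad_key_lines() {
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" |
        grep -c -v -E \
        '^([^ ].* )?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' \
        || true
}
```

A non-zero count usually means a multi-line key block was pasted instead of the one-line OpenSSH form.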
Unlock the account and give the user a complex password as @Skaperen suggests.
Edit /etc/ssh/sshd_config and ensure you have:
PasswordAuthentication no
Check that the line isn't commented (# at the start) and save the file. Finally, restart the sshd service.
Before you do this, ensure that your public key authentication is working first.
If you need to do this for only one (or a small number) of users, leave PasswordAuthentication enabled and instead use Match User:
Match User miro,alice,bob
    PasswordAuthentication no
Place at the bottom of the file as it is valid until the next Match command or EOF.
You can also use Match Group <group name> or a negation Match User !bloggs
As you mention in the comments, you can also reverse it so that Password Authentication is disabled in the main part of the config and use Match statements to enable it for a few users:
PasswordAuthentication no
.
.
.
Match User <lame user>
PasswordAuthentication yes
Best Answer
Start with creating a user:
Create a key pair from the client which you will use to ssh from:
Copy the public key /home/username/.ssh/id_dsa.pub onto the RedHat host into /home/username/.ssh/authorized_keys
Set correct permissions on the files on the RedHat host:
Ensure that Public Key authentication is enabled on the RedHat host:
If not, change that directive to yes and restart the sshd service on the RedHat host.
From the client start an ssh connection:
It should automatically look for the key id_dsa in ~/.ssh/. You can also specify an identity file using: