Tuesday, December 25, 2018

Some notes on making keyless SSH work and troubleshooting

1. In your home directory, make sure the .ssh directory has the following permissions:
0700/rwx------
If not, run:

chmod 700 .ssh

2. Inside the .ssh directory, all the public key files (*.pub) should have the following permissions:
0644/rw-r--r--
If not, run:

chmod 644 .ssh/*.pub

3. All other files in the .ssh directory should have the following permissions:
0600/rw-------
To change, run:

find .ssh -type f ! -name '*.pub' -exec chmod 600 {} +
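
The three rules above can be checked in one pass. This is an added example, not part of the original post: the helper names audit_ssh_perms and mode_of are made up for illustration, and the script checks for exactly the modes listed in steps 1-3.

```shell
#!/bin/sh
# Added example: audit a .ssh directory against the three permission rules above.
# audit_ssh_perms and mode_of are hypothetical helper names, not part of OpenSSH.
# Usage: audit_ssh_perms            (defaults to $HOME/.ssh)
#        audit_ssh_perms /path/to/.ssh

# Print the octal permission bits of a path (GNU stat first, then BSD/macOS stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per mismatch as "<path> <actual> <expected>".
# Returns 0 if every mode matches, 1 on any mismatch, 2 if the directory is missing.
audit_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 2
    fi
    bad=0

    # Rule 1: the directory itself must be 0700.
    m=$(mode_of "$dir")
    if [ "$m" != 700 ]; then
        echo "$dir $m 700"
        bad=1
    fi

    # Rules 2 and 3: *.pub files 0644, every other regular file 0600.
    # The second glob picks up dotfiles, which "$dir"/* skips.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub) want=644 ;;
            *)     want=600 ;;
        esac
        m=$(mode_of "$f")
        if [ "$m" != "$want" ]; then
            echo "$f $m $want"
            bad=1
        fi
    done
    return $bad
}
```

Run it on the destination host as well as on the client, since the failure shown in the debug output further down came from the permissions on the destination side.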

To debug a failed ssh session, run:
ssh -vvv user@host

For example, in the following ssh -vvv output you can see that the public key was sent but not accepted. The root cause was incorrect permissions on the destination host's .ssh/* files:

debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Skipping ssh-dss key /Users/john/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: Will attempt key: /Users/john/.ssh/id_rsa RSA SHA256:Zjk3dXmAUc9bS01ItANovYD4usebPibGxM0r5JHtmP4
debug1: Will attempt key: /Users/john/.ssh/id_ecdsa ECDSA SHA256:U1Lkgb+30LAOIwE4OLgGuFffkYRW5WGW12YSOMb+ByI
debug1: Will attempt key: /Users/john/.ssh/id_ed25519
debug1: Will attempt key: /Users/john/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/john/.ssh/id_rsa RSA SHA256:Zjk3dXmAUc9bS01ItANovYD4usebPibGxM0r5JHtmP4
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
