When SSH Public Key Authentication Fails

Posted on Tuesday, February 10th, 2009 at 3:07pm by Rob Wilkerson

I’m no Sys Admin, but I connect to enough Unix machines often enough that enabling public key authentication is a real time saver. For those that may not know, public key authentication allows a user to login to another machine via SSH without a password. I’ve written a bit more about the technique itself in my archive. The other day, in the course of setting up authentication for several machines at work, I noticed that it worked for most of the machines but failed for a few others. After spending a little over an hour checking and double checking the files in my ~/.ssh directory, I spent another hour comparing files on the machines that weren’t working with the ones that were. Everything was precisely the same.

Except that it wasn’t. Evidently I neglected to read my own earlier post, specifically step 5. I had no idea that permissions were such a hot button, but it makes sense. The permissions on my ~/.ssh/authorized_keys file were 664. The boxes wouldn’t let me login because the file was writeable by someone other than me (at least in principle). As soon as I changed the permissions to 644, I was able to connect just fine.

Of course, I realize that this is by design and a very good thing, but I wasn’t expecting it so I stumbled over it.

, , , , 4 Comments

Subscribe4 Comments on When SSH Public Key Authentication...

  1. Felix Geisendörfer said...

    When I first started with SSH keys I ran into this one as well. Unfortunately I couldn’t figure it out for months as I had nothing to compare to and there were just so many reasons SSH could be failing on Google ; ).

    ...on
  2. Rob Wilkerson said...

    Yep. I’d never bumped into it, but I recently changed my umask so that my Unix machines and Macs were the same (which I did to keep git from constantly complaining about diffs). Before then, it had always just worked so I never gave it a second thought. :-)

    ...on
  3. Travis Dixon said...

    You might consider going one step further and adding the “from=“ option to the key stored on the server. This will add a little bit of security by making the now-bearer-instrument key only work form the known source(s). Doesn’t work for mobile use of course, but useful for static hosts.

    ...on
  4. Rob Wilkerson said...

    I’ve never used that option. I’m not so sure that I need that much security in this case, but it’s worth knowing. Thanks.

    ...on