When SSH Public Key Authentication Fails

I’m no Sys Admin, but I connect to enough Unix machines often enough that enabling public key authentication is a real time saver. For those who may not know, public key authentication allows a user to log in to another machine via SSH without a password. I’ve written a bit more about the technique itself in my archive. The other day, in the course of setting up authentication for several machines at work, I noticed that it worked for most of the machines but failed for a few others. After spending a little over an hour checking and double checking the files in my ~/.ssh directory, I spent another hour comparing files on the machines that weren’t working with the ones that were. Everything was precisely the same.

Except that it wasn’t. Evidently I neglected to read my own earlier post, specifically step 5. I had no idea that permissions were such a hot button, but it makes sense. The permissions on my ~/.ssh/authorized_keys file were 664. The boxes wouldn’t let me log in because the file was writeable by someone other than me (at least in principle). As soon as I changed the permissions to 644, I was able to connect just fine.

Of course, I realize that this is by design and a very good thing, but I wasn’t expecting it so I stumbled over it.
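
The behaviour described above comes from sshd's StrictModes option, which is on by default and rejects key files when the home directory, ~/.ssh or authorized_keys is writable by group or others. The following is an added example, not code from the original post: a small POSIX shell check for those write bits. The function names are made up for illustration, and file ownership (which sshd also checks) is not covered.

```shell
#!/bin/sh
# Added example: list the paths that would make sshd (StrictModes yes)
# ignore authorized_keys because they are group- or world-writable.
# Function names are hypothetical; ownership is not checked here.

# writable_by_others PATH
# Succeeds (exit 0) when PATH has the group-write or other-write bit set.
# find -prune keeps the test on PATH itself instead of descending into it.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# check_ssh_perms HOME_DIR
# Prints one line per offending path and returns how many were found,
# so a return status of 0 means the write bits are acceptable.
check_ssh_perms() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue          # missing paths are skipped
        if writable_by_others "$p"; then
            echo "too permissive: $p"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Typical use on the machine you are trying to log in to:
#   check_ssh_perms "$HOME" || echo "fix with: chmod go-w <path>"
```

A mode of 664 on authorized_keys is reported, while 644 or 600 passes.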

API Authentication Model

So I’m in the process of modeling a few applications that will include a fairly rich set of APIs and I had some time to spend really thinking through how I want to design the authentication model. After thinking about it for a while, I decided that, well, I can’t decide. As a result, I thought I’d call on any collective wisdom I can gather and see what others are doing and, perhaps more importantly, why.

First, let me state that these applications are not DoD (Department of Defense) grade applications. We need something stronger than security through obscurity and something (significantly) less than national security cryptography.