SSH Authentication and Directory Permissions

Running sshd in the foreground can be an effective way to debug ssh problems. In the following example, a user was unable to access a remote system using ssh keys. Running sshd in debug mode provided a quick resolution. Both source and target systems were Solaris, but the same method applies equally to Linux.

The user had set up an ssh key pair to allow passwordless login. However, he could not ssh into the target without being asked for a password, even though his ssh files were all in order.

Using ssh -vvv on the source machine showed that the public key was being offered but was not accepted. The client simply continued trying the other authentication methods, eventually asking for the user’s unix password.

$ ssh -vvv pluto
...
debug1: Offering public key: /home/fred/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
...

Leaving production system “pluto” well alone, I found a spare server for testing, killed sshd and restarted it in the foreground with much debug turned on:

# svcadm disable svc:/network/ossh:default
# /usr/local/sbin/sshd -ddd

Warning: Care should be taken with killing the sshd service, as it is easy to lock yourself out of a system. Existing ssh sessions will continue to run without sshd, but opening new ones is not possible.

Attempting to ssh in as the user revealed the problem: sshd refuses public-key authentication if the permissions on your home directory are too loose.

debug1: trying public key file /home/fred/.ssh/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug3: secure_filename: checking '/home/fred/.ssh'
debug3: secure_filename: checking '/home/fred'
Authentication refused: bad ownership or modes for directory /home/fred
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 10484/1080 (e=0/0)
debug1: trying public key file /home/fred/.ssh/authorized_keys
debug1: fd 5 clearing O_NONBLOCK
debug3: secure_filename: checking '/home/fred/.ssh'
debug3: secure_filename: checking '/home/fred'
Authentication refused: bad ownership or modes for directory /home/fred
debug1: restore_uid: 0/0
Failed publickey for fred from 123.123.123.123 port 33808 ssh2

I changed the user’s home directory permissions from 775 to 755 to fix the problem:

pluto# chmod 755 /home/fred

Done.
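The refusal above comes from sshd's secure_filename check, which walks from authorized_keys up through every parent directory to the home directory and rejects any that is not owned by the user (or root) or is group/world-writable; 775 is group-writable, 755 is not. The following is an added example, not code from the post, that reproduces that walk in Python against a constructed throwaway home directory so the two modes can be compared offline:

```python
import os
import stat
import tempfile
from pathlib import Path


def secure_filename(path: str, uid: int, home: str) -> tuple[bool, str]:
    """Approximate sshd's secure_filename() check (StrictModes yes).

    The file and every directory from it up to the home directory (or '/')
    must be owned by uid or root and must not be group- or world-writable.
    Returns (ok, reason) where reason mirrors sshd's wording on failure.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, f"{path} is not a regular file"
    if st.st_uid not in (uid, 0) or st.st_mode & 0o022:
        return False, f"bad ownership or modes for file {path}"
    home = os.path.realpath(home)
    d = os.path.realpath(path)
    while True:
        d = os.path.dirname(d)          # climb one directory at a time
        st = os.stat(d)
        if st.st_uid not in (uid, 0) or st.st_mode & 0o022:
            return False, f"bad ownership or modes for directory {d}"
        if d == home or d == "/":       # stop once the home dir is checked
            return True, "ok"


def demo(home_mode: int) -> tuple[bool, str]:
    """Build a constructed sample home (not a real account) with the given
    mode on the home directory itself, then run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "fred")
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        Path(keys).write_text("# placeholder, not a real key\n")
        os.chmod(keys, 0o600)
        os.chmod(ssh_dir, 0o700)
        os.chmod(home, home_mode)
        return secure_filename(keys, os.getuid(), home)


if __name__ == "__main__":
    for mode in (0o775, 0o755):
        print(f"{mode:o}: {demo(mode)}")
```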
