Re: ssh/dsa strange issue
On Thu, 2011-10-20 at 23:40 -0600, Bob Proulx wrote:
> Joao Ferreira Gmail wrote:
> > a) user jane on one system transfers her public DSA key to account john
> > at a given remote host. it works. jane accesses john's account without
> > typing a password.
> >
> > b) now the same user jane transfers her public DSA key to account mary
> > at the _same_ remote host. it does not work. she gets prompted for a
> > password (she gets access by typing mary's password)
> >
> > my guess is that there must be some difference between john and mary
> > accounts. I can not realise what it is (shell is bash on both).
>
> Usually people trip over permissions being too open. Assuming you
> are using /home try this to look at the permissions.
>
> $ ls -ld /home /home/mary /home/mary/.ssh /home/mary/.ssh/authorized_keys
> drwxr-xr-x 9 root root 4096 Feb 28 2011 /home
> drwxr-xr-x 126 mary mary 16384 Oct 20 23:17 /home/mary
> drwx-- 2 mary mary 4096 Sep 29 18:31 /home/mary/.ssh
> -rw-r--r-- 1 mary mary 809 Oct 28 2010 /home/mary/.ssh/authorized_keys

:) bull's eye :)

/home/mary was 775. changed it to 755 and it immediately worked.

Thank you
João

> All of those directories should be writable only by the owner and the
> owner should be mary. The typical problem is that people will have
> one of those files to be group writable. In that case sshd refuses
> the authorized_keys file due to the possibility that another user can
> write to the file.
>
> > Please find below the output of ssh -vvv for both situations.
>
> The verbose output of the sshd would be more helpful. Easiest to run
> it on another port temporarily.
>
> # /usr/sbin/sshd -d -p
>
> And then try to log into it on that other port.
>
> jane@localhost:~$ ssh -p localhost
>
> You might see an error like this one on the sshd server debug side:
>
> Authentication refused: bad ownership or modes for directory /home/mary
>
> Bob

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1319187918.2430.4.ca...@wheejy.critical.pt

Re: ssh/dsa strange issue
On Thu, Oct 20, 2011 at 07:39:16PM BST, Joao Ferreira Gmail wrote:
> a) user jane on one system transfers her public DSA key to account john
> at a given remote host. it works. jane accesses john's account without
> typing a password.

Since you got the answer to your problems, the only thing I can add is to
suggest you use RSA keys instead of DSA ones[0].

[0] http://www.debian.org/doc/manuals/debian-reference/ch06.en.html#_connecting_without_remote_passwords

Regards,
Raf

Re: ssh/dsa strange issue
Joao Ferreira Gmail wrote:
> a) user jane on one system transfers her public DSA key to account john
> at a given remote host. it works. jane accesses john's account without
> typing a password.
>
> b) now the same user jane transfers her public DSA key to account mary
> at the _same_ remote host. it does not work. she gets prompted for a
> password (she gets access by typing mary's password)
>
> my guess is that there must be some difference between john and mary
> accounts. I can not realise what it is (shell is bash on both).

Usually people trip over permissions being too open. Assuming you
are using /home try this to look at the permissions.

$ ls -ld /home /home/mary /home/mary/.ssh /home/mary/.ssh/authorized_keys
drwxr-xr-x 9 root root 4096 Feb 28 2011 /home
drwxr-xr-x 126 mary mary 16384 Oct 20 23:17 /home/mary
drwx-- 2 mary mary 4096 Sep 29 18:31 /home/mary/.ssh
-rw-r--r-- 1 mary mary 809 Oct 28 2010 /home/mary/.ssh/authorized_keys

All of those directories should be writable only by the owner and the
owner should be mary. The typical problem is that people will have
one of those files to be group writable. In that case sshd refuses
the authorized_keys file due to the possibility that another user can
write to the file.

> Please find below the output of ssh -vvv for both situations.

The verbose output of the sshd would be more helpful. Easiest to run
it on another port temporarily.

# /usr/sbin/sshd -d -p

And then try to log into it on that other port.

jane@localhost:~$ ssh -p localhost

You might see an error like this one on the sshd server debug side:

Authentication refused: bad ownership or modes for directory /home/mary

Bob
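
Added example, not part of the original thread: a POSIX shell check that approximates the ownership and mode test behind the "bad ownership or modes" refusal discussed above (sshd applies it when StrictModes is on, which is the default). The function name check_key_path and the temporary demo tree are constructed for illustration; it is a simplified approximation, not sshd's own code.

```shell
#!/bin/sh
# check_key_path HOME_DIR USER_OR_UID
# Walks the same chain the thread inspects with ls -ld: the home directory,
# ~/.ssh and ~/.ssh/authorized_keys. Each must be owned by the account
# (or by root) and must not be writable by group or others.
# Prints one line per problem; returns 0 only when the whole chain is clean.
check_key_path() {
    home=$1 user=$2 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        # -prune keeps find on the named path only (no descent into it).
        # -perm -020 / -perm -002 match a set group-write / other-write bit.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "BAD MODE $p"; rc=1
        fi
        # Owner must be the account itself or uid 0.
        if [ -n "$(find "$p" -prune ! -user "$user" ! -user 0 -print)" ]; then
            echo "BAD OWNER $p"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree (not a real account). The home directory starts at
# 775, the mode reported in the thread, and is then tightened to 755.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"
chmod 644 "$demo/.ssh/authorized_keys"

chmod 775 "$demo"
check_key_path "$demo" "$(id -u)" || echo "-> chain rejected (group-writable home)"

chmod 755 "$demo"
check_key_path "$demo" "$(id -u)" && echo "-> chain accepted"

rm -rf "$demo"
```

On a real host, run it as root against the affected account, for example `check_key_path /home/mary mary`.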