Analysis and Solutions for SSH Public Key Authentication Failures

Keywords: SSH authentication | Public key configuration | Permission issues

Abstract: This paper provides an in-depth analysis of common permission configuration issues in SSH public key authentication processes. Through detailed debug log parsing and comprehensive permission setting guidance, it helps users resolve the problem where password input is still required after configuring the authorized_keys file. The article combines specific case studies to offer complete permission checking and repair procedures, ensuring proper functioning of SSH public key authentication.

Problem Background and Symptoms

When configuring SSH public key authentication, users often encounter situations where the system still prompts for a password when executing the ssh localhost command, even after correctly adding the public key to the ~/.ssh/authorized_keys file. This phenomenon is typically related to improper file permission configurations rather than issues with the public key itself.

Debug Log Analysis

Detailed debugging information can be obtained through the ssh -v localhost command. From the provided logs, the authentication process goes through the following key steps:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/john/.ssh/identity
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>

The logs indicate that the server accepts the public key authentication method, but encounters a PEM_read_PrivateKey failed error when reading the private key. This suggests that the issue might lie with the private key file's permissions or format, but more commonly, it's caused by overly permissive permission settings on the authorized_keys file or its parent directories.

Permission Configuration Requirements

SSH services have strict security requirements for file and directory permissions. If permission settings are inappropriate, the SSH service will refuse to use public key authentication for security reasons.

The correct permission configurations are as follows:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

These commands set the .ssh directory to be readable, writable, and executable only by the owner (700), and set the authorized_keys file to be readable and writable only by the owner (600).

Extended Permission Checks

In addition to the .ssh directory and authorized_keys file, the permissions of the user's home directory also need to be checked. If the home directory has write permissions open to groups or other users, the SSH service will similarly refuse public key authentication.

The command to fix home directory permissions:

chmod go-w ~

This command removes write permissions for groups and other users from the home directory, ensuring that only the file owner can modify directory contents.

Complete Solution

Based on practical case experience, the complete permission repair process should include:

Check and fix home directory permissions: chmod go-w ~
Check and fix .ssh directory permissions: chmod 700 ~/.ssh
Check and fix authorized_keys file permissions: chmod 600 ~/.ssh/authorized_keys
Verify private key file permissions (if present): chmod 600 ~/.ssh/id_rsa (or other private key files)
Retest SSH connection: ssh localhost

Technical Principle Analysis

The strict permission requirements of SSH services stem from security considerations. Overly permissive permissions may allow other users to modify authentication files, thereby gaining unauthorized access. Specifically:

If .ssh directory permissions are too permissive, other users might be able to add or delete files within it
If the authorized_keys file is writable by other users, attackers can add their own public keys
If the home directory is writable by other users, attackers might be able to replace the entire .ssh directory

Therefore, when the SSH service detects insecure permission configurations, it will force a fallback to password authentication or directly refuse the connection.

Common Error Troubleshooting

When configuring SSH public key authentication, in addition to permission issues, attention should be paid to the following common errors:

Public key format errors: Ensure the public key is in single-line format without extra spaces or line breaks
Incorrect file ownership: Ensure all relevant files have the correct user as owner
SSH service configuration: Check the AuthorizedKeysFile configuration in /etc/ssh/sshd_config
SELinux or AppArmor restrictions: In some systems, security modules may restrict file access

Conclusion

SSH public key authentication failures are typically caused by improper file permission configurations. Through systematic permission checking and repair, most authentication issues can be resolved. Proper permission configuration is not only a functional requirement but also an important security practice. It is recommended to use the ssh -v command for verification after each SSH public key authentication configuration to ensure the authentication process works as expected.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.