Vincent Ko

VK's Blog

SSH Troubleshooting Guide for Passwordless Login

Under normal circumstances, you can set up passwordless login by adding the public key of your key pair to the ~/.ssh/authorized_keys file.

However, there may be unexpected situations. Recently, I encountered a problem where I still needed to enter a password even after confirming the configuration was correct. Here, I will record the troubleshooting process and sort out all possible situations.

Possible reasons passwordless login fails

1. File and directory permission issues

Check the permissions of the ~/.ssh directory and the ~/.ssh/authorized_keys file for the target user. If the permissions are improperly configured, the SSH service may reject the key.

Therefore, you must set ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.

# Execute on the home directory of the target user on the remote server
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

The ~ symbol points to the current user's home directory. If the root user wants to specify the corresponding configuration file and directory for the user, an absolute path must be used. In general, the absolute path of the user directory is /home/user/. If a data disk is bound, it may also be in /data/home/user, depending on the specific situation.

2. SSH configuration file

This problem is easily overlooked. In general, the SSH configuration is not the cause. However, if you still cannot connect after confirming the permissions above, check the SSH configuration file /etc/ssh/sshd_config to ensure that the following settings are enabled:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

These two settings respectively enable public key authentication and specify the location of the public key file. After modifying them, you need to restart the sshd service.

sudo systemctl restart sshd

The restart command may vary depending on the system. If systemctl is not found, you can try sudo service sshd restart.

3. Permission issues with the user's home directory

If you want to use passwordless login for the user, you must ensure that the user's home directory is not writable by other users. If other users can write to the home directory, SSH may consider it insecure and refuse the login. Therefore, the home directory should be restricted so that only the user can write to it.

chmod 755 /data/home/user

Log analysis

If you have checked all of the above and still cannot log in without a password, look at the SSH service's log, which may contain information about the login failure to help with diagnosis. On systemd systems (including Fedora, Ubuntu, Debian, CentOS/RHEL 7 and higher versions), you can use the following command:

sudo journalctl -u sshd

For example, when I was troubleshooting, I found the following content in the log:

-- Logs begin at Tue 2024-03-19 10:34:54 CST, end at Thu 2024-03-21 10:19:04 CST. --
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=1001, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=5003, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: Authentication refused: bad ownership or modes for directory /data/home/user
Mar 21 10:12:26 VMOS sshd[767031]: DBG|operate_common.h|55|MakeNslcdInteraction|action=80003, interaction ok
Mar 21 10:12:31 VMOS sshd[767031]: pam_tsso(sshd:auth): Authentication failure for user from xx.xx.xx.xx

You can see the sentence "Authentication refused: bad ownership or modes for directory /data/home/user", which means that the modes (permissions) of the user folder are incorrect and SSH access is denied.

Following the third point mentioned above, modifying the permissions of /data/home/user will solve the problem perfectly.
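
The permission checks from points 1 and 3 can be run in one pass before reading the logs. The script below is an added example, not part of the original post; it assumes GNU stat (Linux) and sshd's default StrictModes behaviour, and the function name check_ssh_perms is hypothetical. It goes slightly beyond the exact modes above: it flags any of the three paths that is group- or other-writable, or owned by someone other than the login user or root, which is the condition behind the "bad ownership or modes" message.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (Linux).
#
# usage: check_ssh_perms <home_dir> <numeric_uid>
#   e.g. check_ssh_perms /data/home/user "$(id -u user)"
# Prints one line per path; exit status is 0 only if every path is acceptable.
# The body runs in a subshell "( ... )" so its variables stay local.
check_ssh_perms() (
    home=$1
    uid=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            rc=1
            continue
        fi
        mode=$(stat -L -c '%a' "$p")    # octal permission bits, e.g. 755
        owner=$(stat -L -c '%u' "$p")   # numeric uid of the owner
        problems=""
        # The owner must be the login user or root.
        if [ "$owner" -ne "$uid" ] && [ "$owner" -ne 0 ]; then
            problems="BAD-OWNER($owner)"
        fi
        # Any group or other write bit (octal mask 022) is rejected.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            problems="${problems:+$problems,}BAD-MODE($mode)"
        fi
        if [ -n "$problems" ]; then
            rc=1
            echo "$problems $p"
        else
            echo "OK $p"
        fi
    done
    [ "$rc" -eq 0 ]
)
```

Run it as root or as the target user on the server; a BAD-MODE or BAD-OWNER line names the path to fix with chmod or chown.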
