Under normal circumstances, you can achieve password-free login by adding the key pair's public key to the ~/.ssh/authorized_keys file.
However, there may be unexpected situations. Recently, I encountered a problem where I still needed to enter a password even after confirming the configuration was correct. Here, I will record the troubleshooting process and sort out all possible situations.
Possible reasons for being unable to log in without a password
1. File and directory permission issues
Check the permissions of the target user's ~/.ssh directory and ~/.ssh/authorized_keys file (the examples here use an account named user). If the permissions are configured improperly, the SSH service may reject public key authentication.
Therefore, you must set ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.
# Execute on the home directory of the target user on the remote server
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
The ~ symbol points to the current user's home directory. If the root user wants to specify the corresponding file and directory for the user account, an absolute path must be used. In general, the absolute path of the user's home directory is /home/user/. If a data disk is bound, it may also be /data/home/user, depending on the specific situation.
2. SSH configuration file
This problem is easily overlooked. In general, the SSH configuration itself is not the cause. However, if you still cannot connect after confirming the permissions above, check the SSH configuration file /etc/ssh/sshd_config to ensure that the following settings are enabled:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
These two settings respectively enable public key authentication and specify the location of the public key file. After modifying them, you need to restart the sshd service.
sudo systemctl restart sshd
The restart command may vary depending on the system. If systemctl is not found, you can try sudo service sshd restart.
3. Permission issues with the user's home directory
If you want to use password-free login for the user account, you must ensure that its home directory is not writable by other users. If other users can write to the home directory, SSH may refuse the login because it considers the setup insecure. Therefore, the home directory should be restricted so that only the user can write to it.
chmod 755 /data/home/user
Log analysis
If all the above reasons have been checked and you still cannot log in without a password, check the SSH service's log, which may contain information about the login failure to help with diagnosis. For systemd systems (including Fedora, Ubuntu, Debian, CentOS/RHEL 7 and higher versions), you can use the following command:
sudo journalctl -u sshd
For example, when I was troubleshooting, I found the following content in the log:
-- Logs begin at Tue 2024-03-19 10:34:54 CST, end at Thu 2024-03-21 10:19:04 CST. --
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=1001, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=5003, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: Authentication refused: bad ownership or modes for directory /data/home/user
Mar 21 10:12:26 VMOS sshd[767031]: DBG|operate_common.h|55|MakeNslcdInteraction|action=80003, interaction ok
Mar 21 10:12:31 VMOS sshd[767031]: pam_tsso(sshd:auth): Authentication failure for user from xx.xx.xx.xx
You can see the line "Authentication refused: bad ownership or modes for directory /data/home/user", which means that the ownership or modes (permissions) of the user's home folder are incorrect and SSH access is denied.
Following the third point mentioned above, modifying the permissions of /data/home/user will solve the problem perfectly.
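The permission checks from points 1 and 3 can be run in one pass before digging through the logs. The script below is an added example, not part of the original post: it applies the rule behind the "bad ownership or modes" message (each path must be owned by the user or root and must not be writable by group or others) to the home directory, .ssh and authorized_keys. It assumes GNU stat (Linux); the function names check_path and audit_ssh_perms are hypothetical.

```shell
#!/bin/sh
# Added example: audit the paths whose ownership/modes make sshd refuse a key.
# Assumes GNU stat (Linux). Function names are hypothetical.

# check_path PATH UID: succeeds only if PATH is owned by UID or root
# and is not writable by group or others (mode & 022 == 0).
check_path() {
    p=$1; uid=$2
    info=$(stat -c '%u %a' "$p" 2>/dev/null) || { echo "MISSING   $p"; return 1; }
    owner=${info% *}; mode=${info#* }
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "BAD OWNER $p (uid $owner, expected $uid or 0)"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD MODE  $p ($mode is writable by group or others)"; return 1
    fi
    echo "OK        $p ($mode)"
}

# audit_ssh_perms HOME_DIR [UID]: checks the home directory, .ssh and
# authorized_keys; returns non-zero if any of them fails.
audit_ssh_perms() {
    home=$1; uid=${2:-$(id -u)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}

# Example: sudo sh audit.sh /data/home/user "$(id -u user)"
if [ $# -gt 0 ]; then audit_ssh_perms "$@"; fi
```

A home directory at 775 is reported as BAD MODE, which corresponds to the log line shown above; 755 on the home directory, 700 on .ssh and 600 on authorized_keys all pass.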