
Thread: ssh public key authentication only works when already logged in

  1. #1
    Join Date
    Jun 2006
    Location
    Planet yeah!
    Beans
    6
    Distro
    Ubuntu 10.04 Lucid Lynx

    ssh public key authentication only works when already logged in

    Hi!

    I have an ssh (OpenSSH_5.1p1 Debian-6ubuntu2) client A and a server B set up for public key authentication as described in https://help.ubuntu.com/community/SSH/OpenSSH/Keys.

    The problem is the following: ssh asks for a password when connecting from A to B without any other ssh session going on between A and B; but if I connect from A to B whenever there is another ssh session between A and B, either I get prompted for the passphrase I used to encrypt the private key or I get logged automatically.

    I already checked permissions on B: .ssh is 700 and authorized_keys is 600. I already tried "StrictModes no" in sshd_config. Printing debug information using DEBUG3 does not give any useful insight. Moreover, there is no /var/log/secure (is it supposed to be there?)

    Right now the computer is far far away from my reach, but when I configured the system I noted that whenever I was locally logged to B and then ssh'ed from A to B, I was logged in without any problem; whenever I was not logged in locally I was asked for a password. Note that at that time I was using a different public/private key pair whose private part had no passphrase.

    Any help will be greatly appreciated.

    P.S. Can anyone tell me how to know exactly what cipher is ssh/sshd using for a particular session? Is there a way to know any statistics for a given session (something like the ~s option in section 5 of http://www.thegeekstuff.com/2008/05/...mmands/#more-3)?

    P.S. 2: does the following mean that ssh is using protocol 2.0 or something different than protocol 2.0?

    (..........) sshd[2606]: debug1: Enabling compatibility mode for protocol 2.0

    Many thanks.
    Last edited by mrrusof; January 7th, 2010 at 02:30 PM. Reason: missing question mark

  2. #2
    Join Date
    Sep 2006
    Beans
    8,292
    Distro
    Ubuntu 14.04 Trusty Tahr

    encrypted home directories

    If the target machine is using an encrypted home directory, then the authorized keys will have to be kept somewhere else.

  3. #3
    Join Date
    Jun 2006
    Location
    Planet yeah!
    Beans
    6
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: ssh public key authentication only works when already logged in

    Indeed. Will confirm as soon as I fix it.

  4. #4
    Join Date
    Sep 2006
    Beans
    8,292
    Distro
    Ubuntu 14.04 Trusty Tahr

    changing the default location for authorized_keys

    The default is for sshd to look for %h/.ssh/authorized_keys, where %h is converted to the user's home directory. But that file won't be available until a successful login makes the encrypted directory available, and that is not possible until the authorized_keys file is read and used for login. The user's login name can be abbreviated in sshd_config using %u.

    In sshd_config:

    Code:
    AuthorizedKeysFile	/var/openssh/%u/.ssh/authorized_keys

    One way to prep the new locations below. It might be a good idea to leave a note in the usual default location pointing to the new location, just as a form of insurance in case people forget where to put their keys.

    Code:
    # Create the per-user key directory outside the encrypted home directory
    sudo mkdir -m 0700 -p /var/openssh/fred/.ssh/

    # Create an empty authorized_keys file
    sudo touch /var/openssh/fred/.ssh/authorized_keys

    # Make the key file readable and writable by its owner only
    sudo chmod 0600 /var/openssh/fred/.ssh/authorized_keys

    # Hand ownership of the whole tree to the user
    sudo chown -R fred:fred /var/openssh/fred/

  5. #5
    Join Date
    Jun 2006
    Location
    Planet yeah!
    Beans
    6
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: ssh public key authentication only works when already logged in

    I just

    1) copied /home/myuser/.ssh/authorized_keys to /etc/ssh/myuser/authorized_keys, the owner of /etc/ssh/myuser/ and /etc/ssh/myuser/authorized_keys being root and set permissions to 755 and 644 respectively.

    2) set in sshd_config AuthorizedKeysFile to /etc/ssh/%u/authorized_keys

    Does this sound good?

  6. #6
    Join Date
    Jun 2006
    Location
    Planet yeah!
    Beans
    6
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: ssh public key authentication only works when already logged in

    I mean, it works, but do you see any bad practice involved?

  7. #7
    Join Date
    Jun 2006
    Location
    Planet yeah!
    Beans
    6
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: ssh public key authentication only works when already logged in

    I have a new problem:

    After setting "PasswordAuthentication" to "no" in sshd_config and rebooting the server I can log in with my private key, but my home folder does not get mounted properly.

  8. #8
    Join Date
    Sep 2006
    Beans
    8,292
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: ssh public key authentication only works when already logged in


  9. #9
    Join Date
    Jul 2007
    Location
    South San Francisco, CA
    Beans
    400
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: changing the default location for authorized_keys

    Originally posted by Lars Noodén:
    The default is for sshd to look for %h/.ssh/authorized_keys, where %h is converted to the user's home directory. But that file won't be available until a successful login makes the encrypted directory available, and that is not possible until the authorized_keys file is read and used for login. The user's login name can be abbreviated in sshd_config using %u.

    In sshd_config:

    Code:
    AuthorizedKeysFile	/var/openssh/%u/.ssh/authorized_keys

    One way to prep the new locations below. It might be a good idea to leave a note in the usual default location pointing to the new location, just as a form of insurance in case people forget where to put their keys.

    Code:
    # 
    sudo mkdir -m 0700 -p /var/openssh/fred/.ssh/
    
    #
    sudo touch /var/openssh/fred/.ssh/authorized_keys
    
    #
    sudo chmod 0600 /var/openssh/fred/.ssh/authorized_keys
    
    #
    sudo chown -R fred:fred /var/openssh/fred/

    +1 I just discovered this by accident. Obviously it makes sense that, in order to read the public key, first the encrypted directory containing the public key must be decrypted.


    Thanks for the solution.
    Laptop: CPU: Intel i5 430m RAM: 4gb DDR3 GPU: Ethernet: Broadcom BCM57780 WiFi: Atheros AR928X
    Desktop:

  10. #10
    Join Date
    Feb 2007
    Location
    The Netherlands
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: ssh public key authentication only works when already logged in

    I realize these hints are over a year old, so I was wondering what changed?

    I am having this problem, but after the changes, "Server refused our key" all the time.

    One change I noticed is that the config file is relocated to:
    /etc/ssh/sshd_config

    Code:
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys
    # RED 2011-08-17 Relocate a_keys for encrypted homes
    AuthorizedKeysFile      /var/openssh/%h/.ssh/authorized_keys

    .ssh is 700 and authorized_keys is 600, but no dice.

    Anything new I need to know about to fix this?
    Note that the original %h/.ssh/authorized_keys entry was commented out by default (on Ubuntu 10.04 LTS), but it's the correct path to the file used by default.
    Last edited by Redsandro; August 17th, 2011 at 05:04 PM.
    Windows 7 for Media Production, Ubuntu 12.04/Cinnamon for other work.
    Xubuntu 12.04 as Media Center, CentOS 5.6 as server.
    Linux Mint on my casual laptop, Maemo 5 on my Nokia N900.
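
Added example, not part of any post in this thread: shell functions that resolve each AuthorizedKeysFile pattern quoted above using the token meanings given in post #4 (%h is the home directory, %u the login name), then apply a simplified owner and mode check in the spirit of StrictModes. The function names, the stop_dir argument and the sample home /home/fred are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; function names, stop_dir and the sample user are illustrative.

# Expand AuthorizedKeysFile tokens: %h = home directory, %u = login name,
# %% = literal '%'. Usage: expand_akf PATTERN USER HOME
expand_akf() {
    pattern=$1 out=
    while [ -n "$pattern" ]; do
        case $pattern in
            %%*) out="$out%";  pattern=${pattern#'%%'} ;;
            %h*) out="$out$3"; pattern=${pattern#'%h'} ;;
            %u*) out="$out$2"; pattern=${pattern#'%u'} ;;
            *)   rest=${pattern#?}; first=${pattern%"$rest"}
                 out="$out$first"; pattern=$rest ;;
        esac
    done
    # A path still relative after expansion is taken relative to the home directory.
    case $out in /*) ;; *) out="$3/$out" ;; esac
    printf '%s\n' "$out"
}

# Simplified approximation of the StrictModes idea (assumption, not sshd code):
# the key file and every parent up to STOP_DIR must be owned by root or UID
# and must not be group- or world-writable. Usage: path_is_safe FILE UID STOP_DIR
path_is_safe() {
    p=$1
    while :; do
        st=$(stat -c '%a %u' "$p" 2>/dev/null) || { echo "missing: $p"; return 1; }
        mode=${st% *} owner=${st#* }
        [ "$owner" = 0 ] || [ "$owner" = "$2" ] || { echo "bad owner: $p"; return 1; }
        case $mode in
            *[2367]?|*[2367]) echo "group/world-writable: $p ($mode)"; return 1 ;;
        esac
        if [ "$p" = "$3" ] || [ "$p" = / ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# Patterns quoted in the thread, expanded for the constructed user fred.
for pat in '%h/.ssh/authorized_keys' '/var/openssh/%u/.ssh/authorized_keys' \
           '/var/openssh/%h/.ssh/authorized_keys' '/etc/ssh/%u/authorized_keys'; do
    printf '%-40s -> %s\n' "$pat" "$(expand_akf "$pat" fred /home/fred)"
done
```

The third pattern resolves to /var/openssh//home/fred/.ssh/authorized_keys, which is not the directory created by the mkdir command in post #4.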
