Fix broken SSH Public Key Authentication UNIX
Ever since I learned of SSH, I have wanted to set it up so that I could automatically run remote commands (like rsync) on the other Macs on our home network. The proper way to do this, of course, is with passphrase-free public key authentication. But try as I might, I simply could not convince SSH to use public key authentication! Eventually I discovered the reason in an obscure mailing list: If permissions are set incorrectly on the home directory, SSH will refuse perfectly good authentication keys.

The solution: open Terminal and type the following, which removes group write permission from your home directory:

chmod g-w ~/

SSH is now entirely happy to authenticate using keys.

[robg adds: Running Disk Utility's permissions repair should also fix home folder permissions, though I'm not 100% positive about that.]

Fix broken SSH Public Key Authentication | 10 comments
Fix broken SSH Public Key Authentication
Authored by: Coumerelli on Sep 25, '07 08:00:57AM

Robg, as the great Yogi Berra once said, "In theory, theory and practice are the same. In practice, they are not." ;)

And Sesquipedalian, thanks for the link to Stocksy.

---
"The best way to accelerate a PC is 9.8 m/s2"



Fix broken SSH Public Key Authentication
Authored by: vykor on Sep 25, '07 08:28:10AM
In StrictMode configuration, SSH imposes permission requirements on the home directory, ~/.ssh, as well as the key file itself. None of these directories should be set to writeable by anyone except owner. The reason is that if any of these is writeable, someone else can simply blow away the enclosing directory, re-establish the directory structure, and put his own key in ~/.ssh/authorized_keys.

Fix broken SSH Public Key Authentication
Authored by: dbs on Sep 25, '07 08:33:01AM

You'll also see a warning that this is the problem if you check the ssh log. I'm not sure exactly where OS X keeps this, though. On linux machines it's /var/log/security. On OS X it may be in the system log visible with the Console application.



Fix broken SSH Public Key Authentication
Authored by: ejensen on Sep 25, '07 09:41:37AM

I had a similar issue with one of my Macs and discovered eventually that dsa passkey authentication was disabled since in sshd_config a setting was:
DSAAuthentication no

This needed to be set to 'yes'. As was pointed out to me in the forums, using the -v (verbose) switch with ssh gives some useful information.



Fix broken SSH Public Key Authentication
Authored by: jmcollis on Sep 25, '07 03:10:09PM
Actually, passphraseless key-based authentication is not secure. Anyone who can get access to (read: steal) your private key can get access to all the machines you have put the public key on. The best way is to use a passphrase on your private key and then use a key agent when you are logged in. For Mac OS X one of the best utilities to help with this is SSHKeychain (http://www.sshkeychain.org), as it integrates a key agent and leverages the OS X keychain subsystem to help store your passphrase securely.

Fix broken SSH Public Key Authentication
Authored by: amusingfool on Sep 25, '07 08:12:19PM

Not only must the directory only be writable by you, but the private keys also need to be able to be read only by you.

I'd also echo what was said about passphrase-less keys. That's a bad way to go. Look into ssh-agent(1), and use that so that you only need to type it in once when you login.



Fix broken SSH Public Key Authentication
Authored by: matt.simerson on Sep 25, '07 09:25:42PM
Simply doing a chmod g-w will only fix one type of permission problem that sshd may have. Since nobody has posted the correct permissions and how to set them, that information is as follows:

chmod 755 ~
chmod 700 ~/.ssh

Should you encounter sshd issues in the future, a much easier solution to discovering why sshd isn't playing nice is to watch the log file:

sudo tail -F /var/log/secure.log

and then attempt to log in. If there's a problem, sshd will tell you what it is.

Finally, using ssh keys without passwords is a poor practice. If someone is able to get your private key, they now have access to all the systems you have installed the public key on. There are several good ways to use ssh-agent on your mac, which relieves the burden of typing your password in every time you authenticate. I've even got a ssh-agent startup script for Mac OS that makes it quite painless.

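Pulling together vykor's point about StrictModes, amusingfool's note that private keys must be readable only by you, and matt's two chmod lines, here is an added shell example (my code, not from any of the commenters) that reports the offending modes and applies the fix. It reads modes with ls -ld rather than stat so it runs on both OS X and Linux; treating every non-.pub file in ~/.ssh other than authorized_keys, known_hosts and config as a private key is a heuristic.

```shell
#!/bin/sh
# Added example (not from the hint or its comments): audit and repair the
# permissions that sshd's StrictModes checks before honouring a key.

# mode_of PATH -> 10-character mode string such as drwxr-xr-x (ls, not stat, for portability)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_ssh_perms HOME_DIR -> prints one line per problem; returns 0 only when clean
check_ssh_perms() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        case "$(mode_of "$p")" in
            ?????w*|????????w*)              # column 6 = group write, column 9 = other write
                echo "writable by group or others: $p"
                problems=$((problems + 1)) ;;
        esac
    done
    for k in "$home"/.ssh/*; do              # heuristic: other non-.pub files are private keys
        [ -f "$k" ] || continue
        case "$k" in *.pub|*/authorized_keys|*/known_hosts|*/config) continue ;; esac
        case "$(mode_of "$k")" in
            -rw-------|-r--------) ;;        # owner-only, as sshd requires for private keys
            *) echo "private key readable by others: $k"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# fix_ssh_perms HOME_DIR -> applies the modes from the comment above, plus owner-only files
fix_ssh_perms() {
    chmod 755 "$1"                           # chmod 755 ~
    chmod 700 "$1/.ssh"                      # chmod 700 ~/.ssh
    for f in "$1"/.ssh/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$f" ;;         # public halves may stay world-readable
            *)     chmod 600 "$f" ;;         # private keys, authorized_keys, config
        esac
    done
}

check_ssh_perms "$HOME" || echo "problems found; run: fix_ssh_perms \"$HOME\""
```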
Fix broken SSH Public Key Authentication
Authored by: Sesquipedalian on Sep 25, '07 10:00:20PM

Ah, thanks for the tip, matt!

Your script looks useful. I may try it to ease using ssh from work to home. Thanks again.



Fix broken SSH Public Key Authentication
Authored by: Sesquipedalian on Sep 25, '07 09:48:26PM
While ssh-agent and sshkeychain are helpful in reducing the amount of user interaction substantially, the fact that they still require user interaction limits their usefulness for automated tasks such as mine. Instead, I use a combination of IP-based and command-restriction-based methods to ensure that only specific tasks run by specific users on specific machines can happen without a passphrase. First, to quote stocksy's page, one can specify specific users and IP addresses in sshd_config:
Alternatively, you could format the line like this if you know the IPs that require remote access: AllowUsers tom@194.202.218.1 dick@stocksy.is-a-geek.com harry@18.51.1.222
And then, as shown on Mike Bombich's page on this, one can modify the authorized_keys file to only allow specific commands to execute with a given key by adding the following to the beginning of the line that contains that given public key:
command="/path/to/allowed/command"
Since I am running this only within my home network, which is secured against the outside, I can completely control which IP addresses are allowed. Thus, any would-be attacker would need to be logged into either my or my wife's account (which means they already have access to our files) on one of our home computers (which means they are most likely in our house, and I have larger problems to worry about), and have devised an attack that can work through rsync (since that is the permitted command). By the time all those conditions are fulfilled, having ssh keys without passphrases is a moot point.

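An added shell example (mine, not from Sesquipedalian's comment or the pages it cites) that audits an authorized_keys file for keys missing the command="..." restriction described above and the per-key from="..." option, which is the authorized_keys counterpart of the AllowUsers IP restriction quoted from stocksy's page. The sample file and its placeholder key blobs are constructed, and the assumed line format is [options] keytype blob [comment].

```shell
#!/bin/sh
# Added example (not from the comment above): audit an authorized_keys file for
# keys lacking the command="..." and from="..." restrictions. Assumed line format:
#   [options] keytype base64-blob [comment]   (options may hold quoted spaces)

# options_of LINE -> the options prefix, or "" when the line begins with the key type
options_of() {
    case "$1" in
        ssh-*|ecdsa-*|sk-*) o="" ;;
        *) o=${1%% ssh-*}                          # cut at the first " ssh-" ...
           if [ "$o" = "$1" ]; then o=${1%% ecdsa-*}; fi   # ... or " ecdsa-"
           ;;
    esac
    printf '%s\n' "$o"
}

# audit_authorized_keys FILE -> one report line per key; returns 0 only if every
# key carries both command= and from=
audit_authorized_keys() {
    n=0; unrestricted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # blank or comment line
        n=$((n + 1))
        opts=$(options_of "$line")
        cmd=no; from=no
        case "$opts" in *command=\"*) cmd=yes ;; esac
        case "$opts" in *from=\"*) from=yes ;; esac
        if [ "$cmd" = no ] || [ "$from" = no ]; then
            unrestricted=$((unrestricted + 1))
        fi
        printf 'key %d: command=%s from=%s\n' "$n" "$cmd" "$from"
    done < "$1"
    [ "$unrestricted" -eq 0 ]
}

# write_sample_keys FILE -> constructed sample; the key blobs are placeholders, not real keys
write_sample_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER laptop, no restrictions
from="192.168.1.20",command="/usr/bin/rsync --server --sender . /Users/shared/",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER rsync from the desktop
command="/usr/local/bin/backup.sh" ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER backup, missing from=
EOF
}

f=$(mktemp); write_sample_keys "$f"
audit_authorized_keys "$f" || echo "some keys are unrestricted"
rm -f "$f"
```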
Debugging broken SSH Public Key Authentication
Authored by: kholburn on Sep 26, '07 12:23:26PM
The simplest way is to log in like this:

ssh -vvvv <user>@<host.domain>
You should get lots of error messages.

You should put a password on your key then use an agent. It is not secure to have a key without a password.

The best agent I have found for MacOS X is SSHKeychain http://www.sshkeychain.org which acts like a unix ssh-agent but uses the MacOS Keychain and also turns off when the screen saver cuts in and turns back on when the screen saver is off.


