Key-based Authentication Not Working After ssh-copy-id

Arit Amana ・2 min read

I recently provisioned an Ubuntu virtual private server (VPS) on Vultr. I'm partial to CentOS myself, but the task I was working on recommended Ubuntu. To set up key-based authentication from my laptop to the server, I generated a new SSH keypair (named "ubuntu") on my Mac using the command: ssh-keygen -t rsa -b 4096. Next I used the ssh-copy-id utility to copy my public key over to the authorized_keys file on my Vultr VPS:

ssh-copy-id -i .ssh/ubuntu aritdev@123.456.789.000

As I expected, the utility asked for my VPS password in order to complete the public key transfer. When all was done, I attempted to log in to my VPS. It should have let me through without requiring a password:

ssh -i .ssh/ubuntu aritdev@123.456.789.000

But I kept getting prompted for a password 🤨 I checked my authorized_keys file over on the VPS to make sure my public key had been copied over correctly. Check. I made sure that the file was read-write only for myself and no one else. Check. I made sure that the following options were enabled in /etc/ssh/sshd_config:

PubkeyAuthentication  yes
AuthorizedKeysFile .ssh/authorized_keys

Still, I kept getting prompted for a password upon login from my laptop. After a few minutes on StackOverflow, I learned about Encrypted Home Directories, which are default in some environments, including Ubuntu. Encrypted home directories aren't decrypted until the initial login is successful; however, my authorized_keys file is stored in my home directory. Therefore, my first connection attempt will require a password. Subsequent connections will succeed without a password, since the SSH service will then be able to read my authorized_keys file in my decrypted home directory.

To get around this, I created a directory named after my username aritdev outside of my home directory (I chose /etc/), and gave it full permissions for myself, but read-execute permissions for everyone else. Next, I moved my authorized_keys file into aritdev. Then, I updated the AuthorizedKeysFile parameter in /etc/ssh/sshd_config:

AuthorizedKeysFile /etc/%u/authorized_keys

Finally, I restarted the SSH service. To test, I logged out of my VPS, then attempted to log back in. BOOM - it worked! 💃🏾
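With sshd's default StrictModes setting, a key file outside the home directory is only accepted if the file and every directory above it, up to /, is owned by the user or root and is not group- or world-writable. The script below is an added example, not part of the original post, that approximates that check for a relocated file such as /etc/aritdev/authorized_keys; it assumes GNU stat (as on Ubuntu), and the function names and the optional STOP argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): approximates the ownership and
# mode checks sshd makes on AuthorizedKeysFile when StrictModes is enabled.
# Assumes GNU stat; check_one/check_authkeys are hypothetical helper names.

# check_one PATH UID: owner must be root or UID; no group/world write bits.
check_one() {
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$owner" != 0 ] && [ "$owner" != "$2" ]; then
        echo "FAIL $1: owned by uid $owner" >&2; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $1: mode $mode is group/world writable" >&2; return 1
    fi
}

# check_authkeys FILE USER_OR_UID [STOP]: check FILE, then each parent
# directory up to STOP (default /; sshd stops early at the home directory).
check_authkeys() {
    file=$1; stop=${3:-/}
    case $2 in
        *[!0-9]*|'') uid=$(id -u "$2") || return 1 ;;
        *) uid=$2 ;;
    esac
    if [ ! -f "$file" ]; then
        echo "FAIL $file: not a regular file" >&2; return 1
    fi
    check_one "$file" "$uid" || return 1
    dir=$(cd "$(dirname "$file")" && pwd -P) || return 1
    while :; do
        check_one "$dir" "$uid" || return 1
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo "OK $file"
}

# On the server: sh check.sh /etc/aritdev/authorized_keys aritdev
if [ "$#" -ge 2 ]; then check_authkeys "$@"; fi
```

If the check passes and key login still falls back to a password, running `sshd -t` validates the edited sshd_config before the service is restarted.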

What issues related to server authentication have you experienced? How did you solve them? Please share below!

Posted on Dec 6 '18 by:

Arit Amana

@msarit

Former Public Health Analyst. Coding Bootcamp Grad. Mentor to women (especially moms) who are transitioning to tech careers.

Discussion

I had the experience a couple years ago when I was learning about ssh. I was attempting to access a server from a different laptop. I had the keys that I knew worked, which I had copied. Spent a couple of hours trying to figure out why the ssh connection was failing.

chmod 600 ~/.ssh/id_rsa; chmod 600 ~/.ssh/id_rsa.pub

I did not know that the private key needs to be accessible only by the current user trying to use ssh.