I have a server running Ubuntu 12.04 Server. I want to be able to use SFTP on the command line with a DSA key, so I don't have to type the password into the terminal. Is this possible to do on the same server… i.e. I want to SFTP to localhost (to test some PHP code before running it live). But I still want to allow password login by other clients if they want to. I don't want the certificate to be forced, but I don't want it to ask for the password if the certificate is passed or whatever.
I have the following options enabled in ssh_config:
RSAAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
IdentityFile ~/.ssh/id_dsa
The following files with shown permissions are in /root/.ssh/
-rw-r--r-- 1 root root 668 Apr 10 11:06 authorized_keys
-rw------- 1 root root 668 Apr 10 11:03 id_dsa
-rw-r--r-- 1 root root 608 Apr 10 11:03 id_dsa.pub
I copied the key into authorized keys with:
cat /root/.ssh/id_dsa.pub >> /root/.ssh/authorized_keys
And when I cat authorized keys, it has added the key.
So, when I try to connect to sftp with sftp -v root@testserver (just locally, again, for testing some code but that's irrelevant), I still get the password prompt. Here's a section of the verbose output:
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
root@testserver's password:
Have I missed something obvious? Or will it not work connecting locally?
Thanks
Best Answer
The permissions in the /root/.ssh directory are wrong if StrictModes yes is set in /etc/ssh/sshd_config. You can check if this is the case by enabling LogLevel DEBUG, restarting the server and watching the logs (/var/log/auth.log for Ubuntu, if you have not changed the stock syslog configuration).
Correct them by issuing:
chmod -R go= /root/.ssh
and try again.
Having both PubKeyAuthentication and PasswordAuthentication allows you to do what you want, i.e. for those users who present a public key, their access will be passwordless (provided their public key exists in the authorized_keys file); and those who don't will be prompted for a password.
And RSAAuthentication is used only with version 1 of the protocol, which, hopefully, you are not using, as it is insecure.
Don't forget to read the SSHD_CONFIG(5) manpage.
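An added example, not part of the answer above and not OpenSSH's own code: with StrictModes enabled, sshd ignores an authorized_keys file if it, or any directory between it and the home directory, is owned by someone other than the user or root, or is writable by group or others. The sketch below approximates that test. It assumes GNU stat and readlink as shipped on Ubuntu and only handles files located under the home directory; the function name strict_check and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: approximates the ownership/mode test applied by StrictModes.
# strict_check FILE HOME_DIR UID   (hypothetical helper, not an OpenSSH tool)
# Walks from FILE up to HOME_DIR and prints every component that would fail.
# Returns 0 if all pass, 1 if any fail, 2 on usage or stat errors.
strict_check() (
    path=$(readlink -f -- "$1") || return 2
    home=$(readlink -f -- "$2") || return 2
    uid=$3
    rc=0
    case "$path" in
        "$home"/*) ;;
        *) echo "not under home directory: $path"; return 2 ;;
    esac
    while :; do
        # %a = octal permission bits, %u = numeric owner id (GNU stat)
        info=$(stat -c '%a %u' -- "$path") || return 2
        mode=${info% *}
        owner=${info#* }
        # Owner must be the account itself or root.
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad owner (uid $owner): $path"
            rc=1
        fi
        # Group-write (020) or other-write (002) bit set means rejection.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $path"
            rc=1
        fi
        [ "$path" = "$home" ] && break
        path=$(dirname -- "$path")
    done
    return $rc
)

# Usage when saved as a script: <script> /root/.ssh/authorized_keys /root 0
if [ "$#" -eq 3 ]; then
    strict_check "$@"
fi
```

Any path it prints is one sshd would refuse under StrictModes; a clean run means the cause of the password prompt lies elsewhere and the sshd debug log is the next place to look.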