Linux – Enabling DSA key authentication for SFTP while still keeping password login as optional (Ubuntu 12.04)


I have a server running Ubuntu 12.04 Server. I want to be able to use SFTP on the command line with a DSA key, so I don't have to type the password into the terminal. Is this possible to do on the same server… i.e. I want to SFTP to localhost (to test some PHP code before running it live). But I still want to allow password login by other clients if they want to. I don't want the certificate to be forced, but I don't want it to ask for the password if the certificate is passed or whatever.

I have the following options enabled in ssh_config:

RSAAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
IdentityFile ~/.ssh/id_dsa

The following files with shown permissions are in /root/.ssh/

-rw-r--r--  1 root root  668 Apr 10 11:06 authorized_keys
-rw-------  1 root root  668 Apr 10 11:03 id_dsa
-rw-r--r--  1 root root  608 Apr 10 11:03 id_dsa.pub

I copied the key into authorized keys with:

cat /root/.ssh/id_dsa.pub >> /root/.ssh/authorized_keys

And when I cat authorized keys, it has added the key.

So, when I try to connect to sftp with sftp -v root@testserver (just locally, again, for testing some code but that's irrelevant), I still get the password prompt. Here's a section of the verbose output:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering DSA public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
root@testserver's password:

Have I missed something obvious? Or will it not work connecting locally?

Thanks

Best Answer

The permissions in the /root/.ssh directory are wrong if StrictModes yes is set in /etc/ssh/sshd_config. You can check if this is the case by enabling LogLevel DEBUG, restarting the server and watching the logs (/var/log/auth.log for Ubuntu, if you have not changed the stock syslog configuration).

Correct them by issuing:

chmod -R go= /root/.ssh

and try again.

Having both PubkeyAuthentication and PasswordAuthentication allows you to do what you want, i.e. for those users who present a public key, their access will be passwordless (provided their public key exists in the authorized_keys file); and those who don't will be prompted for a password.

And RSAAuthentication is used only with version 1 of the protocol, which, hopefully, you are not using, as it is insecure.

Don't forget to read the SSHD_CONFIG(5) manpage.
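A script for checking the permission bits the answer refers to, as an added example that is not part of the answer above: it flags the home directory, ~/.ssh and authorized_keys when they are group- or other-writable (which sshd rejects under StrictModes yes) and private keys readable by anyone but their owner (which the ssh client refuses). It assumes GNU stat, as shipped on Ubuntu, and takes the account's home directory as its argument.

```shell
#!/bin/sh
# Check the permission bits that make sshd (StrictModes yes) and the ssh
# client refuse public-key authentication. Added example, not part of the
# answer above; assumes GNU stat (as on Ubuntu) and takes the account's
# home directory as $1 (default: $HOME).

# Octal mode of a path, e.g. "644"; prints nothing if the path is missing.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null
}

# StrictModes rejects the home directory, ~/.ssh and authorized_keys when
# they are writable by group or others: returns 0 if mode $1 has bit 022 set.
is_group_other_writable() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# The ssh client refuses a private key that anyone but its owner can read
# or write ("UNPROTECTED PRIVATE KEY FILE"): returns 0 if bit 077 is set.
is_key_too_open() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# Prints one line per offending path; returns 1 if any was found, else 0.
check_ssh_perms() {
    home="${1:-$HOME}"
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        m=$(mode_of "$p") || continue         # skip paths that do not exist
        if is_group_other_writable "$m"; then
            echo "$p: mode $m is group/other writable (StrictModes rejects it)"
            bad=1
        fi
    done
    for p in "$home"/.ssh/id_*; do
        case "$p" in *.pub) continue ;; esac  # public halves may be world-readable
        [ -f "$p" ] || continue
        m=$(mode_of "$p")
        if is_key_too_open "$m"; then
            echo "$p: mode $m is readable by others (the client will refuse it)"
            bad=1
        fi
    done
    return $bad
}
```

Run it as `check_ssh_perms /root` on the server in the question; a clean run prints nothing and exits 0.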