I just set up a vanilla Ubuntu Lucid (10.04) system with openssh-server. I'm trying to set up public key authentication, and it only works if I first connect using password authentication and leave that session open. All new concurrent sessions will then work with publickey.
I've taken all the steps to ensure the correct permissions are in place on my server-side home directory.
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
My client-side 2048-bit RSA public key is appended (one line only) to the authorized_keys file. My RSA keys have blank passphrases also.
I'm baffled as to what might cause this. I know it has to be something with my server configuration. I've heard that if configuration isn't secure "enough" that it will not permit publickey authentication, but I'm confused as to what that could be.
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
The rest is default. PublicKey works, but not for the first session.
Thanks in advance!
Best Answer
If you have an encrypted home directory, the way Ubuntu does it with eCryptfs, then that would explain what you are experiencing. Your ~/.ssh/authorized_keys first becomes available after you have made your first passworded login.
One way of allowing direct login by ssh keys is to specify AuthorizedKeysFile outside the home directory. This might be done by using %u (user) instead of %h (home directory) in the path. Another option is to put a copy of ~/.ssh/authorized_keys in the "unmounted" version of your home directory, that is, what lies underneath the eCryptfs mount.
Yet, not sure how much good any of these solutions will really do you. You will still (kind of) need to log in using your password to be able to access your regular home directory. It is your user password which is used to unwrap the passphrase needed to mount/decrypt your eCryptfs home directory. Yes, you could still mount/decrypt manually, but that almost seems like a different question.
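The following is an added example, not part of the question or the answer above and not OpenSSH's own code. It shows, in plain sh, what the %u-versus-%h advice amounts to: a small expander that substitutes sshd's AuthorizedKeysFile tokens (%h = home directory, %u = user name, %% = literal %, relative paths taken relative to the home directory) and a check that reads mount-table lines in /proc/mounts format to tell whether a given home directory is an eCryptfs mount, i.e. whether a key file under %h would be unreadable before the first password login. The mount lines and the /etc/ssh/authorized_keys/%u path are constructed for the example; adjust them to your host.

```shell
#!/bin/sh
# Added example: model sshd's AuthorizedKeysFile token expansion and the
# eCryptfs-home condition from the answer. Nothing here edits sshd_config.

# expand_keysfile TEMPLATE USER HOME
# Prints the path sshd would read for TEMPLATE. %h -> HOME, %u -> USER,
# %% -> '%'; a relative result is resolved against HOME, as sshd does.
expand_keysfile() {
    awk -v tmpl="$1" -v user="$2" -v home="$3" 'BEGIN {
        out = ""
        n = length(tmpl)
        for (i = 1; i <= n; i++) {
            c = substr(tmpl, i, 1)
            if (c == "%" && i < n) {
                d = substr(tmpl, i + 1, 1)
                if (d == "h") { out = out home; i++; continue }
                if (d == "u") { out = out user; i++; continue }
                if (d == "%") { out = out "%";  i++; continue }
            }
            out = out c
        }
        if (substr(out, 1, 1) != "/") out = home "/" out
        print out
    }'
}

# home_is_ecryptfs HOME MOUNTS
# MOUNTS is text in /proc/mounts format (device mountpoint fstype opts 0 0).
# Returns 0 when HOME is itself an ecryptfs mount point, 1 otherwise.
home_is_ecryptfs() {
    printf '%s\n' "$2" | awk -v home="$1" \
        '$2 == home && $3 == "ecryptfs" { found = 1 } END { exit found ? 0 : 1 }'
}

# keysfile_readable_before_login USER HOME MOUNTS
# Picks the template that sshd can read before the user has ever logged in:
# the Ubuntu default (%h/.ssh/authorized_keys) when the home is a normal
# directory, a %u-based path outside the home when the home is eCryptfs.
# The /etc/ssh/authorized_keys/%u location is a constructed example path.
keysfile_readable_before_login() {
    if home_is_ecryptfs "$2" "$3"; then
        expand_keysfile '/etc/ssh/authorized_keys/%u' "$1" "$2"
    else
        expand_keysfile '%h/.ssh/authorized_keys' "$1" "$2"
    fi
}

# Constructed sample mount table: alice has an eCryptfs home, bob does not.
# The ecryptfs_sig value is a placeholder, not a real signature.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0000000000000000 0 0'

# Demo output when run directly.
echo "alice: $(keysfile_readable_before_login alice /home/alice "$SAMPLE_MOUNTS")"
echo "bob:   $(keysfile_readable_before_login bob /home/bob "$SAMPLE_MOUNTS")"
```

If you do move the file out of the home directory, keep StrictModes happy: the file and every directory above it must be owned by root or the user and not writable by group or others, and the file must be readable by sshd, which runs as root when it checks keys.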