SSH Passwordless Access: Maintain Correct Permissions for the Home Folder

How SSH passwordless (key-based) login works:
1) Create the public/private key pair on the SSH client side.
2) On the SSH server side, the client's public key must be present in the authorized keys file (/home/username/.ssh/authorized_keys). The key the client offers must match an entry in that file.
3) Permissions must be correct: /home/username should be 700 and SELinux should be disabled. If there is any permission mismatch, the SSH server will not accept the key and login will not work.
When all 3 rules are met, passwordless SSH works without any problem.

NOTE: The end of the public key may carry a trailing username@hostname, showing the user and host where the key was created. The key is not tied to that host: you can use it for passwordless SSH from any machine to any machine, not only that specific one.
 

Test case: if there is a permission mismatch, authentication fails even though the key pair is correct, and we see output like the following (ssh -v verbose mode).

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jais/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /home/jais/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/jais/.ssh/id_ecdsa
debug1: Trying private key: /home/jais/.ssh/id_ed25519
debug1: Next authentication method: password

Troubleshooting: this is client/server communication, so before troubleshooting we need to determine whether the problem is on the server side or the client side.

For passwordless SSH access, the .ssh directory in the home directory should have 700 permission; it should not be open to others (for example, 744). If it is open, we get an error message like this:
Permissions 0740 for '/home/username/.ssh/id_dsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/username/.ssh/id_dsa

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[kamalr@admin ~]$ ls -l /home | grep jais
drwx------  84 jais         systems      6260 May 25 14:56 jais
[kamalr@admin ~]$ ls -l /home | grep kamalr
drwxrwx---  39 kamalr       salsup       1575 Mar  3 10:22 kamalr

Passwordless SSH will work for the jais user.
For kamalr it won't work, because the home directory itself doesn't have the correct permission.
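
The permission checks described above can be run mechanically. The script below is an added example, not part of the original post. It assumes OpenSSH's behaviour of refusing server-side paths (home, .ssh, authorized_keys) that are group- or other-writable and client private keys with any group/other access; the function names and the sample directories are made up for the demonstration.

```shell
# Added example (not from the original post): audit SSH-related permissions.
# Assumed thresholds (OpenSSH behaviour): server-side paths must not be
# group/other-writable; private keys must have no group/other access (0740 fails).

# Print the 10-character mode column, as in the `ls -l` output above.
mode_string() { ls -ld -- "$1" | cut -c1-10; }

# Succeed if group or other holds the write bit (positions 6 and 9).
writable_by_others() {
    case "$(mode_string "$1")" in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# Succeed if any group/other bit is set (positions 5-10 are not all '-').
accessible_by_others() {
    case "$(mode_string "$1")" in ????------) return 1 ;; esac
    return 0
}

# audit_ssh_perms HOME_DIR: print one FAIL line per finding; return 1 if any.
audit_ssh_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "FAIL $(mode_string "$p") $p (group/other writable)"
            rc=1
        fi
    done
    for k in "$1"/.ssh/id_*; do
        case "$k" in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if accessible_by_others "$k"; then
            echo "FAIL $(mode_string "$k") $k (private key open to others)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample mirroring the listing above: jais is 700, kamalr is 770.
demo=$(mktemp -d)
mkdir -p "$demo/jais/.ssh" "$demo/kamalr/.ssh"
chmod 700 "$demo/jais" "$demo/jais/.ssh" "$demo/kamalr/.ssh"
chmod 770 "$demo/kamalr"
audit_ssh_perms "$demo/jais" && echo "OK $demo/jais"
audit_ssh_perms "$demo/kamalr" || echo "passwordless login would be refused"
rm -rf "$demo"
```

Run `audit_ssh_perms /home/username` on the server for the home directory chain, and on the client to catch private keys that ssh would ignore.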
