When SSH permissions bite!


Last week I set up several Linux and Solaris hosts to use key based authentication. For some reason two of the hosts continued to prompt me for a password, even though the server and client were configured correctly to use DSA keys (I was using the same config on all of the servers, so I knew it worked). When I traced the sshd daemon on one of the hosts that was misbehaving, I saw the following just before the password prompt was displayed:

$ strace -f -p $(pgrep sshd)

<.....>
stat("/home/matty/.ssh/authorized_keys", {st_mode=S_IFREG|0664, st_size=1026, ...}) = 0
open("/home/matty/.ssh/authorized_keys", O_RDONLY) = 4
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/matty", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat("/home/matty/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat("/home/matty/.ssh/authorized_keys", {st_mode=S_IFREG|0664, st_size=1026, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/matty", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fstat(4, {st_mode=S_IFREG|0664, st_size=1026, ...}) = 0

The strace output made me realize that $HOME/.ssh might not be set to 0700, or the authorized_keys file might not be set to 0600. It turns out the permissions on both entries were set incorrectly, and after adjusting the permissions (which got borked by an incorrect umask entry in /etc/profile), everything worked as expected. As a side note, I am curious why the SSH daemon doesn’t log the permission errors when run with multiple debug flags. This would make a fantastic RFE! :)
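As an added example (not from the original post), here is a Python check that performs the same walk sshd does under StrictModes: it follows OpenSSH's safe_path() rule that authorized_keys and every directory from its parent up to $HOME must be owned by the user or root and must not be group- or world-writable. The function and helper names are this example's own, and the sample tree it builds is constructed, with authorized_keys at 0664 as in the strace above.

```python
import os
import stat
import tempfile

def strict_modes_problems(keyfile, home, uid=None):
    """List the reasons sshd (StrictModes yes) would reject `keyfile`.

    Mirrors OpenSSH's safe_path() rule: the file must be a regular file, and
    it plus every directory from its parent up to `home` (or `/`) must be
    owned by `uid` or root and must not be group/world writable (mode & 022).
    An empty list means the key file would be accepted.
    """
    uid = os.getuid() if uid is None else uid
    keyfile, home = os.path.realpath(keyfile), os.path.realpath(home)
    problems = []

    def bad(st):
        return st.st_uid not in (uid, 0) or (st.st_mode & 0o022) != 0

    st = os.stat(keyfile)
    if not stat.S_ISREG(st.st_mode) or bad(st):
        problems.append("bad ownership or modes for file %s (%o)"
                        % (keyfile, stat.S_IMODE(st.st_mode)))
    path = keyfile
    while True:                        # walk upwards, like the lstat() calls
        path = os.path.dirname(path)
        st = os.stat(path)
        if bad(st):
            problems.append("bad ownership or modes for directory %s (%o)"
                            % (path, stat.S_IMODE(st.st_mode)))
        if path in (home, "/"):
            break
    return problems

def make_sample_tree(file_mode=0o664, ssh_mode=0o700):
    """Constructed sample: a throwaway $HOME with .ssh/authorized_keys."""
    home = tempfile.mkdtemp()          # mkdtemp creates the directory 0700
    ssh = os.path.join(home, ".ssh")
    os.mkdir(ssh)
    os.chmod(ssh, ssh_mode)            # chmod explicitly: mkdir obeys umask
    keyfile = os.path.join(ssh, "authorized_keys")
    open(keyfile, "w").close()
    os.chmod(keyfile, file_mode)
    return home, keyfile

if __name__ == "__main__":
    home, keyfile = make_sample_tree()  # 0664, the group-writable case above
    for problem in strict_modes_problems(keyfile, home):
        print(problem)
```

Run against a real account as `strict_modes_problems(os.path.expanduser("~/.ssh/authorized_keys"), os.path.expanduser("~"))`; a bad umask in /etc/profile shows up here as a 0664 file or a 0775 directory long before you reach for strace.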

This article was posted by Matty on 2007-04-12 04:06:00 -0400