When SSH permissions bite!

Last week I set up several Linux and Solaris hosts to use key based authentication. For some reason two of the hosts continued to prompt me for a password, even though the server and client were configured correctly to use DSA keys (I was using the same config on all of the servers, so I knew it worked). When I traced the sshd daemon on one of the hosts that was misbehaving, I saw the following just before the password prompt was displayed:

$ strace -f -p `pgrep sshd`
<.....>
stat("/home/matty/.ssh/authorized_keys", {st_mode=S_IFREG|0664, st_size=1026, ...}) = 0
open("/home/matty/.ssh/authorized_keys", O_RDONLY) = 4
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/matty", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat("/home/matty/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat("/home/matty/.ssh/authorized_keys", {st_mode=S_IFREG|0664, st_size=1026, ...}) = 0
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/matty", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fstat(4, {st_mode=S_IFREG|0664, st_size=1026, ...}) = 0

The strace output made me realize that $HOME/.ssh might not be set to 0700, or the authorized_keys file might not be set to 0600 (the lstat results above show authorized_keys with mode 0664, which is group-writable, and sshd will not trust a key file that anyone other than the owner or root can modify). It turns out the permissions on both entries were set incorrectly, and after adjusting the permissions (which got borked by an incorrect umask entry in /etc/profile), everything worked as expected. As a side note, I am curious why the SSH daemon doesn't log the permission errors when run with multiple debug flags. This would make a fantastic RFE! :)
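The following is an added example, not code from the original post. It reproduces the ownership and mode test that sshd applies (with StrictModes, the default) to the home directory, $HOME/.ssh and authorized_keys before it will accept a public key: each path must be owned by the user or root and must not be group- or world-writable, which is exactly why the 0664 authorized_keys in the strace above was rejected. The function names (check_path, check_ssh_perms, fix_ssh_perms) are my own, and the script assumes GNU stat (Linux) with a BSD-style stat -f fallback for Solaris/BSD.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the StrictModes
# ownership/mode check sshd performs on $HOME, $HOME/.ssh and
# $HOME/.ssh/authorized_keys, and offer a fix for the usual mistake.
# Assumes GNU stat; falls back to BSD/Solaris stat -f syntax.

# mode_and_owner PATH -> prints "<octal mode> <owner>", e.g. "664 matty".
# Like sshd, this does not follow symlinks (stat uses lstat by default).
mode_and_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# check_path PATH USER: succeed only if PATH exists, is owned by USER or
# root, and has no group/other write bits (mode & 022 == 0), which is
# the rule sshd enforces before trusting a key file.
check_path() {
    path=$1; user=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    set -- $(mode_and_owner "$path")
    mode=$1; owner=$2
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "bad ownership for $path (owned by $owner, expected $user or root)"
        return 1
    fi
    # 0$mode turns stat's "664" into octal 0664 for the arithmetic test
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes for $path (mode $mode is group/world writable)"
        return 1
    fi
    return 0
}

# check_ssh_perms HOMEDIR USER: check the three paths sshd lstat()s in
# the trace above; returns non-zero at the first problem found.
check_ssh_perms() {
    home=$1; user=$2
    check_path "$home" "$user" &&
    check_path "$home/.ssh" "$user" &&
    check_path "$home/.ssh/authorized_keys" "$user"
}

# fix_ssh_perms HOMEDIR: apply the conventional modes (0700 on .ssh,
# 0600 on authorized_keys) and strip group/world write from HOMEDIR.
# A umask of 002 in /etc/profile is what produces 0664 files like the
# one in the trace; fix the umask too or the problem will come back.
fix_ssh_perms() {
    chmod go-w "$1" &&
    chmod 0700 "$1/.ssh" &&
    chmod 0600 "$1/.ssh/authorized_keys"
}

# Usage: sh sshperms.sh /home/matty matty
if [ $# -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

Run it against the home directory of the user who cannot log in; it prints the first path that sshd would refuse, which is the same information the "bad ownership or modes" message in sshd -d output gives, without having to restart the daemon in debug mode.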

4 Comments

moo  on April 15th, 2007

Hmm. My sshd tells me about perm. problems with .ssh or authorized_keys, with just one debug flag:

# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.5p1

debug1: trying public key file /home/moo/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /home/moo/.ssh

Or,

# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.5p1

debug1: trying public key file /home/moo/.ssh/authorized_keys
Authentication refused: bad ownership or modes for file /home/moo/.ssh/authorized_keys

matty  on April 16th, 2007

Hi Moo,

Nifty! The version I am using (the version that ships with CentOS 4.4) doesn’t have that option, so I assume the error message has been added in the 4.X series.

Thanks for the feedback!
- Ryan

Dan  on January 15th, 2009

Ryan, notice, he’s running the ssh server, sshd, with that option, not the ssh client. I just tried sshd -d and found my permission problem was on my home directory. Cool.

Daniel  on July 28th, 2011

You can also use ‘ssh -vT’ to get the same information with the client.

-sh-3.2$ ssh -vT
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
[...]
debug1: Unspecified GSS failure. Minor code may provide more information
Unknown code krb5 195

Used that to find out my private key wasn’t in the correct format (didn’t convert from Putty correctly).
