Client: openSUSE 10.3, OpenSSH 4.6; host: openSUSE 11.3, OpenSSH 5.4
I have a user that has ssh publickey setup to a host, to enable running some scripts through cron. We migrated the host to a new server, and found that the user can no longer connect to the host. On the client, I removed the RSA public and private keys and known hosts, and on the server I removed the authorized_keys file for the user. After this, I generated new ssh RSA keys using 'ssh-keygen -t rsa' and then copied id_rsa.pub to authorized_keys on the server. Still, I am unable to connect.
For grins, I set up ssh RSA keys for my own user on the same client machine, connecting to the same host. After copying id_rsa.pub to authorized_keys on the server, I was able to successfully login.
I have another user on the client machine whose ssh keys to the host also work. So it seems like it is this one account that is causing problems.
The sshd configuration files are identical between the hosts. You can view the configuration: http://pastebin.com/YdLm8iWx
The output of 'ssh -vvv ' is available at: http://pastebin.com/WQqurUZm
With sshd logging set to VERBOSE, the output that occurs when a connection attempt is made is here: http://pastebin.com/i0SEtLU6
I've re-generated the keys several times to no avail, and since I set up two other users today with keys to the same host, I don't think it's simply a key issue. And if it is, I don't understand how, since I followed the same procedure each time.
I now have sshd running with loglevel DEBUG; you can view the logs for an ssh publickey attempt: http://pastebin.com/KAcqWHQh starting on line 22.
Resolution: The cause turned out to be that the user account was locked on the server. I initially looked past this because the user account was locked on the old server as well, but ssh still functioned properly.
I discovered this in part by setting "UsePAM no" in the sshd config file, restarting sshd and trying to ssh in again. One of the log entries was a message that the "account is locked". After unlocking the account, I was able to successfully connect via ssh using publickey.
Thanks
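A check for the condition described in the resolution above, as an added example that is not part of the original post: it classifies the password field of shadow(5) lines, treating a leading `!` (the marker `passwd -l` and `usermod -L` write) as the locked state. That the lock on this server took that form is an assumption; the function names, sample accounts and placeholder hashes are constructed for illustration.

```shell
#!/bin/sh
# Classify one shadow(5) password field (the 2nd colon-separated field).
# Prints: locked | no-password | empty | hash
shadow_field_state() {
    case "$1" in
        '')   echo empty ;;        # no password required at all
        '!'*) echo locked ;;       # lock marker written by passwd -l / usermod -L
        '*'*) echo no-password ;;  # no valid hash, but not the lock marker
        *)    echo hash ;;         # an ordinary password hash
    esac
}

# Read shadow-format lines on stdin and print the state for user $1.
# Prints "unknown" and returns 1 if the user has no entry.
account_lock_state() {
    user=$1
    while IFS=: read -r name pw _rest; do
        if [ "$name" = "$user" ]; then
            shadow_field_state "$pw"
            return 0
        fi
    done
    echo unknown
    return 1
}

# Constructed sample data (hypothetical accounts, placeholder hashes).
sample_shadow() {
cat <<'EOF'
cronuser:!$6$placeholder$placeholderhash:15000:0:99999:7:::
alice:$6$placeholder$placeholderhash:15000:0:99999:7:::
svc:*:15000:0:99999:7:::
fresh:!:15000:0:99999:7:::
EOF
}

# Demo: the key-only cron account is the one carrying the lock marker.
for u in cronuser alice svc fresh; do
    printf '%s: %s\n' "$u" "$(sample_shadow | account_lock_state "$u")"
done
```

On a real server, run it as root with `account_lock_state someuser < /etc/shadow`, where `someuser` is the account that fails publickey login.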
Check the permissions on the authorized_keys file. It should be owned by the user who owns the account, but more importantly, you shouldn't be able to read it or write to it from another user account:
Just giving a 'proper' answer even though I edited the original question to reflect the resolution...but here goes.