5

It seems as if similar questions have been asked before, but the issue that I am having hasn't been raised or answered as a part of the answers provided to the other questions. So...

I'm using an Amazon EC2 instance that is running Ubuntu, and I've already figured out how to gain SSH access with PuTTY with the "ubuntu" login. I figured I could simply do a few useradds, and in each of the home folders of the other users, add ".ssh/authorized_keys" as it was in the "ubuntu" home folder, and then SSH in using the other usernames (but the same private key) would run smoothly - this didn't happen (I got the "Server refused our key" message).

There seems to be something that I'm unaware of as to how SSH key-pairing works... any ideas?

Quick summary:

  • SSH access with PuTTY using "ubuntu" as username - works fine.
  • Creating other users, copying ".ssh/authorized_keys" from "ubuntu" home folder to other user home folders, and SSH with same private key (login with different username) - doesn't work. Receiving "Server refused our key" message.

UPDATE: I've edited the file '/etc/ssh/sshd_config' to uncomment the line:

AuthorizedKeysFile %h/.ssh/authorized_keys

(which I didn't realize was commented by default), but still no luck. Just thought I'd mention it if that was going to be a suggestion...

UPDATE2-IMPORTANT: Thanks to Nickolay's answer, I realized I had overlooked the permissions of the file. Although the permissions were not quite the issue (I think), it turns out that when I used sudo to copy '.ssh/authorized_keys' to the other added user folders, the owner of the newly created folder and file was actually root. The question seems to be now - how can I change the owner of the folder/file (as a non-root user most likely wouldn't be able to check a key that is owned by root)? I'll do a search to see if that comes up with the answer...

UPDATE3-IMPORTANT: I've changed the permission for both '.ssh' and 'authorized_keys' as well as the owner and the group from root to otheruser, yet when using username otheruser when trying to SSH, I still receive the "Server refused our key" message. Sorry I prematurely added the answered section... the answer provided seemed (and still seems) like the correct answer, logically speaking, so I said it was answered before I tested...

UPDATE4-IMPORTANT: Nickolay's answer is indeed correct (which I said wasn't in UPDATE3). My issue (after I followed Nickolay's answer) was not actually related to any SSH caveats. When I created the otheruser account, I accidentally specified the shell as /bin/bash/ instead of /bin/bash (notice the extra /). I came upon this because all work I had done was from the "ubuntu" account, and after getting frustrated I tried to just log into otheruser after SSHing in with ubuntu - which returned the error "Cannot execute /bin/bash/: Not a directory". After changing the shell with chsh -s /bin/bash otheruser, I was able to log in to otheruser from ubuntu, but more interestingly this allowed me to SSH using otheruser as the user without receiving the "Server refused our key" message. So... the inability to instantiate a shell to use somehow returned as a refused key message. Is there somewhere I should maybe call attention to this...? In any case, thanks again to Nickolay.

ANSWERED: Nickolay's answer covers what needs to be done in this situation, including using the chown command to change the ownership of the folder/file, as is mentioned in the link provided under his answer. (I also used the chgrp command, as the group was also root.)

Here are the steps I used (you may have to preface these commands with sudo):

  • chmod go-w otheruser otheruser/.ssh
  • chmod 600 otheruser/.ssh/authorized_keys
  • chown 'otheruser' otheruser/.ssh
  • chown 'otheruser' otheruser/.ssh/authorized_keys
  • chgrp 'otheruser' otheruser/.ssh
  • chgrp 'otheruser' otheruser/.ssh/authorized_keys

NOTE: The last two commands are for changing the group the '.ssh/' folder and 'authorized_keys' file are associated with. You may want them to be something else, but I wanted to keep them consistent with the other files/folders in that user's home folder.

2
  • I think I need to do something in /etc/ssh/ but I'm not very familiar with tinkering with these settings...
    – MandM
    Commented Jan 16, 2013 at 18:30
  • I requested that his answer be edited and I also tried editing his answer to be more descriptive (i.e. include steps and reference the link he provided in the comment), but neither has happened. I'll go ahead and accept the answer, but I'm going to explain it in the question.
    – MandM
    Commented Jan 17, 2013 at 14:36

1 Answer

1

You should also set correct permissions for the .ssh folder and authorized_keys:

chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

Also, the owner of these files should be the same as the user trying to log in.

5
  • Thanks for the response Nickolay. I did a direct copy from 'ubuntu/.ssh/authorized_keys' to 'otheruser/.ssh/authorized_keys'; however, because I was in a different user's folder, I was denied the ability to do the copy as I was "ubuntu" not "otheruser". I used sudo in order to do so, so the owner of both the ".ssh/" folder and the "authorized_keys" file is actually root. Assuming one would need root privileges to request the authorized_keys file owned by root, how could one go about changing the ownership of the file...?
    – MandM
    Commented Jan 16, 2013 at 18:55
  • See this FAQ: openssh.org/faq.html#3.14 authorized_keys for each user should be owned by this user plus file should have corresponding permissions. Also you can check the log to see if there are 'authentication refused' messages from sshd.
    – Nickolay O.
    Commented Jan 16, 2013 at 19:03
  • Thanks Nickolay, if you want to edit your response to make sure that the user owning the file is important (especially if the ownership has changed to root during a sudo cp ... command), I'll go ahead and consider this the answer.
    – MandM
    Commented Jan 16, 2013 at 19:06
  • Nickolay - thank you for your answer again; however, I may have jumped the gun in accepting your answer. The steps provided don't seem to have fixed the issue. I changed the permissions and owner (and the group) associated with '.ssh/' and 'authorized_keys' to otheruser from root, but using SSH with another username still returns with the "Server refused our key" message.
    – MandM
    Commented Jan 16, 2013 at 19:53
  • Nickolay, turns out your answer did indeed work. But, WOW - the issue on my end is hard to believe. When I created the otheruser account, I specified bash as the shell to use. Obviously, I copied the '.ssh' and 'authorized_keys' with the sudo command, but I had never tried actually logging into those accounts. I eventually tried this and I got the error "Cannot execute /bin/bash/: Not a directory" when logging into otheruser. I realized I had specified "/bin/bash/" instead of "/bin/bash" as the shell. Removing the "/" allowed me to log into the account AS WELL AS finally SSH into the account.
    – MandM
    Commented Jan 16, 2013 at 20:36
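
An added example, not part of the original posts: a shell check for the three causes of "Server refused our key" that came up in this thread (wrong owner after sudo cp, group/other write bits, and a login shell such as /bin/bash/ that is not an executable file). The function names are hypothetical, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits one account for the
# causes of "Server refused our key" discussed on this page.

# True when group or others have write permission on the path.
group_or_other_writable() {
    mode=$(stat -c '%a' "$1")            # GNU stat: octal mode, e.g. 700
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# check_ssh_account HOME_DIR EXPECTED_UID LOGIN_SHELL
# Prints one line per problem and returns the number of problems found.
check_ssh_account() {
    home=$1; uid=$2; shell=$3; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"; problems=$((problems + 1)); continue
        fi
        owner=$(stat -c '%u' "$p")
        if [ "$owner" != "$uid" ]; then
            echo "OWNER     $p is owned by uid $owner, expected $uid"
            problems=$((problems + 1))
        fi
        if group_or_other_writable "$p"; then
            echo "WRITABLE  $p is writable by group or others"
            problems=$((problems + 1))
        fi
    done
    # A path such as /bin/bash/ fails both tests: a file is not a directory.
    if [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
        echo "SHELL     login shell '$shell' is not an executable file"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: ./check.sh otheruser  (home, uid and shell come from passwd)
if [ $# -eq 1 ]; then
    IFS=: read -r name_f pw_f uid_f gid_f gecos_f home_f shell_f <<EOF
$(getent passwd "$1")
EOF
    check_ssh_account "$home_f" "$uid_f" "$shell_f" && echo "OK: no problems found"
fi
```

Run it with sudo when the target home directory is not readable by the calling user.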
