SSH suddenly asking for password
General problem
I have my computer (Mac OSX 10.9.4) and a remote server (Ubuntu 14.04.1 LTS). I used ssh-keygen
to create an ssh key (with no passphrase), added the public key to the server's .ssh/authorized_keys
, and all was good in the world. Then, earlier today, ssh
started asking me for a password again.
What might have caused it
I'm really not sure what caused this - these are my best guesses:
rm
'd them). From what I can tell from my command history, there aren't ssh-relevant files that I removed, just .git, .gitignore, and various *.sw? files leftover from vim. ssh-keygen -l -f ~/.ssh/authorized_keys
on the remote server to see the fingerprints of (I think) the keys in that file. Relevant logs
When I run ssh -v -i ~/.ssh/mykey_rsa user@serverip
, I get this:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/myusername/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 50: Applying options for *
debug1: Connecting to {ip address} [{ip address}] port 22.
debug1: Connection established.
debug1: identity file .ssh/mykey_rsa type 1
debug1: identity file .ssh/mykey_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
debug1: Miscellaneous failure (see text)
No credentials cache file found
debug1: An invalid name was supplied
unknown mech-code 0 for mech 1 2 752 43 14 2
debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 5 14
debug1: Miscellaneous failure (see text)
unknown mech-code 2 for mech 1 3 6 1 4 1 311 2 2 10
debug1: An unsupported mechanism was requested
unknown mech-code 0 for mech 1 3 5 1 5 2 7
debug1: Miscellaneous failure (see text)
unknown mech-code 0 for mech 1 3 6 1 5 2 5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA {fingerprint}
debug1: Host '{ip address}' is known and matches the RSA host key.
debug1: Found key in /Users/myusername/.ssh/known_hosts:16
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: .ssh/otherkey_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: .ssh/mykey_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
user@serverip's password:
I find it kind of strange that it tried a different ssh key (otherkey_rsa) before the one I told it to use (mykey_rsa), but I don't know enough about ssh to parse this well.
Meanwhile, the remote server's /var/log/auth.log
helpfully says
Aug 12 02:04:19 servername sshd[22147]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Aug 12 02:04:19 servername sshd[22147]: Authentication refused: bad ownership or modes for directory /root
Permissions
Local/on my computer:
~/ drwxr-xr-x+ 105 myusername staff 3570 Aug 11 23:14
~/.ssh/ drwx------ 13 myusername staff 442 Aug 11 23:14
~/.ssh/mykey_rsa.pub -rw-r--r-- 1 myusername staff 397 Aug 5 20:52
~/.ssh/mykey_rsa -rw------- 1 myusername staff 1675 Aug 5 20:52
Remotely/on the server:
~/ drwxr-xr-x 8 501 staff 4096 Aug 12 02:16
~/.ssh/ drwx------ 2 remoteuser root 4096 Aug 12 01:49
~/.ssh/authorized_keys -rw------- 1 remoteuser root 794 Aug 12 01:44
I'm really stumped on this and would really appreciate help! Thank you!
As aecolley pointed out on superuser, the answer was staring me in the face. The problem was with permissions, and the reason was that the user with uid 501 owned my home directory. Why, you ask? Because I'd (kind of accidentally) used rsync
to copy a bunch of files there from my laptop, and rsync
appears to have used my laptop's user id (501, the default on OS X) for the job.
chown root .
from my home directory on the server fixed the problem.
Maybe it could be useful for someone.
I had the same issue on Ubuntu: one day I tried to push to the git repo and got the password prompt. The issue in my case was in the wrong permissions (root was the fileowner) for the ~/.ssh/config file.
To fix the issue I had to change file owner and then re-login.
I just spent a half hour ripping my hair out at this issue on Yosemite. All my permissions were correct, the key was in the right place, config was correct, etc.
What happened was this: I used Migration Assistant to transfer some files from this machine to another, which caused the interactive user session to log out but did not actually reboot the machine, so when I logged back in and started tmux
it reattached to a surviving session. Apparently, this caused it to lose some sort of security permission to access Keychain, where my key passwords are stored, and it wouldn't re-prompt me. Simply restarting tmux solved the issue!
上一篇: 我可以更改C#中的当前堆栈跟踪吗?
下一篇: SSH突然要求输入密码