OpenTechTips
Comprehensive IT Guides for Pros and Enthusiasts

Fix SSH Certificate Authentication in Linux

November 3, 2020 - by Zsolt Agoston - last edited on November 3, 2020

So you want to use SSH public-key authentication (loosely called certificate authentication in this post) instead of password authentication. You added the client's SSH public key to the authorized_keys file on the server (as this guide shows), but when you try to connect you are still prompted for the password?


Most likely there is an ownership or permission problem with the authorized_keys file, or with the directories above it. With StrictModes enabled (the sshd default) the server silently ignores the key file whenever the user's home directory, ~/.ssh or authorized_keys is writable by group or others, or is owned by anyone other than that user or root, and falls back to asking for a password. The file should be owned by the account being logged into, and nobody but the owner may be able to write to it. The server logs the exact reason: on CentOS look in /var/log/secure (or journalctl -u sshd) for a line such as "Authentication refused: bad ownership or modes for file /home/zsolt/.ssh/authorized_keys".

Example

We want to log into a CentOS Linux machine called COS with a local user account on the server named zsolt. These basic troubleshooting steps will most likely sort out the issue:

1. Check the client's SSH public key we use

On the client, open the hidden .ssh directory in your user profile (on Windows it lives under %USERPROFILE%\.ssh) and open the id_rsa.pub file. If you generated a different key type, the file is named accordingly, for example id_ed25519.pub:

Client public key:

za@OpenTechTips ~$ cat ~/.ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0+FccsKiWF4gPO4ZB9MQeRH/j5sOCdkFn+b+C9FRO2D86HYhlPhHJFjWasUrPo7O6PVSGxetG36kJ1REdtmmSzues1gKvl9YJxRkiCe2ML53f3l1Amg9BjYpDD45b/V4lZbxaspA5uF0IxmfrWy6uWKQ9nCdeFbgj1iXU/rGkyYv6bTkjNA3eBLjpdJqDnZ8FmYBp9Koxg4mQG8W8Sf3cqjklCbDzH0E9PZiBBLBl2qrJtO6VTum/ym8YF72rANkItz0c7L1s4hWmosWoH5AWWpy/NUffyxtBbkywn0EiCupAeXRU7bMNHltlkE2Iin+HU1jC3OspPlSuBMszpuLN zsoltagoston@Zsolts-MacBook-Pro.local

Check whether the same key is present in the authorized_keys file of the account we are trying to log in to:

[root@COS ~]# cat /home/zsolt/.ssh/authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0+FccsKiWF4gPO4ZB9MQeRH/j5sOCdkFn+b+C9FRO2D86HYhlPhHJFjWasUrPo7O6PVSGxetG36kJ1REdtmmSzues1gKvl9YJxRkiCe2ML53f3l1Amg9BjYpDD45b/V4lZbxaspA5uF0IxmfrWy6uWKQ9nCdeFbgj1iXU/rGkyYv6bTkjNA3eBLjpdJqDnZ8FmYBp9Koxg4mQG8W8Sf3cqjklCbDzH0E9PZiBBLBl2qrJtO6VTum/ym8YF72rANkItz0c7L1s4hWmosWoH5AWWpy/NUffyxtBbkywn0EiCupAeXRU7bMNHltlkE2Iin+HU1jC3OspPlSuBMszpuLN zsoltagoston@Zsolts-MacBook-Pro.local

If it is not there, append the whole line (key type, key and comment) to the end of the authorized_keys file, save it and try to log in again. Note that creating or editing the file as root is exactly what produces the ownership problem covered in step 2, so if it still doesn't work, proceed to step 2.

2. Check the owner of /home/zsolt/.ssh/authorized_keys

[root@COS .ssh]# ll
total 12
-rw-r--r--. 1 root  root   419 Nov  1 17:07 authorized_keys
-rw-------. 1 zsolt zsolt 2590 Nov  1 17:00 id_rsa
-rw-r--r--. 1 zsolt zsolt  563 Nov  1 17:00 id_rsa.pub

If it is not owned by the account being logged into (here it is owned by root), change the owner to the right user. chown only changes ownership; the mode bits stay as they were, which is why step 3 checks them separately:

[root@COS .ssh]# chown zsolt:zsolt authorized_keys

[root@COS .ssh]# ll
total 12
-rw-r--r--. 1 zsolt zsolt  419 Nov  1 17:07 authorized_keys
-rw-------. 1 zsolt zsolt 2590 Nov  1 17:00 id_rsa
-rw-r--r--. 1 zsolt zsolt  563 Nov  1 17:00 id_rsa.pub

3. Check permissions of authorized_keys on the server

The permissions on the authorized_keys file must not be 777 (rwxrwxrwx)! This is an example of a badly set up SSH profile:

[root@COS .ssh]# ll
total 12
-rwxrwxrwx. 1 zsolt zsolt  419 Nov  1 17:07 authorized_keys
-rw-------. 1 zsolt zsolt 2590 Nov  1 17:00 id_rsa
-rw-r--r--. 1 zsolt zsolt  563 Nov  1 17:00 id_rsa.pub

Neither the group nor other users may have write permission on the file; with StrictModes on (the default) sshd rejects a group- or world-writable authorized_keys outright and logs "bad ownership or modes" in /var/log/secure. The execute bits serve no purpose on this file, so don't bother with 755: set it to 644 (rw-r--r--) or 600 (rw-------). The same rule applies one level up: ~/.ssh should be 700, and the home directory itself must not be group- or world-writable either, or sshd ignores the key file just the same.

Hint: use 644 if the owner is root or some other user (sshd reads the file with the user's own privileges, so the user must still be able to read it), and 600 if the owner of the file matches the profile owner (here it's zsolt).

If ownership and modes are right and the login still fails on CentOS, check the SELinux label as well (the trailing dot in the ll output marks a labelled file): ls -Z /home/zsolt/.ssh should show ssh_home_t, and restorecon -Rv /home/zsolt/.ssh puts the default label back.

[root@COS .ssh]# chmod 600 authorized_keys 
[root@COS .ssh]# ll
total 12
-rw-------. 1 zsolt zsolt  419 Nov  1 17:07 authorized_keys
-rw-------. 1 zsolt zsolt 2590 Nov  1 17:00 id_rsa
-rw-r--r--. 1 zsolt zsolt  563 Nov  1 17:00 id_rsa.pub

4. Verify it's working

Connect again from the client. You should land in a shell on COS without being asked for zsolt's password. If you are still prompted, run the client with ssh -v zsolt@COS and look for the "Offering public key" line and the server's answer to it, then check /var/log/secure on COS for the refusal reason.
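The three server-side checks above (ownership, mode bits, key actually listed) as one script you can run as root on the server. This is an added example, not code from the original post: it reproduces the conditions sshd enforces with StrictModes and the readability rule behind the 644-versus-600 hint, and it goes slightly beyond the steps above by also checking the home directory and ~/.ssh, and by matching a key that is listed with options such as from="..." in front of it. It assumes GNU stat(1) and takes the home directory and the account's numeric uid as arguments; check_key_auth, strict_ok, readable_by and key_listed are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reproduces the checks sshd performs (StrictModes, the default) before it will
# use ~/.ssh/authorized_keys, plus the "can the user read it" rule behind the
# 644-vs-600 hint, and confirms that the client's key is listed.
# Assumptions: GNU coreutils stat(1); the caller passes the home directory and
# the account's numeric uid (e.g. "$(id -u zsolt)"). Function names are ours.

# strict_ok PATH UID
# 0 if PATH is owned by UID or root and is not writable by group or others.
# sshd applies this test to the home directory, ~/.ssh and authorized_keys.
strict_ok() {
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%a' "$1")
    [ "$owner" -eq "$2" ] || [ "$owner" -eq 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]          # 022 = group-write | other-write
}

# readable_by UID PATH
# sshd reads authorized_keys with the user's own privileges, so a file owned
# by someone else (typically root) must carry the other-read bit.
readable_by() {
    owner=$(stat -c '%u' "$2") || return 1
    mode=$(stat -c '%a' "$2")
    if [ "$owner" -eq "$1" ]; then
        [ $(( 0$mode & 0400 )) -ne 0 ]     # owner-read
    else
        [ $(( 0$mode & 04 )) -ne 0 ]       # other-read
    fi
}

# key_listed PUBKEY_FILE AUTHORIZED_KEYS
# Matches on key type + base64 blob only: the trailing comment may differ, and
# the server line may start with options such as from="..." or no-pty.
key_listed() {
    want=$(awk 'NR == 1 { print $1, $2 }' "$1")
    awk -v want="$want" '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == want) found = 1 }
        END { exit !found }' "$2"
}

# check_key_auth HOME UID PUBKEY_FILE
# Prints the first problem found. Returns 0 when key login should work,
# 1 for an ownership/mode problem, 2 when the key is not in authorized_keys.
check_key_auth() {
    home=$1; uid=$2; pub=$3
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            return 1
        fi
        if ! strict_ok "$p" "$uid"; then
            echo "bad ownership or modes for $p ($(stat -c '%U %a' "$p")): must be owned by uid $uid or root and not group/world-writable"
            return 1
        fi
    done
    if ! readable_by "$uid" "$home/.ssh/authorized_keys"; then
        echo "authorized_keys is not readable by uid $uid (use 644 when root owns it, 600 when the user does)"
        return 1
    fi
    if ! key_listed "$pub" "$home/.ssh/authorized_keys"; then
        echo "client key from $pub is not listed in $home/.ssh/authorized_keys"
        return 2
    fi
    echo "ok: $home/.ssh/authorized_keys passes sshd's checks and lists the client key"
}

# Usage on the server, as root:
#   sh sshkeycheck.sh /home/zsolt "$(id -u zsolt)" /tmp/id_rsa.pub
if [ "$#" -eq 3 ]; then
    check_key_auth "$@"
fi
```

Copy the client's id_rsa.pub to the server first (here assumed at /tmp/id_rsa.pub) and run the script as root, so it can stat files regardless of their mode. A non-zero exit with a "bad ownership or modes" line points at the same file or directory sshd names in /var/log/secure; a return of 2 means the key simply isn't in the file yet.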

Enjoy!
