Can't connect with ssh and sshd complains about permissions on authorized_keys files

I was recently trying to connect to a CentOS box from Windows and had the following error in /var/log/secure (after enabling DEBUG3 level logging in /etc/ssh/sshd_config):

Dec 19 18:01:05 hostname sshd[25119]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 19 18:01:05 hostname sshd[25119]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': Permission denied

It's an SELinux problem, and I don't quite understand it, but here's the one-liner that fixes it:

restorecon -FRvv ~/.ssh

Found on stackoverflow: "SSHD Gives error could not open Authorized Keys, although permissions seem correct"


Securing ssh

I finally secured my ssh server after I got hacked twice. The first time was because I had a user named vmware with the password "vmware". The second time was because I had a user named test with the password "test". Yeah I know, not smart. Luckily both those users were not in the wheel group so they were fairly isolated. It looks like the just wanted my box to do port scans and cracking of other machines.

Here are a few things to add to your /etc/ssh/sshd_config file to make it more secure (in addition to the standard defaults):

#Change your port to something other than 22 (security by obscurity).
Port 22
#Limit which users can log on
AllowUsers david
#Not sure what this does but it is "turned on for security"
UsePrivilegeSeparation yes
#Enable key authentication
PubkeyAuthentication yes
#Fairly obvious
PermitEmptyPasswords no
#Disable passwords (force key authentication)
PasswordAuthentication no
ChallengeResponseAuthentication no

A couple other things I did was to install libpam_cracklib and set a better password for myself. Secondly I installed denyhosts which dynamically adds bad behaving clients to the /etc/hosts/deny list. Beware that it will add svn-over-ssh clients to this list (because svn often makes multiple ssh logins in succession) so you'll need to add the host that you're using svn from to the /etc/hosts.allow list.


Copy ssh Public key to Server in one line

Update (2011/02/06): you don't really need any of the commands below, you can just use the ssh-copy-id program that comes with ssh.

Here it is:

cat ~/.ssh/ | ssh <a href="mailto:user@hostname">user@hostname</a> "cat - >> ~/.ssh/authorized_keys"

Apparently some people don't like this one that much. :-)

Here's an alternative:

ssh <a href="mailto:user@hostname">user@hostname</a> "echo `cat ~/.ssh/` >> ~/.ssh/authorized_keys"

It doesn't require the first cat or the pipe.


Subscribe to RSS - ssh