
SSH key based login not working since installing Fedora 11.


http://forums.fedoraforum.org – I'm migrating my file server from Fedora 9 to Fedora 11 (clean install), and I'm having a horrendous time trying to get key based SSH logins working. I've set it up before, and I can't figure out why it won't work now. I copied my public key into ~/.ssh/authorized_keys2 and set the folder permissions for 700 and the file permissions for 600. Then I restarted sshd. Now unless I remember wrong I thought that's all you have to do. It didn't work. So I rebooted just for good measure. Still didn't work.

So I made sure that my client was still sane. I can log into my OpenBSD machine just fine. I compared the sshd_config from OpenBSD to the Fedora one, and the options seem pretty close. At that point I had nothing to lose and just started messing with the Fedora sshd_config. I also noticed in the config that the commented AuthorizedKeys file had dropped the 2 off the end, so I tried changing that as well. Still nothing. Password based logins work, but I really don't want to go that route.

Now I can only think of two possibilities. One, some sshd_config setting is wrong and I don't know what it is. Two, there's some package that's required for key based logins that I accidentally unchecked during the install process. That's about all I can come up with. Here's my sshd_config, I tried to just set everything back to default.

Code:

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile    .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem      sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#      X11Forwarding no
#      AllowTcpForwarding no
#      ForceCommand cvs server

Thoughts?
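An added example, not part of the original post: a small checker for the two things the post touches on, which settings are actually in force in an sshd_config with many commented-out lines, and whether the key file and its parent directories pass the ownership and mode checks that `StrictModes yes` applies. The function names, the `DEFAULTS` table and the sample config are assumptions made for illustration; the checker does not evaluate `Match` blocks or `%h`/`%u` tokens.

```python
import os
import stat

# Defaults used when a keyword is absent or commented out; these are the
# commented values shown in the posted sshd_config.
DEFAULTS = {"pubkeyauthentication": "yes", "strictmodes": "yes",
            "authorizedkeysfile": ".ssh/authorized_keys"}

def effective_options(config_text):
    """Return the global settings in force: the first uncommented value wins."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":  # conditional blocks are not evaluated
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return {**DEFAULTS, **opts}

def strictmodes_problems(keyfile, home, uid):
    """Check the key file and each directory up to home the way StrictModes
    does: owner must be the user or root, no group/world write bit."""
    problems = []
    path, home = os.path.abspath(keyfile), os.path.abspath(home)
    while True:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: does not exist")
        else:
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in (0, uid):
                problems.append(f"{path}: owned by uid {st.st_uid}")
            if mode & 0o022:
                problems.append(f"{path}: mode {mode:o} is group/world writable")
        if path == home or os.path.dirname(path) == path:
            break
        path = os.path.dirname(path)
    return problems

# Constructed sample: a few lines in the shape of the posted config.
SAMPLE = """#StrictModes yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
"""
```

Run `strictmodes_problems` as root or as the account owner against the real home directory; an empty list means permissions are not what is blocking the key, so the next place to look is the sshd log.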