RedHat 6/Oracle Linux 6 is not allowing key authentication via ssh

Asked 16/3, 2012 at 17:9 Answered 24/6, 2015 at 10:5

Solved redhat selinux sshd oracle-enterprise-linux

Keys are properly deployed in ~/.ssh/authorized_keys

Yet ssh keeps on prompting for a password.

Velasco answered 16/3, 2012 at 17:9 Comment(2)

Check /var/log/secure it will have information if the public key failed for auth. Most likely file(s) have the wrong read/write permission in ~/.ssh. – Ianiana 16/3, 2012 at 17:12

In my case perms were fine. it was SELinux related, see below – Velasco 16/3, 2012 at 18:18

Several issues, mostly privileges - but also related to SELinux on RedHat 6

The following script should fix them all, please replace <user>:<group> with your matching userid and group

chown -R <user>:<group> ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
restorecon -R -v ~/.ssh

Velasco answered 16/3, 2012 at 17:10 Comment(5)

you should not change the file permissions to be world readable even if they are inside a protected directory restorecon -R -v $HOME/.ssh is what did the trick for me – Xerophilous 1/4, 2013 at 22:47

Yes, it should be owner access only. In my rhel6 box still works with 600 – Xerophilous 2/4, 2013 at 17:23

You mean my suggestion was bad? because I see that you edited your response with 600 for the files. – Xerophilous 11/4, 2013 at 16:5

forgot to update my comment, I had the file ownership wrong (note the chown addition). so your suggestion was fine. – Velasco 12/4, 2013 at 13:54

Note that this only works for standard home directories. If you are applying this change to a service account, or some other user whose home directory is not in /home, then you need to add the following command before restorecon (or rerun restorecon after running this command, replace path/to/service/home with the FULL home path): semanage fcontext -a -t ssh_home_t "/path/to/service/home/\.ssh(/.*)?" – Huss 7/7, 2015 at 16:16

I'd agree with the changes above working on most linux variants in the root account. I have had a problem with RedHat 6.3 with trying to get a postgres user account to use DSA auth. (6.3 running in VirtualBox)

The issue can be that the basic selinux permissions are wrong. Restorecon wont help in this case.

(After restorecon)
drwx------. postgres postgres unconfined_u:object_r:var_lib_t:s0 .ssh

I have fixed this with :

chcon -R -t ssh_home_t .ssh

This resolved this instance of the problem.

Doubledecker answered 5/2, 2014 at 9:20 Comment(3)

I have been searching for three days for this answer! It wasn't until I ran stat on the authorized keys file that I noticed an SELinux context on the file. I compared it to an authorized keys file for a different user and noticed the difference! Thank you, Greg! – Huss 7/7, 2015 at 15:2

One additional point I discovered: If you subsequently run restorecon on this .ssh directory, you will lose the changes you made with the chcon command. You need to also add a policy that will reapply the context properly upon a filesystem relabel. I did this with the following command: semanage fcontext -a -t ssh_home_t "/path/to/service/home/.ssh(/.*)?". (Be sure to use the full path.) – Huss 7/7, 2015 at 15:43

Corrected command: semanage fcontext -a -t ssh_home_t "/path/to/service/home/\.ssh(/.*)?" – Huss 7/7, 2015 at 16:13

I had also this same issue, the proposed solution above did not solve the case for me. To summarise instructions abowe together:

Check following logfile on target system for possible details of errors: /var/log/secure
Permission of files in users ~/.ssh directory should be 600 and files should be owned By "user:group"
Permission of ~/.ssh directory should be 700 and owned By "user:group"
Permission of home directory of user ie. "~" (="~/.ssh/..") should be 755. If permissions are f.ex 775, ssh key autenthication failed in my system.

br bruno

Flywheel answered 24/6, 2015 at 10:5 Comment(1)

Did this instruction solve the case for you? Or is it just a compilation? – Yarmouth 24/6, 2015 at 10:44

The above answer is quite good, I have an addition & a suggestion. The addition is in line 2 below, as home directory permissions not be more permissive than rwxr-x--- for ssh key authentication.

cd ~
chmod g-w,o-rwx .
chmod 700 .ssh
cd .ssh
chmod 600 *
chmod 644 authorized_keys
chmod 644 known_hosts
chmod 644 config
restorecon -R -v ../.ssh

The suggestion is to make use of the -vv option when testing.

Calvinism answered 2/4, 2012 at 16:46 Comment(2)

You probably mean o-rwx, not u-rwx :) – Panorama 3/10, 2012 at 6:17

Good catch! I have a recurring mnemonic issue with 'u' and 'o' in the chmod/chown commands. 'o' is 'other', not 'owner'! – Calvinism 17/7, 2014 at 22:12

Recommended topics

Hot tags