I want to embed a ‘ssh userxy@mydietpiraspi somecmd’ in a script on a remote machine.
For argument’s sake, let’s assume on the remote machine the username is bob.
So on my remote machine I created id_rsa in /home/bob/.ssh/ with ssh-keygen -t rsa
and on my mydietpiraspi edited /etc/ssh/sshd_config lines:
43 PubkeyAuthentication yes
44 AuthorizedKeysFile .ssh/authorized_keys
Then copied public key over with
ssh-copy-id -i /home/bob/.ssh/id_rsa.pub userxy@mydietpiraspi
prompt came for userxy passwd and I logged in successfully.
After that ssh userxy@mydietpiraspi should not prompt for a password.
But it does.
I checked for bob’s public key in userxy .ssh/authorized_keys and it is in there.
If I do the same for root@mydietpiraspi it works.
ssh-copy-id -i /home/bob/.ssh/id_rsa.pub root@mydietpiraspi
Passwd prompt for root shows up, logged in successfully.
Now bob can login as root@mydietpiraspi without being prompted for a passwd.
Some time passed since May but I’m experiencing the same problem on my quite fresh install on a Raspi 4 and the latest dietpi image.
I gave the publickey during installation (dietpi.txt) and found it correctly formatted in the authorized_keys file in root’s and dietpi’s home directory. Despite having configured sshd correspondingly I could still only login with password, not with publickey.
(Btw.: I’m speaking of openssh-server here, not dropbear!)
After I searched a lot for a reason for that, I’m continuously receiving Could not open user 'dietpi' authorized keys '.ssh/authorized_keys': Permission denied with debug3 in journalctl and permission denied at the client. After checking permissions, reading about SELINUX, copying the file in /etc/ssh/keys/dietpi/ with root as owner but still without success. I now read this post, tried to login with root et voilà! I’m in.
So that’s a workaround as I can now sudo -su dietpi into the less privileged user but of course I don’t want to allow root to ssh forever.
One aspect I had under suspicion was that I encrypted my /home/dietpi with gocryptfs. But as I have my .ssh in $HOME both when it’s mounted and when unmounted - and ssh fails both times that doesn’t seem to be the problem.
I also thought that sshd needed chown root:root to /home/dietpi/.ssh/* but a) can’t I access /home/dietpi as root and b) did I try that with /etc/ssh/keys/authorized_keys and that still didn’t work.
Would be nice if s.o. with more expertise could take a look at this as I am afraid I fired all my guns now
hmm I tried on various systems and on all of them I’m able to login as user dietpi using ssh keys
Jan 11 21:57:04 DietPi sshd[552]: Accepted publickey for dietpi from 192.168.0.93 port 51935 ssh2: RSA SHA256:z.kzI
Jan 11 21:57:04 DietPi sshd[552]: pam_unix(sshd:session): session opened for user dietpi(uid=1000) by (uid=0)
furthermore I created a stupid dummy user named demouser
root@DietPi: adduser demouser
Adding user `demouser' ...
Adding new group `demouser' (1001) ...
Adding new user `demouser' (1001) with group `demouser (1001)' ...
Creating home directory `/home/demouser' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for demouser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
Adding new user `demouser' to supplemental / extra groups `users' ...
Adding user `demouser' to group `users' ...
root@DietPi:
Afterwards I simply stored my authorized_keys file within home directory of this user
root@DietPi:~# ls -la /home/demouser/.ssh/
total 12
drwxr-xr-x 2 root root 4096 Jan 11 22:03 .
drwx------ 3 demouser demouser 4096 Jan 11 22:03 ..
-rw-r--r-- 1 root root 393 Jan 15 2022 authorized_keys
root@DietPi:~#
As well it seems permissions don’t matter. I simply created the file with root user.
And it’s working ootb.
Jan 11 22:03:25 DietPi sshd[646]: Accepted publickey for demouser from 192.168.0.93 port 52157 ssh2: RSA SHA256:z.I
Jan 11 22:03:25 DietPi sshd[646]: pam_unix(sshd:session): session opened for user demouser(uid=1001) by (uid=0)
Question: did you guys use a new key or is it an older one? On Debian Bookworm, some old keys are not accepted anymore.
Mine is not fresh. It’s a reuse of the one I use on my current server. But … wait! It works with root and the same key - so that’s not the reason I would assume.
Thanks to you, I have checked that bloody log.
No idea why I didn’t do that before.
Interesting that ssh refuses to login to an open directory because keys could have been compromised by anybody.
But logical.
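The check the last post refers to, as an added example that is not part of the original thread: with StrictModes (on by default in OpenSSH), sshd ignores an authorized_keys file unless the file and every directory up to the user's home are owned by that user or root and are not group- or world-writable. The function names are hypothetical and GNU stat (as on Debian/DietPi) is assumed.

```shell
#!/bin/sh
# Added example: audit the paths sshd's StrictModes check walks for one user.
# Function names are hypothetical; requires GNU stat (-c).

# path_is_safe <uid> <path>
# Succeeds if <path> is owned by <uid> or root and is not group/world-writable.
path_is_safe() {
    info=$(stat -L -c '%u %a' "$2" 2>/dev/null) || {
        echo "FAIL $2: cannot stat"
        return 1
    }
    owner=${info% *}
    mode=${info#* }
    if [ "$owner" != "$1" ] && [ "$owner" != 0 ]; then
        echo "FAIL $2: owned by uid $owner, expected $1 or root"
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group+other write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $2: mode $mode is group- or world-writable"
        return 1
    fi
    echo "ok   $2 (uid $owner, mode $mode)"
}

# audit_authorized_keys <uid> <home_dir> [keys_file]
# Checks the keys file, then each parent directory, stopping after the home
# directory (or at / when the keys file lives outside the home directory).
audit_authorized_keys() {
    a_uid=$1
    a_home=${2%/}
    a_path=${3:-$a_home/.ssh/authorized_keys}
    a_rc=0
    while :; do
        path_is_safe "$a_uid" "$a_path" || a_rc=1
        [ "$a_path" = "$a_home" ] && break
        case $a_path in /|.) break ;; esac
        a_path=$(dirname "$a_path")
    done
    return $a_rc
}

# Example call for the account discussed in the thread:
#   audit_authorized_keys "$(id -u dietpi)" /home/dietpi
```

Any FAIL line names a path that makes sshd skip the key, which is when the client falls back to the password prompt. The audit does not test whether the user can actually read the file, so a "Permission denied" on open needs a separate look.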