Cannot set up ssh authorized_keys for a normal user, but for root

Maybe I just have a block…

I want to embed a ‘ssh userxy@mydietpiraspi somecmd’ in a script on a remote machine.
For argument's sake let's assume the username on the remote machine is bob.

So on my remote machine I created id_rsa in /home/bob/.ssh/ with ssh-keygen -t rsa
and on my mydietpiraspi edited /etc/ssh/sshd_config lines:
43 PubkeyAuthentication yes
44 AuthorizedKeysFile .ssh/authorized_keys

Then I copied the public key over with
ssh-copy-id -i /home/bob/.ssh/id_rsa.pub userxy@mydietpiraspi
A prompt came for userxy's password and I logged in successfully.

After that ssh userxy@mydietpiraspi should not prompt for a password.
But it does.
I checked for bob’s public key in userxy .ssh/authorized_keys and it is in there.

If I do the same for root@mydietpiraspi it works.
ssh-copy-id -i /home/bob/.ssh/id_rsa.pub root@mydietpiraspi
The password prompt for root shows up, and I log in successfully.
Now bob can log in as root@mydietpiraspi without being prompted for a password.

Why?

Was there an issue filling in the troubleshooting template? Are you running Dropbear or OpenSSH?

We already had some cases where ssh-copy-id was not working correctly. Dropbear Public Key Authentication - #16 by MichaIng

That would be OpenSSH_8.4 on the pi.
On the remote machine where I used ssh-copy-id OpenSSH_7.9

Did you check whether the permissions on the files and folder in /home/userxy/.ssh are set correctly?

They are as they should be.
The dir is owned by userxy, mode 700.
The files inside are owned by userxy too.
authorized_keys 600
known_hosts 644

Can you check the format of your public key? [SOLVED] SSH PubkeyAuthentication not working - #5 by zenzip

It is fine, a one-liner.
And as said, it works with root, for any user on the remote machine.

Some time has passed since May, but I'm experiencing the same problem on my quite fresh install on a Raspi 4 with the latest DietPi image.

I gave the public key during installation (dietpi.txt) and found it correctly formatted in the authorized_keys file in root's and dietpi's home directory. Despite having configured sshd correspondingly, I could still only log in with a password, not with the public key.
(Btw.: I’m speaking of openssh-server here, not dropbear!)

After searching a lot for a reason for that, I'm continuously receiving Could not open user 'dietpi' authorized keys '.ssh/authorized_keys': Permission denied with debug3 in journalctl and permission denied at the client. I tried checking permissions, reading about SELinux, copying the file to /etc/ssh/keys/dietpi/ with root as owner, but still without success. I then read this post, tried to log in with root, et voilà! I'm in.

So that's a workaround, as I can now sudo -su dietpi into the less privileged user, but of course I don't want to allow root to ssh in forever.

One aspect I had under suspicion was that I encrypted my /home/dietpi with gocryptfs. But as I have my .ssh in $HOME both when it's mounted and when it's unmounted, and ssh fails both times, that doesn't seem to be the problem.

I also thought that sshd needed chown root:root on /home/dietpi/.ssh/*, but a) can't I access /home/dietpi as root anyway? and b) I did try that with /etc/ssh/keys/authorized_keys and it still didn't work.

It would be nice if someone with more expertise could take a look at this, as I'm afraid I've fired all my guns now :person_shrugging:

Can you share the following:

/home/dietpi/.ssh

You mean ls -la /home/dietpi/.ssh?

I made .ssh 700 and authorized_keys 600. Both belong to dietpi:dietpi. There’s nothing else in /home/dietpi/.ssh

(Sorry, I would have copied and pasted the command's output, but I don't have access to the machine right now.)

It is funny, I just checked and my problem still persists. If I want auto-login I have to log in as root, since I can't get it to work for userxy.

-rw-------  1 userxy userxy 567 Jan 11 13:42 authorized_keys
-rw-------  1 userxy userxy 2602 Jun  8  2023 id_rsa
-rw-r--r--  1 userxy userxy 566 Jun  8  2023 id_rsa.pub

Interestingly, I should say that I have a second Pi setup that works as expected, but I still can't find the difference.

Hmm, I tried on various systems and on all of them I'm able to log in as user dietpi using ssh keys.

Jan 11 21:57:04 DietPi sshd[552]: Accepted publickey for dietpi from 192.168.0.93 port 51935 ssh2: RSA SHA256:z.kzI
Jan 11 21:57:04 DietPi sshd[552]: pam_unix(sshd:session): session opened for user dietpi(uid=1000) by (uid=0)

Furthermore, I created a stupid dummy user named demouser.

root@DietPi: adduser demouser
Adding user `demouser' ...
Adding new group `demouser' (1001) ...
Adding new user `demouser' (1001) with group `demouser (1001)' ...
Creating home directory `/home/demouser' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for demouser
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
Adding new user `demouser' to supplemental / extra groups `users' ...
Adding user `demouser' to group `users' ...
root@DietPi:

Afterwards I simply stored my authorized_keys file within the home directory of this user.

root@DietPi:~# ls -la /home/demouser/.ssh/
total 12
drwxr-xr-x 2 root     root     4096 Jan 11 22:03 .
drwx------ 3 demouser demouser 4096 Jan 11 22:03 ..
-rw-r--r-- 1 root     root      393 Jan 15  2022 authorized_keys
root@DietPi:~#

As well, it seems permissions don't matter. I simply created the file with the root user.

And it’s working ootb.

Jan 11 22:03:25 DietPi sshd[646]: Accepted publickey for demouser from 192.168.0.93 port 52157 ssh2: RSA SHA256:z.I
Jan 11 22:03:25 DietPi sshd[646]: pam_unix(sshd:session): session opened for user demouser(uid=1001) by (uid=0)

Question: did you guys use a new key, or is it an older one? On Debian Bookworm, some old keys are not accepted anymore.

Mine is not fresh. It's a reuse of the one I use on my current server. But … wait! It works with root and the same key, so that's not the reason, I would assume.

For testing you could create a new pair. Did you already check the ssh server logs while trying to connect?

I created a new key, which is present in the remote host's authorized_keys file.

-rw-------  1 userxy userxy 2602 11. Jan 13:56 id_rsa
-rw-r--r--  1 userxy userxy 565 11. Jan 13:56 id_rsa.pub

And did you already check the logs on the server side while trying to connect?

Interesting, the message is: Authentication refused: bad ownership or modes for directory /home/userxy

Ownership seems ok though.

How does it look?

ls -la /home/userxy

And can you share more system details?

Required

  • DietPi version | cat /boot/dietpi/.version
  • Distro version | echo $G_DISTRO_NAME $G_RASPBIAN
  • Kernel version | uname -a
  • Architecture | dpkg --print-architecture
  • SBC model | echo $G_HW_MODEL_NAME or (EG: RPi3)

I found it.
/home/userxy was 777 instead of 755.

Thanks to you, I have checked that bloody log.
No idea why I didn't do that before.
Interesting that ssh refuses to log in to an open directory because the keys could have been compromised by anybody.
But logical.

Have a nice weekend :slight_smile:
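The verdict in the thread ("bad ownership or modes for directory /home/userxy") comes from sshd's StrictModes check, which is on by default: before it trusts ~/.ssh/authorized_keys, sshd walks from the file up through .ssh to the home directory and refuses any component that is group- or world-writable, or owned by someone other than the user or root. The root-owned authorized_keys in the demouser experiment above passes for the same reason (root is an allowed owner), and a 777 home directory fails even when .ssh is 700. The following shell script is an added stand-alone approximation of that check, written for this thread; it is not OpenSSH's code, and the temporary home directory it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Approximation of OpenSSH's StrictModes path check (sshd default: StrictModes yes).
# Added example, not OpenSSH's own code. sshd rejects authorized_keys when the
# file, the .ssh directory, or the home directory is group/world-writable (mode
# bits 022) or is owned by anyone other than the login user or root.

# Octal permission bits of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Numeric owner uid of a path (GNU stat first, BSD/macOS stat as fallback).
uid_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# check_strict_modes HOME_DIR UID
# Returns 0 if sshd would accept HOME_DIR/.ssh/authorized_keys for the user with
# numeric id UID, otherwise returns 1 and prints the first offending path in the
# wording sshd uses in its log.
check_strict_modes() {
    home="$1"; uid="$2"
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        m=$(mode_of "$p"); o=$(uid_of "$p")
        # Owner must be the user or root (uid 0).
        if [ "$o" != "$uid" ] && [ "$o" != 0 ]; then
            echo "bad ownership or modes for $p"; return 1
        fi
        # No group or other write bit: (mode & 022) must be zero.
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "bad ownership or modes for $p"; return 1
        fi
    done
    echo "ok: $home/.ssh/authorized_keys"
    return 0
}

# Constructed demonstration: a throwaway home with .ssh 700 and
# authorized_keys 600, exactly as in the thread, first with the home directory
# at 777 (refused) and then corrected to 755 (accepted).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/userxy/.ssh"
    : > "$tmp/userxy/.ssh/authorized_keys"
    chmod 700 "$tmp/userxy/.ssh"
    chmod 600 "$tmp/userxy/.ssh/authorized_keys"
    chmod 777 "$tmp/userxy"
    check_strict_modes "$tmp/userxy" "$(id -u)"   # refused: home is 777
    chmod 755 "$tmp/userxy"
    check_strict_modes "$tmp/userxy" "$(id -u)"   # accepted
    rm -rf "$tmp"
}

demo
```

To run the real check against a user on the Pi instead of the constructed directory, call check_strict_modes /home/userxy "$(id -u userxy)"; on the server, sshd -T | grep -i strictmodes shows whether the option is in effect, and journalctl -u ssh carries the same refusal line the thread quotes.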