Error message when attempting to ssh to a server
user@host: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Check /var/log/secure
Authentication refused: bad ownership or modes for file /home/user/.ssh/authorized_keys
Check permissions on ~/.ssh/authorized_keys and ~/.ssh
$ stat -c "%n %a" .ssh
.ssh 775
$ stat -c "%n %a" .ssh/authorized_keys
.ssh/authorized_keys 664
Check man sshd
- ~/.ssh/
This directory is the default location for all user-specific configuration and authentication information. There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.
- ~/.ssh/authorized_keys
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described above. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.
Check /etc/ssh/sshd_config
Defaults are shown commented out. StrictModes is commented out, so its default of 'yes' is in effect.
Recommendations:
- .ssh is 700
- .ssh/authorized_keys is 600, or 644 if other OS users need to read but not write it (possible use cases exist)
- To fix:
- chmod 700 ~/.ssh
Do not use the recursive switch (-R)! The private key, public key and authorized_keys files may each need different permissions.
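The check described in the man page excerpt above can be reproduced before retrying the login. This is an added example, not part of the original note or of OpenSSH: it audits the home directory, ~/.ssh and ~/.ssh/authorized_keys for a wrong owner or group/other write bits, then applies the recommended modes to a constructed demo tree. It assumes GNU stat (stat -c), as in the commands above; the function names check_path and audit_ssh_perms are hypothetical.

```shell
#!/bin/sh
# Added example: audit the paths that the StrictModes check covers.
# Assumes GNU stat ("stat -c"). check_path / audit_ssh_perms are hypothetical names.

# check_path PATH UID: returns 0 = acceptable, 1 = bad owner or mode, 2 = missing.
check_path() {
    [ -e "$1" ] || return 2
    mode=$(stat -c '%a' "$1") && owner=$(stat -c '%u' "$1") || return 2
    # Owner must be the account itself or root.
    [ "$owner" -eq "$2" ] || [ "$owner" -eq 0 ] || return 1
    # Octal mask 022 = group-write | other-write; either bit fails the check.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# audit_ssh_perms HOME UID: one line per path, returns 1 if any path fails.
audit_ssh_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$2" && st=0 || st=$?
        case $st in
            0) echo "ok      $(stat -c '%a' "$p") $p" ;;
            1) echo "REFUSE  $(stat -c '%a' "$p") $p"; rc=1 ;;
            *) echo "missing $p" ;;
        esac
    done
    return $rc
}

# Constructed demo tree reproducing the modes shown above (775 / 664).
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 775 "$demo/.ssh"; chmod 664 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" "$(id -u)" || echo "sshd with StrictModes yes would refuse this key file"

# With the recommended modes set per file (no recursive chmod), the audit passes.
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" "$(id -u)" && echo "all paths acceptable"
rm -rf "$demo"
```

To audit a real account, call audit_ssh_perms with that user's home directory and numeric UID.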