Troubleshooting Guide for SSH Password-less Login

Under normal circumstances, generating a key pair and adding the public key to the remote server's ~/.ssh/authorized_keys is enough to achieve password-less login.

However, there are unexpected situations. Recently, I encountered an issue where, even after confirming that the configuration was correct, a password was still required. Here I record the troubleshooting process and go through the possible causes.

Possible Reasons for Failed Password-less Login

1. File and Directory Permissions

Check the permissions of the user's ~/.ssh directory and ~/.ssh/authorized_keys file. Permissions that are too loose cause the SSH service to refuse to use them.

Therefore, you must set ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.

# Run on the remote server as the target user (~ is that user's home directory)
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

~ always points to the current user's home directory. If you are root and want to fix the files and directories of another account (user here stands for the actual account name), you need to use the absolute path. Generally the home directory is /home/user; if a data disk is mounted, it may be /data/home/user instead, depending on the system.

2. SSH Configuration File

This is an easily overlooked issue. Generally the SSH configuration does not cause problems, but if the permissions above are confirmed to be correct and the connection still fails, check the SSH daemon configuration file /etc/ssh/sshd_config and ensure that the following settings are enabled:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

These two lines enable public key authentication and specify the location of the public key file, respectively. After making changes, restart the sshd service for them to take effect.

sudo systemctl restart sshd

Depending on your system, the restart command may differ. If systemctl is not found, try sudo service sshd restart.

3. User Home Directory Permissions

To use password-less login for user, the user's home directory must not be writable by other users. If other users (group or everyone) can write to user's home directory, SSH refuses the login, because anyone who can write there could replace the .ssh directory and its authorized_keys file. Therefore, the home directory should be restricted so that only the user can write to it:

chmod 755 /data/home/user
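As an added example (not part of the original guide), the following shell script checks the three conditions from points 1 and 3 the way sshd does before it honours authorized_keys: the home directory, ~/.ssh and authorized_keys must be owned by the user (or root) and must not be writable by group or others. It runs against a constructed temporary directory rather than a real account and assumes GNU coreutils stat.

```shell
#!/bin/sh
# Audits the ownership and mode bits that sshd checks (StrictModes, on by
# default) before it will honour ~/.ssh/authorized_keys: the home directory,
# ~/.ssh and authorized_keys must be owned by the user (or root) and must not
# be writable by group or others. Assumes GNU coreutils `stat`.

# Check one path. $1 path, $2 expected owner, $3 mode the guide recommends.
check_path() {
    path=$1; want_owner=$2; want_mode=$3
    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist"; return 1
    fi
    owner=$(stat -c '%U' "$path"); mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want_owner" ] && [ "$owner" != root ]; then
        echo "FAIL: $path owned by $owner, expected $want_owner (or root)"; return 1
    fi
    # Octal digits 2,3,6,7 carry the write bit: the second-to-last digit is
    # the group, the last is others. Either one set makes sshd refuse the key.
    case "$mode" in
        *[2367]?|*[2367])
            echo "FAIL: $path mode $mode is group- or world-writable"; return 1 ;;
    esac
    [ "$mode" = "$want_mode" ] || echo "WARN: $path mode $mode, guide recommends $want_mode"
    echo "OK:   $path owner=$owner mode=$mode"
}

# Run all three checks for one account. $1 home directory, $2 user name.
# Returns 0 only if every check passes, so it can drive an `if` or a CI step.
check_ssh_perms() {
    rc=0
    check_path "$1" "$2" 755 || rc=1
    check_path "$1/.ssh" "$2" 700 || rc=1
    check_path "$1/.ssh/authorized_keys" "$2" 600 || rc=1
    return "$rc"
}

# Constructed fixture (a temp directory, not a real account): the group-
# writable home directory from the log excerpt in the guide, then the fix.
demo() {
    home=$(mktemp -d); me=$(id -un)
    mkdir -m 700 "$home/.ssh"; touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"; chmod 775 "$home"
    check_ssh_perms "$home" "$me" || echo "-> sshd would refuse; fix: chmod 755 $home"
    chmod 755 "$home"
    check_ssh_perms "$home" "$me" && echo "-> password-less login can work"
    rm -rf "$home"
}
demo
```

To audit a real account, call check_ssh_perms with its home directory and user name as root, for example check_ssh_perms /data/home/user user.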

Log Analysis

If all of the above causes have been checked and password-less login still fails, look at the SSH service's log, which usually contains the reason for the login failure. On systemd systems (including Fedora, Ubuntu, Debian, and CentOS/RHEL 7 and later) you can use the following command (on Debian and Ubuntu the unit is named ssh, so use -u ssh if -u sshd shows nothing):

sudo journalctl -u sshd

For example, during my troubleshooting, I found the following log content:

-- Logs begin at Tue 2024-03-19 10:34:54 CST, end at Thu 2024-03-21 10:19:04 CST. --
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=1001, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=5003, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: Authentication refused: bad ownership or modes for directory /data/home/user
Mar 21 10:12:26 VMOS sshd[767031]: DBG|operate_common.h|55|MakeNslcdInteraction|action=80003, interaction ok
Mar 21 10:12:31 VMOS sshd[767031]: pam_tsso(sshd:auth): Authentication failure for user from xx.xx.xx.xx

Note this line: Authentication refused: bad ownership or modes for directory /data/home/user. It means that the ownership or permission bits (modes) of the user's home directory were wrong, so sshd refused the key and fell back to asking for a password.

Changing the permissions of /data/home/user as shown in point 3 above resolves the issue.