SSH setup – Key based authentication

Bastion host - Source
Client host - Destination

Scenario 1: Same user present on Bastion and Client hosts

On Bastion host – I've created a "test" user and generated an SSH keypair for it. The user was created with:

useradd -u 54321 -s /bin/bash -m -d /home/test -c "Test User" test


Now let's check the folder and files that were created. Make a note of the ".ssh" folder permission (700) and of the files inside it. "" is the public key, which can be shared freely, and "id_rsa" (600) is the private key, which must never leave the Bastion host. In SSH public-key authentication the client proves it holds the private key by signing a challenge, and the server verifies that signature with the matching public key from authorized_keys; anyone who obtains the private key can authenticate as that user.


For key-based authentication to work we only need to copy the public key "" to the Client host.


On Client host – create the test user – create the ".ssh" directory – set the directory permission to 700 – create the file "authorized_keys" – copy the contents of "" into authorized_keys – set the file permission to 600. The home directory itself must also not be group- or world-writable, otherwise sshd will refuse to use the key.


Giving the right permissions is always important

3.14 – I copied my public key to authorized_keys but public-key authentication still doesn’t work.

Typically this is caused by the file permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.

In this case, it can be solved by executing the following on the server.

chmod go-w $HOME $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys
chown `whoami` $HOME/.ssh/authorized_keys
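The Client-host setup above and the permission fix from the FAQ entry, combined into one added shell example (this is not code from the original post). It assumes GNU coreutils for "stat -c" and an existing home directory; the key line is a constructed placeholder, not a real key.

```shell
# Added example, not from the original post: install a public key into a
# user's authorized_keys with the permissions sshd (StrictModes yes, the
# default) insists on, then audit them. Assumes GNU coreutils for "stat -c"
# and that HOME_DIR already exists. Run as the user or as root.

# install_authorized_key HOME_DIR PUBKEY_LINE
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # $HOME and $HOME/.ssh must not be group- or world-writable
    chmod go-w "$home_dir"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # Append the key only if that exact line is not already present
    touch "$auth_keys"
    if ! grep -qxF -- "$pubkey" "$auth_keys"; then
        printf '%s\n' "$pubkey" >> "$auth_keys"
    fi
    chmod 600 "$auth_keys"
}

# check_ssh_perms HOME_DIR: print every problem found, return 1 if there was any
check_ssh_perms() {
    home_dir=$1
    rc=0

    # Symbolic mode string such as drwxr-xr-x: character 6 is the group write
    # bit and character 9 the other write bit; either one breaks key auth
    case "$(stat -c '%A' "$home_dir")" in
        ?????w*|????????w*)
            echo "$home_dir is group- or world-writable"; rc=1 ;;
    esac

    mode=$(stat -c '%a' "$home_dir/.ssh" 2>/dev/null || echo missing)
    [ "$mode" = 700 ] || { echo "$home_dir/.ssh mode is $mode, want 700"; rc=1; }

    mode=$(stat -c '%a' "$home_dir/.ssh/authorized_keys" 2>/dev/null || echo missing)
    [ "$mode" = 600 ] || { echo "$home_dir/.ssh/authorized_keys mode is $mode, want 600"; rc=1; }

    return $rc
}

# Constructed placeholder key line (not a real key)
EXAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealExampleKeyNotReal0 test@bastion'
```

Usage: install_authorized_key /home/test "$(cat id_rsa.pub)" followed by check_ssh_perms /home/test. The check deliberately reports every problem rather than stopping at the first one, because a home directory that is group-writable and a .ssh directory at 755 are commonly found together on hosts where "it used to work".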

Let's try connecting from the Bastion host to the Client now.


Scenario 2: Different users on Bastion and Client hosts

Let's create one more user, "test2", on the Client host and place the same public key in its authorized_keys file.


Try connecting from the "test" user on Bastion to "test2" on Client.


Scenario 3: From a regular user on Bastion to the root user on Client (not advisable, but I'll give it a go).

I've added the public key to "authorized_keys" under the root user on the Client host.


But when I try to connect as root I get "Permission denied".


On the Client host, "PermitRootLogin" in sshd_config is set to disallow root login (PermitRootLogin no), which is what rejects the connection as root even though the public key is in root's authorized_keys file.


I updated sshd_config to permit root login and restarted the sshd process. If root access over SSH is really required, prefer "PermitRootLogin prohibit-password" (spelled "without-password" in OpenSSH releases before 7.0): it allows root to log in with a key while still refusing password logins for root, whereas a plain "yes" re-enables root password authentication as well.
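Before restarting sshd it is worth checking which PermitRootLogin value will actually take effect, because sshd_config uses first-match semantics. The following is an added shell example (not from the original post) that reproduces that rule for a single keyword; the configurations it operates on are constructed, and it assumes the plain "Keyword value" syntax with no Match blocks before the keyword of interest.

```shell
# Added example, not from the original post: compute the value sshd will
# actually use for a keyword. sshd_config uses first-match semantics: for each
# keyword the FIRST occurrence wins, so appending "PermitRootLogin yes" at the
# end of a file that already says "PermitRootLogin no" changes nothing.
# Simplifications (assumptions): "Keyword value" syntax only (no "Keyword=value"),
# and everything from the first "Match" block onward is ignored because those
# settings are conditional.

# sshd_effective KEYWORD < sshd_config -> prints the effective value, nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }   # comment line
        NF == 0                { next }   # blank line
        tolower($1) == "match" { exit }   # conditional section: stop here
        tolower($1) == key     { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    '
}

# permit_root_login_ok < sshd_config -> 0 if root can only log in with a key (or not at all)
permit_root_login_ok() {
    value=$(sshd_effective PermitRootLogin)
    # Keyword absent: OpenSSH 7.0 and later default to prohibit-password (assumed version)
    [ -n "$value" ] || value=prohibit-password
    case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) echo "PermitRootLogin is '$value'; use prohibit-password (or no)" >&2; return 1 ;;
    esac
}

# Constructed configs (not from any real host) for the two outcomes in the post.
# Weak: what "updated sshd_config to permit root login" usually ends up as.
WEAK_SSHD_CONFIG='PermitRootLogin yes
PasswordAuthentication yes'

# Hardened: root only with a key, nobody with a password.
HARDENED_SSHD_CONFIG='PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes'

# Trap: the appended "yes" on the last line is dead because the earlier "no" wins.
SHADOWED_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes'
```

On a real host use sshd's own tooling instead of this parser: "sshd -t" validates the file before you restart the daemon, and "sshd -T" prints the fully resolved configuration (including defaults and first-match resolution), so "sshd -T | grep -i permitrootlogin" is the authoritative check.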


Now connecting as root from Bastion to Client worked.


Special Note: Today I have seen an issue on a RedHat server where the configuration was fine but key-based authentication still did not work. Surprisingly, the cause was SELinux (Enforcing). The context of the user's home directory and of the files inside it was 'home_root_t', but the correct context is 'user_home_dir_t' for the home directory (and, as the restorecon output below shows, 'ssh_home_t' for .ssh and authorized_keys). Restoring the contexts solved the problem.

# ls -aZ .
drwxr-xr-x. root     root     system_u:object_r:home_root_t:s0 .
dr-xr-xr-x. root     root     system_u:object_r:root_t:s0      ..
drwx------. axess    axess    unconfined_u:object_r:home_root_t:s0 axess
# restorecon -Rv axess

restorecon reset /home/axess context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/axess/.ssh context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/axess/.ssh/authorized_keys context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:ssh_home_t:s0
restorecon reset /home/axess/.bash_history context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/axess/.viminfo context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
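An added shell example (not from the original post) that audits "ls -dZ" style output against the labels the targeted policy assigns under /home, so the mislabelling above can be spotted without reading the restorecon transcript. The sample input is constructed to mirror the broken host above; it assumes home directories live directly under /home and that the SELinux type is the third colon-separated field of the context.

```shell
# Added example, not from the original post: audit SELinux file contexts under
# /home against what the targeted policy expects for SSH to work. Input is
# "context path" lines as printed by "ls -dZ", for instance:
#   ls -dZ /home/axess /home/axess/.ssh /home/axess/.ssh/authorized_keys | audit_contexts
# Assumptions: home directories live directly under /home (the targeted
# policy's default file contexts), and the type is the third colon field.

# expected_home_type PATH -> the SELinux type the default policy assigns
expected_home_type() {
    case "$1" in
        /home/*/.ssh|/home/*/.ssh/*) echo ssh_home_t ;;       # what sshd expects to read
        /home/*/*)                   echo user_home_t ;;      # ordinary files in a home
        /home/*)                     echo user_home_dir_t ;;  # the home directory itself
        /home)                       echo home_root_t ;;      # only /home itself is home_root_t
        *)                           echo unknown ;;
    esac
}

# audit_contexts < "context path" lines -> prints mismatches, returns 1 if any
audit_contexts() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        have=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(expected_home_type "$path")
        if [ "$have" != "$want" ]; then
            echo "$path: have $have, want $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the post's broken host: the home directory and
# .ssh inherited home_root_t, which is not a label sshd expects for user keys.
SAMPLE_LS_Z='unconfined_u:object_r:home_root_t:s0 /home/axess
unconfined_u:object_r:home_root_t:s0 /home/axess/.ssh
unconfined_u:object_r:ssh_home_t:s0 /home/axess/.ssh/authorized_keys
unconfined_u:object_r:user_home_t:s0 /home/axess/.bash_history'
```

The fix remains "restorecon -Rv /home/<user>" as in the transcript above. The audit is only a sanity check for the standard layout: if home directories live somewhere else, such as /srv/home, the policy has no file-context rule for them, and the right fix is to register an equivalence with "semanage fcontext -a -e /home /srv/home" before running restorecon, rather than relabelling by hand.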


