Bastion host - Source; Client host - Destination
Scenario 1: Same user present on Bastion and Client hosts
On Bastion host – I’ve created the “test” user with
useradd -u 54321 -s /bin/bash -m -d /home/test -c "Test User" test
and generated an SSH keypair for the same user.
Now let’s check the folder and files created. Make a note of the “.ssh” folder permission (700) and of the files inside. “id_rsa.pub” is the public key, which can be shared; “id_rsa” (600) is the private key. Data encrypted with the public key can only be decrypted with the private key.
For key based authentication to work we need to share the public key “id_rsa.pub” with the Client host.
On Client host – the steps are:
1. create the test user
2. create the “.ssh” directory
3. update the folder permission to 700
4. create the file “authorized_keys”
5. copy the contents of “id_rsa.pub” into the authorized_keys file
6. update the file permission to 600
Giving the right permissions is always important.
Typically this is caused by the file permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.
In this case, it can be solved by executing the following on the server.
$ chmod go-w $HOME $HOME/.ssh
$ chmod 600 $HOME/.ssh/authorized_keys
$ chown `whoami` $HOME/.ssh/authorized_keys
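The Client-side steps above, plus the permission check that the note on $HOME, $HOME/.ssh and authorized_keys describes, as an added shell example that is not part of the original post: the home directory path and the public key file are arguments (assumptions), and the check mirrors what sshd rejects under its default strict permission checking.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh with
# ls, cut, grep, mkdir, chmod, touch and cat available.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (700), appends the key to authorized_keys (600)
# unless it is already there, and strips group/other write from HOME_DIR.
install_authorized_key() {
  home="$1"; pubkey="$2"
  mkdir -p "$home/.ssh" || return 1
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # skip duplicate entries when the script is re-run
  if ! grep -qxF "$(cat "$pubkey")" "$home/.ssh/authorized_keys"; then
    cat "$pubkey" >> "$home/.ssh/authorized_keys"
  fi
  chmod go-w "$home"
}

# mode_of PATH -> symbolic mode string such as drwx------ (uses ls -ld,
# which is portable where stat's flags are not)
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# check_ssh_perms HOME_DIR -> prints one line per problem, returns 1 if any
check_ssh_perms() {
  home="$1"; rc=0
  m=$(mode_of "$home")
  case "$m" in
    ?????w????|????????w?) echo "BAD: $home is group/other writable ($m)"; rc=1 ;;
  esac
  m=$(mode_of "$home/.ssh")
  [ "$m" = "drwx------" ] || { echo "BAD: $home/.ssh should be 700 ($m)"; rc=1; }
  m=$(mode_of "$home/.ssh/authorized_keys")
  [ "$m" = "-rw-------" ] || { echo "BAD: authorized_keys should be 600 ($m)"; rc=1; }
  return $rc
}
```

Run check_ssh_perms against the target user's home on the Client host whenever key based login unexpectedly asks for a password; it reports exactly the permission problems the chmod/chown lines above fix.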
Let’s try connecting from the Bastion host to the Client now.
Scenario 2: Different users on Bastion and Client hosts
Let’s create one more user, “test2”, on the Client host and place the public key in its authorized_keys file.
Try connecting from the “test” user on Bastion to “test2” on Client.
Scenario 3: From a regular user on Bastion to the root user on Client (not advisable, but we’ll give it a go).
I’ve added the public key to “authorized_keys” under the root user on the Client host.
But when I try to connect as root: “permission denied”.
On the Client host, “PermitRootLogin” in sshd_config does not allow root login, which blocks connections as root even after the public key has been added to root’s authorized_keys file.
Updated sshd_config to permit root login and restarted the sshd process.
Connecting as root from Bastion to Client worked this time.
Special Note: Today I saw an issue on a RedHat server where the configuration was fine but key based authentication still did not work. Surprisingly, it was because of SELinux (Enforcing): the context of the user’s home directory and the files inside was ‘home_root_t’, but the correct context is ‘user_home_dir_t’. Restoring the context solved the problem.