Vincent Ko

VK's Blog

SSH Troubleshooting Guide for Passwordless Login

Under normal circumstances, you can achieve passwordless login by using key pairs and adding the public key to the ~/.ssh/authorized_keys file on the server.

However, there may be unexpected situations. Recently, I encountered a problem where I still needed to enter a password even after confirming that the configuration was correct. Here, I will record the troubleshooting process and organize all possible situations.

Possible reasons for being unable to log in without a password

1. File and directory permission issues

Check the permissions of the ~/.ssh directory and the ~/.ssh/authorized_keys file of the target user (called user in this post). If these permissions are too open, the SSH service rejects the key.

Therefore, you must set ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.

# Execute on the home directory of the target user on the remote server
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

The ~ symbol refers to the home directory of the current user. If you are working as root and want to fix the configuration file and directory of another user, you must use the absolute path of that user's home instead. In general, the absolute path of the user's home directory is /home/user/. If a data disk is mounted, it may also be /data/home/user, depending on the specific setup.

2. SSH configuration file

This is a problem that is easily overlooked. In general, the default SSH configuration is fine. However, if you still cannot connect after confirming the above, check the SSH configuration file /etc/ssh/sshd_config to ensure that the following settings are enabled:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

These two settings respectively enable public key authentication and specify the location of the public key file. After modifying them, you need to restart the sshd service.

sudo systemctl restart sshd

The restart command may vary depending on the system. If systemctl is not found, you can try sudo service sshd restart.

3. Permission issues with the user's home directory

If you want to use passwordless login for the user, you must ensure that the user's home directory is not writable by other users. If other users can write to the home directory, sshd treats the setup as insecure and refuses public key login. Therefore, the home directory should be restricted so that only its owner can write to it.

# Execute on the remote server; only the owner keeps write permission
chmod 755 /data/home/user
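To check all three permission causes above (home directory, ~/.ssh, authorized_keys) in one pass, here is an added helper that is not part of the original post. It replays the ownership and group/other-writable checks that lead sshd to log "bad ownership or modes", and assumes GNU coreutils stat; the path /data/home/user and the owner name are just placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: replay the ownership and
# mode checks that make sshd log "bad ownership or modes" when StrictModes
# is on, for the three paths the post discusses. Assumes GNU coreutils stat.
# Usage: check_ssh_perms /data/home/user [expected-owner]

# Succeeds (exit 0) only if every path exists, is owned by the expected user,
# and is not writable by group or others; prints one line per problem.
check_ssh_perms() {
    home="$1"
    if [ ! -d "$home" ]; then
        echo "MISSING   $home (home directory does not exist)"
        return 1
    fi
    owner="${2:-$(stat -c '%U' "$home")}"
    rc=0
    # path:recommended mode from the post (755 / 700 / 600)
    for spec in "$home:755" "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path="${spec%:*}"
        want="${spec##*:}"
        if [ ! -e "$path" ]; then
            echo "MISSING   $path"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        who=$(stat -c '%U' "$path")
        # sshd also tolerates root-owned paths here; the post's advice is
        # ownership by the login user, so that is what we require.
        if [ "$who" != "$owner" ]; then
            echo "BADOWNER  $path owned by $who, expected $owner"
            rc=1
        fi
        # The last two octal digits are group and other; a 2, 3, 6 or 7
        # means the write bit is set, which is exactly what sshd refuses.
        tail="${mode#"${mode%??}"}"
        case "$tail" in
            *[2367]*)
                echo "BADMODE   $path is $mode, group/other writable; use chmod $want"
                rc=1
                ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK        $home, .ssh and authorized_keys pass"
    return $rc
}
```

Run it as the user (or as root with the user's home as the argument) before reading the sshd log; a BADMODE line on the home directory corresponds to the log entry discussed below.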

Log analysis

If all the above causes have been checked and you still cannot log in without a password, consult the SSH service's log, which usually records the reason for a login failure. On systemd-based systems (including Fedora, Ubuntu, Debian, and CentOS/RHEL 7 and later), you can use the following command:

sudo journalctl -u sshd

For example, when I was troubleshooting, I found the following content in the log:

-- Logs begin at Tue 2024-03-19 10:34:54 CST, end at Thu 2024-03-21 10:19:04 CST. --
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=1001, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: DBG|operate_common.h|55|MakeNslcdInteraction|action=5003, interaction ok
Mar 21 10:12:26 VMOS sshd[767024]: Authentication refused: bad ownership or modes for directory /data/home/user
Mar 21 10:12:26 VMOS sshd[767031]: DBG|operate_common.h|55|MakeNslcdInteraction|action=80003, interaction ok
Mar 21 10:12:31 VMOS sshd[767031]: pam_tsso(sshd:auth): Authentication failure for user from xx.xx.xx.xx

Note the line "Authentication refused: bad ownership or modes for directory /data/home/user": the modes (permissions) of the user's home directory are incorrect, so sshd denies public key access.

Fixing the permissions of /data/home/user as described in item 3 above resolves the problem.
