Password requested when connecting via SSH key
Symptoms
When trying to connect to a server via SSH with an SSH key, the connection is interrupted by a password request.
Causes
- Incorrect sshd configuration
- Incorrect SSH key format
- Incorrect access permissions on the authorized_keys file
Solution
Sshd configuration check
Check the SSH settings on the server in the /etc/ssh/sshd_config file. Make sure the following lines are uncommented and set to the desired values:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Next, restart the sshd service:
sudo systemctl restart sshd
If the service is configured incorrectly, restarting sshd may cause loss of access to the server.
Before restarting the service, make sure you have an alternative way of accessing the server, for example, via the interface on the hosting provider side.
SSH key format check
Make sure your public key in the file at ~/.ssh/authorized_keys matches one of the formats below.
The key may contain additional prefixes!
SSH-RSA
The SSH-RSA key format looks like this:
ssh-rsa AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS
This is one of the most common key formats and is based on the RSA algorithm. Such keys can be from 2048 to 4096 bits long.
SSH-DSS
The SSH-DSS key format looks like this:
ssh-dss AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS
This format is based on the DSA algorithm. Because of limitations on the key length (up to 1024 bits) and security issues, its use has become less common.
ECDSA-SHA2-NISTP
The ECDSA-SHA2-NISTP format key looks like this:
ecdsa-sha2-nistp256 AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS
The ECDSA-SHA2-NISTP256, ECDSA-SHA2-NISTP384, and ECDSA-SHA2-NISTP521 formats use the ECDSA algorithm and provide high security with a smaller key size compared to RSA.
Authorized_keys file permissions check
Make sure the file at ~/.ssh/authorized_keys has permissions 600:
ls -lah ~/.ssh/authorized_keys
-rw------- 1 root root 2.4K Nov 27 18:00 /root/.ssh/authorized_keys
If the permissions are incorrect, change them with the following command:
chmod 600 ~/.ssh/authorized_keys
Also check the permissions on the ~/.ssh/ directory; it should have permissions 700:
ls -lah ~/.ssh
drwx------ 2 root root 4.0K Nov 27 18:00
If the permissions are incorrect, change them with the command:
chmod 700 ~/.ssh
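
The key format and permission checks above can be combined into one shell function. This is an added example, not part of the original article. The function names are hypothetical, and ssh-ed25519 is accepted in addition to the formats listed above as an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): audit the directory that
# sshd reads public keys from. Prints one line per problem found and
# returns the number of problems (0 = nothing wrong).

# Key types from the article, plus ssh-ed25519 (an assumption: not listed there).
KEY_TYPES='ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519'

# has_mode PATH MODE: true when PATH has exactly the octal permissions MODE.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# bad_key_lines FILE: print the number of every line that is not
# "[options] TYPE BASE64 [comment]". Blank lines and # comments are skipped.
# A key pasted with a line break in the middle shows up as two bad lines.
bad_key_lines() {
    awk -v types="$KEY_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) known[t[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if (($i in known) && $(i + 1) ~ "^[A-Za-z0-9+/=]+$") ok = 1
            if (!ok) print NR
        }' "$1"
}

# check_ssh_dir [DIR]: DIR defaults to ~/.ssh of the current user.
check_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    file=$dir/authorized_keys
    problems=0
    has_mode "$dir" 700 || { echo "$dir: permissions are not 700"; problems=$((problems + 1)); }
    if [ ! -f "$file" ]; then
        echo "$file: file not found"
        return $((problems + 1))
    fi
    has_mode "$file" 600 || { echo "$file: permissions are not 600"; problems=$((problems + 1)); }
    for n in $(bad_key_lines "$file"); do
        echo "$file: line $n is not a valid key entry"
        problems=$((problems + 1))
    done
    return "$problems"
}
```

Source the file on the server as the user who cannot log in and run check_ssh_dir; pass a path such as /home/USERNAME/.ssh to audit another account.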