Password requested when connecting via SSH key
Symptoms
When trying to connect to a server via SSH with an SSH key, the connection is interrupted by a password request.
Causes
- Incorrect sshd configuration
- Incorrect SSH key format
- Incorrect permissions for the authorized_keys file
Solution
Sshd configuration check
Check the SSH settings on the server in the /etc/ssh/sshd_config file. Make sure the following lines are uncommented and set to the desired values:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Next, restart the sshd service:
sudo systemctl restart sshd
If the service is configured incorrectly, restarting the sshd service may cause loss of access to the server.
Before restarting the service, make sure you have an alternative way of accessing the server, for example, via the interface on the hosting provider side.
SSH key format check
Make sure your public key in the file at ~/.ssh/authorized_keys matches one of the formats below.
The key may contain additional prefixes!
SSH-RSA
The SSH-RSA key format looks like this:
ssh-rsa AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS
This is one of the most common key formats and is based on the RSA algorithm. Such keys can be from 2048 to 4096 bits long.
SSH-DSS
The SSH-DSS key format looks like this:
ssh-dss AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS
The format is based on the DSA algorithm. Due to limitations on the key length (up to 1024 bits) and security issues, its use has become less common.
ECDSA-SHA2-NISTP
The ECDSA-SHA2-NISTP format key looks like this:
ecdsa-sha2-nistp256 AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS
The ECDSA-SHA2-NISTP256, ECDSA-SHA2-NISTP384, and ECDSA-SHA2-NISTP521 formats use the ECDSA algorithm and provide high security with a smaller key size compared to RSA.
Authorized_keys file permissions check
Make sure the file at ~/.ssh/authorized_keys has permissions 600:
ls -lah ~/.ssh/authorized_keys
-rw------- 1 root root 2.4K Nov 27 18:00 /root/.ssh/authorized_keys
If the permissions are incorrect, change them with the following command:
chmod 600 ~/.ssh/authorized_keys
Also check the permissions on the ~/.ssh/ directory; it should have permissions 700:
ls -lah ~/.ssh
drwx------ 2 root root 4.0K Nov 27 18:00
If the permissions are incorrect, change them with the command:
chmod 700 ~/.ssh
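An added example, not part of the original article: a POSIX shell check covering the key format and permissions sections above. Beyond the article's visual comparison, it decodes each key's base64 blob and confirms that the type name stored inside matches the declared key type, which catches truncated or line-wrapped keys. The function names, the inclusion of ssh-ed25519, and the availability of `base64 -d` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article). check_ssh_dir, check_key_line and
# blob_type are hypothetical helper names. Usage: sh check_ssh_dir.sh ~/.ssh

# Key types from the article, plus ssh-ed25519 (not listed in the article,
# but also accepted by OpenSSH).
KEY_TYPES='ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384
ecdsa-sha2-nistp521 ssh-ed25519'

# Print the type name stored inside a base64 key blob: the blob starts with
# a 4-byte length followed by the type name. $2 is the expected name length.
blob_type() {
    printf '%s' "$1" | base64 -d 2>/dev/null | tail -c +5 | head -c "$2" |
        tr -d '\000'
}

# Succeed if the line has a known key type followed by a blob that decodes
# to the same type. Option prefixes before the key type are skipped.
check_key_line() {
    set -f; set -- $1; set +f   # split the line into fields without globbing
    while [ $# -ge 2 ]; do
        for t in $KEY_TYPES; do
            if [ "$1" = "$t" ]; then
                [ "$(blob_type "$2" "${#t}")" = "$t" ]; return
            fi
        done
        shift
    done
    return 1
}

# Print one line per problem; return 0 only if modes and all keys are fine.
check_ssh_dir() {
    dir=$1; file=$dir/authorized_keys; rc=0; n=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    [ "$(ls -ld "$dir" | cut -c1-10)" = 'drwx------' ] ||
        { echo "directory mode is not 700: $dir"; rc=1; }
    [ "$(ls -l "$file" | cut -c1-10)" = '-rw-------' ] ||
        { echo "file mode is not 600: $file"; rc=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        check_key_line "$line" || { echo "line $n: bad or damaged key"; rc=1; }
    done < "$file"
    return $rc
}

[ $# -eq 0 ] || check_ssh_dir "$1"
```

The script prints nothing and exits 0 when the directory, the file and every key line pass; otherwise it names each failing item.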