Password requested when connecting via SSH key

Symptoms

When trying to connect to a server via SSH with an SSH key, the connection is interrupted by a password request.

Causes

  • Incorrect sshd configuration
  • Incorrect SSH key format
  • Incorrect permissions on the authorized_keys file

Solution

Sshd configuration check

Check the SSH settings on the server in the /etc/ssh/sshd_config file. Make sure the following lines are uncommented and set to the desired values:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Next, restart the sshd service:

sudo systemctl restart sshd

Important!

If sshd is configured incorrectly, restarting the service may cause loss of access to the server.

Before restarting the service, make sure you have an alternative way of accessing the server, for example, through the hosting provider's interface.

SSH key format check

Make sure your public key in the file at ~/.ssh/authorized_keys matches one of the formats below.

Please note!

A key entry may contain additional prefixes before the key type!

SSH-RSA

The SSH-RSA key format looks like this:

ssh-rsa AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS

This is one of the most common key formats and is based on the RSA algorithm. Such keys can be from 2048 to 4096 bits long.

SSH-DSS

The SSH-DSS key format looks like this:

ssh-dss AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS

The format is based on the DSA algorithm. Due to limitations on the key length (up to 1024 bits) and security issues, its use has become less common.

ECDSA-SHA2-NISTP

The ECDSA-SHA2-NISTP format key looks like this:

ecdsa-sha2-nistp256 AAAAB3NzaC1yc...2EAAAABIwAAAQEAr USERNAME@SERVER_ADDRESS

The ECDSA-SHA2-NISTP256, ECDSA-SHA2-NISTP384, and ECDSA-SHA2-NISTP521 formats use the ECDSA algorithm and provide high security with a smaller key size compared to RSA.

Authorized_keys file permissions check

Make sure the file at ~/.ssh/authorized_keys has permissions 600:

ls -lah ~/.ssh/authorized_keys 
-rw------- 1 root root 2.4K Nov 27 18:00 /root/.ssh/authorized_keys

If the permissions are incorrect, change them with the following command:

chmod 600 ~/.ssh/authorized_keys

Also check the permissions on the ~/.ssh/ directory; it should have permissions 700:

ls -lah ~/.ssh
drwx------  2 root root 4.0K Nov 27 18:00

If the permissions are incorrect, change them with the command:

chmod 700 ~/.ssh
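
The key format and permission checks above can be run in one pass. The following is an added example, not part of the original article: a POSIX shell function that reports wrong modes on ~/.ssh and authorized_keys and flags entries that lack a recognizable key type or key data, including entries that start with an options prefix. The function name check_pubkey_files is hypothetical, and accepting ssh-ed25519 is an assumption, since the article does not list that type.

```shell
#!/bin/sh
# Added example (not from the article). Audits the files sshd reads for
# public-key login. check_pubkey_files is a hypothetical helper name.
# Usage: check_pubkey_files [ssh_dir]    (default: ~/.ssh)
# Prints one finding per line; returns 0 when nothing is wrong, 1 otherwise.
check_pubkey_files() {
    dir=${1:-$HOME/.ssh}
    file=$dir/authorized_keys
    rc=0

    # Compare the mode string printed by ls with the modes the article requires.
    [ "$(ls -ld "$dir" 2>/dev/null | cut -c1-10)" = "drwx------" ] ||
        { echo "PERM $dir: expected 700"; rc=1; }
    [ "$(ls -l "$file" 2>/dev/null | cut -c1-10)" = "-rw-------" ] ||
        { echo "PERM $file: expected 600"; rc=1; }

    # An entry is: [options] keytype base64-data [comment], all on one line.
    # Find the key type field (skipping any options prefix), then require the
    # next field to be a single base64 token.
    # ssh-ed25519 is accepted too (assumption: a type the article does not list).
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines are allowed
        {
            t = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                    t = i; break
                }
            if (!t) {
                print "FORMAT line " NR ": no known key type"; bad = 1; next
            }
            if ($(t + 1) !~ "^[A-Za-z0-9+/]+=*$") {
                print "FORMAT line " NR ": key data missing or not base64"; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file" 2>/dev/null || rc=1
    return $rc
}
```

Source the file and call check_pubkey_files as the account that fails to log in. A "no known key type" finding usually means the key was pasted in another format or wrapped across several lines.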