sshd Authentication refused

Rick Sewill rsewill at gmail.com
Tue Jul 13 19:08:36 UTC 2010



On 07/13/2010 01:43 PM, Kevin Fenzi wrote:
> On Tue, 13 Jul 2010 11:16:46 -0700 (PDT)
> David Highley <dhighley at highley-recommended.com> wrote:
> 
>> New install of Fedora 13 we get the following /var/log/secure entry
>> when we ssh from a Fedora 12 system to the Fedora 13 system:
>> Authentication refused: bad ownership or modes for
>> file /home/dhighley/.ssh/authorized_keys
>>
>> We have checked and tried different modes until we are blue in the
>> face. Have read the updates notes for openssh and Fedora 13 release.
>> Googled the net for known issues and bugzilla.redhat.com. We did check
>> for selinux blocks and found none.
>>
>> User home directory is auto NFS mounted and we use NIS. This works
>> Fedora 12 to Fedora 12.
> 
> You may want to use 'ssh-copy-id' to copy the key over to the f13
> system. That will setup the right permissions and such automatically
> for you. 
> 
> Also, you will want to see if there are any selinux alerts on the f13
> machine. 'ausearch -m avc -ts today' can list the ones from today. 
> 
> kevin
> 

I cannot explain how f12 <--> f12 works, but f12 <--> f13 does not.
I can only guess there is something different for the NFS mount -or-
something different regarding NIS.

=====

One possibility, which I consider very, very remote is the following.

I may be wrong but I think the ownership and modes for all the parent
directories from your /home/dhighley/.ssh directory also matter.

I assume you made sure /home/dhighley/.ssh is mode 700.
What is the mode of /home/dhighley?  Is it 755 (I think that's okay).
I think any write mode for group or other would be bad.
I assume /home/dhighley is owned by you, the user.

What about /home?  Who owns it?  What is its mode?
I think root must own it.
I think only root should have write access to it.

I actually assume the ownership and modes are all correct...the
possibility of this being the problem seems exceedingly rare to me, but
please check.

=====

Another possibility, which I also consider remote, but is worth asking.
On the f13 machine, when you log in as dhighley, is the user name only
found in NIS?  On occasion, if one is testing something new, one might
put in a local account in the /etc/passwd file, and forget it is there.
Depending on your /etc/nsswitch.conf file, the local file is probably
checked before NIS.

Sorry, can't think of anything else.  Others have already mentioned selinux.
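
To make the ownership-and-modes check and the NIS/local-uid question above concrete, here is a small POSIX shell script. It is an added example for this thread, not code from the message or from OpenSSH. It re-applies the rule sshd enforces under StrictModes as I understand it from OpenSSH's auth_secure_path(): the authorized_keys file and every directory from there up to and including the home directory must be owned by the user (compared by numeric uid) or by root, and none of them may be writable by group or other. It assumes GNU coreutils stat(1) (Linux); the directory tree it checks is built under mktemp and named after the user in the thread, purely as constructed input.

```sh
#!/bin/sh
# Re-implementation of sshd's StrictModes path check for authorized_keys
# (modelled on OpenSSH auth_secure_path; added example, not OpenSSH code).
# Assumes GNU coreutils stat(1). Ownership is compared numerically, which is
# where a NIS uid that differs from a stale local /etc/passwd entry shows up.

# path_ok UID PATH -> 0 if PATH is owned by UID or root and has no
# group/other write bit, 1 otherwise.
path_ok() {
    uid="$1"; p="$2"
    owner=$(stat -c %u "$p") || return 1
    mode=$(stat -c %a "$p") || return 1          # e.g. 755, 700, 2775
    [ "$owner" = "0" ] || [ "$owner" = "$uid" ] || return 1
    oth=${mode#"${mode%?}"}                      # last octal digit  (other)
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                      # previous digit    (group)
    case $grp$oth in
        *[2367]*) return 1 ;;                    # digits with the write bit set
    esac
    return 0
}

# check_authkeys_path UID HOMEDIR FILE -> 0 if sshd would accept FILE.
# Prints the same kind of diagnostic sshd logs, naming the first bad element.
check_authkeys_path() {
    uid="$1"; home="$2"; file="$3"
    if [ ! -f "$file" ]; then
        echo "no such file: $file"; return 2
    fi
    if ! path_ok "$uid" "$file"; then
        echo "bad ownership or modes for file $file"; return 1
    fi
    dir=$(dirname "$file")
    while :; do
        if ! path_ok "$uid" "$dir"; then
            echo "bad ownership or modes for directory $dir"; return 1
        fi
        [ "$dir" = "$home" ] && break   # sshd stops once the home dir itself passed
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo "ok: $file"
    return 0
}

# --- demonstration on a constructed, throwaway tree (not a real home) ---
demo=$(mktemp -d)
dhome="$demo/home/dhighley"
dkeys="$dhome/.ssh/authorized_keys"
mkdir -p "$dhome/.ssh"
chmod 755 "$demo/home" "$dhome"
chmod 700 "$dhome/.ssh"
touch "$dkeys"; chmod 600 "$dkeys"
me=$(id -u)

check_authkeys_path "$me" "$dhome" "$dkeys"               # ok
chmod 775 "$dhome"                                        # group-writable home
check_authkeys_path "$me" "$dhome" "$dkeys" || true       # ... for directory .../dhighley
chmod 755 "$dhome"; chmod 664 "$dkeys"                    # group-writable key file
check_authkeys_path "$me" "$dhome" "$dkeys" || true       # ... for file .../authorized_keys
chmod 600 "$dkeys"
check_authkeys_path 65534 "$dhome" "$dkeys" || true       # wrong uid (fails unless run as root)
rm -rf "$demo"
```

sshd makes the same file-versus-directory distinction in its log line, and the message quoted at the top of the thread names the file itself, so the first thing worth comparing on the f13 box is `stat -c '%U %u %a' ~/.ssh/authorized_keys` against the uid that `id -u dhighley` resolves there; if NIS and a leftover /etc/passwd entry disagree on the uid, the numeric ownership check is what fails.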