by Arit Amana
What to do when key-based authentication isn’t working after ssh-copy-id
I recently provisioned a Ubuntu virtual private server (VPS) on Vultr. I’m partial to CentOS myself, but the task I was working on recommended Ubuntu.
To set up key-based authentication from my laptop to the server,
- I generated a new SSH keypair (named “ubuntu”) on my Mac using the command:
ssh-keygen -t rsa -b 4096
- I then used the
ssh-copy-idutility to copy my public key over to the
authorized_keysfile on my Vultr VPS:
ssh-copy-id -i .ssh/ubuntu [email protected]
As I expected, the utility asked for my VPS password in order to complete the public key transfer. When all was done, I attempted to login to my VPS.
It should have let me through without requiring a password:
ssh -i .ssh/ubuntu [email protected]
But I kept getting prompted for a password. 🤨
- I checked my
authorized_keysfile over on the VPS to make sure my public key had been copied over correctly. Check. 👍🏾
- I made sure that the file was read-write only for myself and none others. Check. 👍🏾
- I made sure that the following options were enabled in
AuthorizedKeysFile .ssh/authorized_keys. Check. 👍🏾
Still, I kept getting prompted for a password upon login from my laptop.
After a few minutes on StackOverflow, I learned about Encrypted Home Directories, which are default in some environments, including Ubuntu.
Encrypted home directories aren’t decrypted until the initial login is successful. However, my
authorized_keys file is stored in my home directory.
Therefore, my first connection attempt will require a password. Subsequent connections will succeed without a password, since the SSH service will then be able to read my
authorized_keys file in my decrypted home directory.
To get around this, I created a directory named after my username
aritdev outside of my home directory (I chose
/etc/), and gave it full permissions for myself, but read-execute permissions for everyone else. Next, I moved my
authorized_keys file into
/etc/aritdev/. Then, I updated the
AuthorizedKeysFile parameter in
Finally, I restarted the SSH service. To test, I logged out of my VPS, then attempted to log back in. BOOM - it worked! 💃🏾
What issues related to server authentication have you experienced? How did you solve them? Please share below! 👍🏾