I recently fired up a CentOS 6 VPS for debugging and testing some remote stuff. However, when I tried using an SSH key to log in remotely, I was stopped with the dreaded “Server refused our key” error that we’ve all seen when we mess up an SSH key or use a PuTTYgen-created public key rather than copy/pasting the OpenSSH key contents into authorized_keys like we should (don’t act like you’ve never done it).
So I triple-checked everything and even used ssh-keygen on the server to create the keys rather than using PuTTYgen, but it still wouldn’t work. As I was Googling around searching for answers, I noticed people using a restorecon command and the “PermitRootLogin without-password” setting in their sshd_config file for enabling root login via passwordless keys. An example post can be found here.
Turns out the restorecon command is what we need to use. I don’t know much about the command, but its man page says it “restore file(s) default SELinux security contexts”.
After running this on my server, I was able to log in as user adam with a password-less SSH key:
restorecon -R -v /home/adam/.ssh
I’m honestly not sure what the restorecon command does, but I know it’s what’s needed to make password-less SSH keys work for user adam. If you want to log in as root with a password-less SSH key, then you’d run this command:
restorecon -R -v /root/.ssh
As a note, I’m unsure if this is just CentOS 6 or not, but a friend that uses CentOS 5.x said that he has never had to use the restorecon command to get SSH keys to work, so it might be a new standard feature found in the release notes of CentOS 6.
I was getting this error for a while when trying to use an authentication key in PuTTY to connect to an Ubuntu Server machine:
Server refused our key.
Long story short, the problem lies within my home directory being encrypted when I’m not logged in. Read below for further explanation.
The solution is to move the authorized_keys file location outside the home folder so the SSH daemon can access it even when you’re not logged in:
- sudo mkdir /etc/ssh/publicSSHkeys # Create a folder for public SSH keys
- sudo mv ~/.ssh/authorized_keys /etc/ssh/publicSSHkeys/ # Move the authorized_keys file there
- sudo nano /etc/ssh/sshd_config # Modify sshd_config to point at the new location
change this… “AuthorizedKeysFile %h/.ssh/authorized_keys”
to this… “AuthorizedKeysFile /etc/ssh/publicSSHkeys/authorized_keys”
NOTE: Sometimes the “AuthorizedKeysFile” variable is commented out, so remove the number sign if it is (Thanks to Frank for the tip!).
- sudo service sshd reload # Then you just need to reload the server
- You’ll still need to make sure your public key is in /etc/ssh/publicSSHkeys/authorized_keys, and your SSH client (in my case PuTTY) is loading your private key. There are numerous SSH key tutorials on the webernets.
Automatic home directory encryption is an option when installing Ubuntu systems (both desktop and server), and I recommend using it. I like knowing that, if I’m not logged in, my home directory is encrypted. However, this means that any server or daemon that requires access to a file or folders in your home directory will fail if you’re not logged in. Keep that in mind.
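Both fixes above (relabelling ~/.ssh on CentOS, relocating authorized_keys on Ubuntu) deal with sshd failing to read the key file before it ever checks the key itself, and sshd is just as silent when StrictModes rejects the file over ownership or permissions. The script below is an added example, not from either original post: it resolves the AuthorizedKeysFile path for a user the way sshd does (including the %h and %u tokens) and applies the StrictModes ownership and write-bit rules, against a constructed temp directory. It assumes GNU or BusyBox coreutils for stat -c and a POSIX sh, and the per-user %u layout in its sample config is my own variation on the post’s single shared file.

```shell
#!/bin/sh
# Added example, not from the original post. Two read-only checks for a user who gets
# "Server refused our key": where sshd will actually look for authorized_keys, and
# whether StrictModes will reject it. Assumes GNU/BusyBox coreutils (stat -c), POSIX sh.

# Resolve the first AuthorizedKeysFile value in an sshd_config for one user, expanding
# sshd's %h (home), %u (user) and %% tokens. Commented lines are skipped; no keyword
# means sshd's default of .ssh/authorized_keys under the home directory.
resolve_authorized_keys() {
  cfg=$1 user=$2 home=$3
  path=$(grep -i '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$cfg" | head -n 1 | awk '{print $2}')
  [ -n "$path" ] || path='.ssh/authorized_keys'
  path=$(printf '%s\n' "$path" | sed "s|%h|$home|g; s|%u|$user|g; s|%%|%|g")
  case $path in /*) ;; *) path="$home/$path" ;; esac
  printf '%s\n' "$path"
}

# The ownership/permission rules sshd enforces under StrictModes: the home directory,
# the directory holding the key file and the file itself must belong to the user or
# root and must not be group- or world-writable. Prints one line per problem; 0 if clean.
check_strict_modes() {
  user=$1 home=$2 keyfile=$3 rc=0
  for p in "$home" "$(dirname "$keyfile")" "$keyfile"; do
    if [ ! -e "$p" ]; then echo "MISSING  $p"; rc=1; continue; fi
    mode=$(stat -c '%a' "$p"); owner=$(stat -c '%U' "$p")
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
      echo "OWNER    $p belongs to $owner, not $user or root"; rc=1
    fi
    # leading 0 makes the mode octal; bit 2 of the group or others digit is the write bit
    if [ $(( (0$mode >> 3) & 2 )) -ne 0 ] || [ $(( 0$mode & 2 )) -ne 0 ]; then
      echo "WRITABLE $p has mode $mode (group/other writable)"; rc=1
    fi
  done
  return $rc
}

# Constructed scenario in a temp dir: a .ssh that became group-writable, and an
# sshd_config that relocates keys out of the home like the post, but per user via %u.
demo() {
  tmp=$(mktemp -d); me=$(id -un)
  mkdir -p "$tmp/home/.ssh" "$tmp/etc/ssh"
  echo 'ssh-ed25519 PLACEHOLDER_NOT_A_REAL_KEY demo@example' > "$tmp/home/.ssh/authorized_keys"
  chmod 770 "$tmp/home/.ssh"
  printf '#AuthorizedKeysFile .ssh/authorized_keys\nAuthorizedKeysFile /etc/ssh/publicSSHkeys/%%u/authorized_keys\n' > "$tmp/etc/ssh/sshd_config"
  echo "sshd would read: $(resolve_authorized_keys "$tmp/etc/ssh/sshd_config" "$me" "$tmp/home")"
  check_strict_modes "$me" "$tmp/home" "$tmp/home/.ssh/authorized_keys" && echo "StrictModes: OK"
  rm -rf "$tmp"
}
demo
```

With one fixed path as in the post, every account is checked against the same file, so a key listed there is not tied to one user; the %u token keeps a file per user. On a CentOS host, restorecon -n -v -R ~/.ssh shows which files would be relabelled without changing anything.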