How to Configure SSH Public Key Authentication for Non-Root Users on CentOS


Many administrators encounter issues when implementing public key authentication for non-root users, especially on CentOS systems with encrypted home directories. While root SSH access works flawlessly, regular users often get locked out despite seemingly correct configurations.

The sshd_config directives to verify. %u in AuthorizedKeysFile expands to the login name, and sshd opens that file with the privileges of the target user (not root), so the path must be readable by the user; with the default StrictModes yes, sshd also rejects the file if it or any directory above it is owned by someone other than root or the user, or is writable by group or others.

# /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/user/%u/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
# Keep the CentOS default. The stock sshd_config warns that 'UsePAM no' is not
# supported on RHEL/CentOS; with PasswordAuthentication and
# ChallengeResponseAuthentication both off, PAM only does account and session
# handling and does not re-enable password logins.
UsePAM yes

For centralized key storage outside home directories. The parent /etc/ssh/user stays root-owned and world-traversable (755); only the per-user directory and the key file belong to the user:

sudo mkdir -p /etc/ssh/user/username
sudo chmod 755 /etc/ssh/user
sudo chmod 700 /etc/ssh/user/username
sudo chown username:username /etc/ssh/user/username
sudo cp ~username/.ssh/authorized_keys /etc/ssh/user/username/   # or paste the public key into a new file
sudo chown username:username /etc/ssh/user/username/authorized_keys
sudo chmod 600 /etc/ssh/user/username/authorized_keys

Essential on CentOS with SELinux enforcing (semanage is in policycoreutils-python on CentOS 7 and policycoreutils-python-utils on CentOS 8). The regex must cover the directory itself and everything beneath it, and restorecon applies the new label to files that already exist:

sudo semanage fcontext -a -t ssh_home_t "/etc/ssh/user(/.*)?"
sudo restorecon -Rv /etc/ssh/user

Run SSH in verbose mode for troubleshooting:

ssh -vvv username@server.example.com

Check auth logs for detailed errors:

sudo tail -f /var/log/secure

For user "devuser":

# Create directory structure
sudo mkdir -p /etc/ssh/user/devuser
sudo cp ~devuser/.ssh/authorized_keys /etc/ssh/user/devuser/
sudo chown -R devuser:devuser /etc/ssh/user/devuser
sudo chmod 700 /etc/ssh/user/devuser
sudo chmod 600 /etc/ssh/user/devuser/authorized_keys

# Set SELinux context
sudo semanage fcontext -a -t ssh_home_t "/etc/ssh/user/devuser(/.*)?"
sudo restorecon -Rv /etc/ssh/user/devuser

# Restart SSH service
sudo systemctl restart sshd

Common pitfalls:

  • Incorrect permissions on authorized_keys (must be 600 and owned by the user or root)
  • A parent directory owned by someone other than root or the user, or writable by group/others; with StrictModes on, sshd logs "Authentication refused: bad ownership or modes for directory ..." and ignores the file
  • SELinux restrictions not properly addressed (look for AVC denials with comm="sshd" in /var/log/audit/audit.log)
  • sshd not reloaded or restarted after config changes (run sshd -t first to catch syntax errors before the restart)
  • Malformed or mismatched key formats in authorized_keys (one OpenSSH public key per line; a private key or a PuTTY .ppk block does not work)
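The ownership and mode rules behind the first two pitfalls are the ones sshd enforces in its StrictModes check. The following is an added example, not code from the original page: a shell function that walks the path the way sshd does (the file, then each parent directory, stopping at the user's home directory if given, otherwise at /) and reports every component that sshd would reject. The function name and argument order are this example's own; it relies on GNU stat from coreutils, as shipped with CentOS.

```shell
#!/bin/sh
# Added example (not from the original page): emulate the StrictModes check
# sshd applies before it trusts an authorized_keys file. Each path component
# must be owned by root or the target user and must not be group- or
# world-writable (st_mode & 022 == 0). Requires GNU stat (coreutils).
#
# Usage: check_authorized_keys_path UID FILE [HOME]
#   UID   numeric uid of the login user (id -u username)
#   FILE  absolute path to the authorized_keys file sshd would open
#   HOME  the user's home directory; like sshd, the walk stops once it reaches it
# Prints one line per offending component; returns 0 if all is well, 1 otherwise.
check_authorized_keys_path() {
    cak_uid=$1
    cak_path=$2
    cak_home=${3:-}
    cak_rc=0

    if [ ! -f "$cak_path" ]; then
        echo "missing or not a regular file: $cak_path"
        return 1
    fi

    cak_p=$cak_path
    while :; do
        cak_owner=$(stat -c '%u' "$cak_p") || return 1
        cak_mode=$(stat -c '%a' "$cak_p") || return 1
        if [ "$cak_owner" -ne 0 ] && [ "$cak_owner" -ne "$cak_uid" ]; then
            echo "bad ownership: $cak_p is owned by uid $cak_owner, expected 0 or $cak_uid"
            cak_rc=1
        fi
        # The leading 0 makes the shell read the mode as octal, so the test
        # matches sshd's (st_mode & 022) != 0.
        if [ $(( 0$cak_mode & 022 )) -ne 0 ]; then
            echo "bad modes: $cak_p has mode $cak_mode (group/world writable)"
            cak_rc=1
        fi
        # Same stopping rule as sshd: the home directory (if given) or the root.
        if [ "$cak_p" = "/" ] || [ "$cak_p" = "$cak_home" ]; then
            break
        fi
        cak_p=$(dirname "$cak_p")
    done
    return "$cak_rc"
}

# Stand-alone run against the layout this page sets up (needs a devuser account):
# check_authorized_keys_path "$(id -u devuser)" /etc/ssh/user/devuser/authorized_keys ~devuser
```

Run it as root so stat can read every component. A clean run prints nothing and exits 0; each printed line corresponds to an "Authentication refused: bad ownership or modes" entry sshd would write to /var/log/secure for that user.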

When setting up SSH key authentication for non-root users on CentOS, the sshd_config path, the file-system permissions and the SELinux labels all have to agree. The main difference from the root case is that sshd opens the authorized_keys file as the target user, and with StrictModes enabled also checks ownership and modes on every directory in the path, so a layout that works for root can fail for everyone else.


# Directory layout matching AuthorizedKeysFile /etc/ssh/user/%u/authorized_keys.
# One directory per login name; a single shared authorized_keys directly under
# /etc/ssh/user would let any user log in with any key listed in it.
/etc/ssh/
└── user/                        root:root       0755
    └── devuser/                 devuser:devuser 0700
        └── authorized_keys      devuser:devuser 0600

The sshd_config above uses a non-standard AuthorizedKeysFile location. It works for root because root can read the file whatever its mode; for non-root users sshd reads the file as that user, so ownership and permissions on every component of the path matter:


# Required ownership and permissions (checked by sshd when StrictModes is on):
chmod 755 /etc/ssh/user                              # root-owned, traversable by every user
chmod 700 /etc/ssh/user/username
chmod 600 /etc/ssh/user/username/authorized_keys
chown -R username:username /etc/ssh/user/username    # the per-user directory only, never /etc/ssh/user itself

Use these diagnostic commands to verify your setup. The test -r check below only exercises Unix permissions; an SELinux denial leaves it passing while sshd still fails, so also look for AVC records with comm="sshd" in /var/log/audit/audit.log (ausearch -m AVC -c sshd):


# Check SSH authentication attempts:
sudo tail -f /var/log/secure

# Verify key file accessibility as the user:
sudo -u username test -r /etc/ssh/user/username/authorized_keys && echo "OK"

# Test SSH connection with verbose output:
ssh -vvv username@server.example.com
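The log checks in this block and in the earlier troubleshooting section both come down to recognising a handful of message shapes. The following is an added example, not code from the original page: a shell filter that reads /var/log/secure and audit.log lines on stdin and tags the ones that explain a public-key failure, so the cause (StrictModes ownership, SELinux denial, or a key that simply did not match) is visible at a glance. The tag names are this example's own; the message texts follow OpenSSH's sshd and the kernel AVC record format. The sample lines are constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): triage filter for the lines sshd
# (/var/log/secure or journalctl -u sshd) and the SELinux audit log
# (/var/log/audit/audit.log, or ausearch -m AVC -c sshd) produce when a relocated
# authorized_keys file is unusable. Prints one tag per recognised line.
triage_pubkey_failures() {
    while IFS= read -r line; do
        case "$line" in
            *"Authentication refused: bad ownership or modes for directory "*)
                # StrictModes rejected a directory in the path; the path is the last word.
                echo "STRICTMODES_DIR ${line##* }" ;;
            *"Authentication refused: bad ownership or modes for file "*)
                echo "STRICTMODES_FILE ${line##* }" ;;
            *"avc: "*"denied"*'comm="sshd"'*)
                # SELinux denied sshd; report the label of the object it tried to access.
                ctx=${line#*tcontext=}
                echo "SELINUX_AVC ${ctx%% *}" ;;
            *"Failed publickey for "*)
                # A key was offered but did not match the file sshd actually read.
                user=${line#*Failed publickey for }
                echo "KEY_REJECTED ${user%% *}" ;;
            *"Accepted publickey for "*)
                user=${line#*Accepted publickey for }
                echo "ACCEPTED ${user%% *}" ;;
        esac
    done
}

# Constructed sample lines for this example (not captured from a real host).
sample_lines() {
    cat <<'EOF'
Jan  5 10:00:01 server sshd[1234]: Authentication refused: bad ownership or modes for directory /etc/ssh/user/devuser
Jan  5 10:00:02 server sshd[1235]: Authentication refused: bad ownership or modes for file /etc/ssh/user/devuser/authorized_keys
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1236 comm="sshd" name="authorized_keys" dev="dm-0" ino=12345 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
Jan  5 10:00:04 server sshd[1237]: Failed publickey for devuser from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:0000000000000000000000000000000000000000000
Jan  5 10:00:05 server sshd[1237]: Connection closed by authenticating user devuser 192.0.2.10 port 51234 [preauth]
Jan  5 10:05:00 server sshd[1240]: Accepted publickey for devuser from 192.0.2.10 port 51300 ssh2: ED25519 SHA256:0000000000000000000000000000000000000000000
EOF
}

# Stand-alone run:    sample_lines | triage_pubkey_failures
# On a live CentOS host:
#   sudo grep -h sshd /var/log/secure /var/log/audit/audit.log | triage_pubkey_failures
```

A STRICTMODES_* tag points at the exact path to fix with chown/chmod; a SELINUX_AVC tag whose label is not ssh_home_t means the semanage/restorecon step was skipped or used the wrong pattern; KEY_REJECTED with everything else clean usually means the client offered a key that is not in the file sshd read (check ssh -vvv on the client to see which key was offered).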

For better maintainability, consider AuthorizedKeysCommand instead of relocating the authorized_keys file. sshd runs the command as AuthorizedKeysCommandUser (passing the login name as the only argument when no %-tokens are given) and treats its standard output as authorized_keys content, so the key store behind it must be readable by that unprivileged account (root-owned files with mode 0644 are typical) rather than living in 0700 per-user directories. The command itself must be an absolute path, owned by root and not writable by group or others. With SSSD, sss_ssh_authorizedkeys serves keys from the identity provider:


# In /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# Or a custom script (referenced by absolute path in AuthorizedKeysCommand;
# it receives the login name as $1 and must print keys or exit non-zero):
#!/bin/bash
set -eu
user="$1"
# Accept only plain login names so $1 can never become a path component like "../".
[[ "$user" =~ ^[a-z_][a-z0-9_-]*$ ]] || exit 1
cat "/etc/ssh/users/$user/keys"

SELinux on CentOS confines sshd, and a key file in a non-standard location may carry a label sshd is not allowed to read as a user key file even when the Unix permissions are right; the symptom is an AVC denial for comm="sshd" in /var/log/audit/audit.log. Label the whole tree ssh_home_t and relabel it. If the rule was already added earlier, semanage reports that the context is already defined; use -m instead of -a to replace it:


semanage fcontext -a -t ssh_home_t "/etc/ssh/user(/.*)?"
restorecon -Rv /etc/ssh/user