Troubleshooting SSH Public Key Authentication Failure in RHEL 4: authorized_keys Not Working



First, verify these critical settings in /etc/ssh/sshd_config:

# Ensure these lines exist and aren't commented out:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

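For RHEL 4 specifically, add these legacy settings:

Protocol 2
PermitRootLogin without-password
StrictModes no

StrictModes no makes sshd skip its ownership and permission checks on the home directory, ~/.ssh and authorized_keys. Use it to confirm that permissions are what blocks the login, then fix them and set it back to yes.

With StrictModes enabled, RHEL 4 enforces strict permission requirements: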

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown -R gituser:gituser ~/.ssh

For system-wide troubleshooting, check SELinux contexts:

ls -Z ~/.ssh/authorized_keys
# Should show: user_u:object_r:ssh_home_t

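Old SSH implementations often choke on key formats they do not expect. authorized_keys needs one public key per line in OpenSSH format, so a public key in RFC 4716 (SSH2) format has to be converted first:

ssh-keygen -i -f id_rsa_rfc4716.pub > id_rsa.pub

Then append to authorized_keys:

cat id_rsa.pub >> ~/.ssh/authorized_keys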

Run SSH with maximum verbosity:

ssh -vvv gituser@host

Server-side debugging (add to sshd_config):

LogLevel DEBUG3

Then check logs:

tail -f /var/log/secure | grep sshd

For RHEL 4 compatibility, generate legacy-format keys:

ssh-keygen -t rsa -b 1024 -m PEM

For PuTTY users, convert PPK to OpenSSH format:

puttygen key.ppk -O private-openssh -o id_rsa
puttygen key.ppk -L > id_rsa.pub

If all else fails, temporarily enable password auth for testing:

# In sshd_config:
PasswordAuthentication yes

Reload the daemon so the change takes effect. After testing, set the directive back to no and reload again:

service sshd reload

When your SSH server ignores authorized_keys, start with these fundamental verifications:


# Verify permissions (critical on RHEL 4)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# Confirm ownership
chown -R git:git ~/.ssh

# Validate key format (especially important when transferring keys between Windows/Linux)
file ~/.ssh/authorized_keys
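
An added example (not part of the original page) that scripts the permission and key-format checks above: it flags group- or other-writable paths and wrong owners, which is what sshd's StrictModes rejects, and authorized_keys lines that are not one-line OpenSSH keys (CRLF endings from a Windows transfer, pasted RFC 4716 blocks). The function names are hypothetical, and it assumes the server accepts only ssh-rsa and ssh-dss keys.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumption: the server accepts only ssh-rsa / ssh-dss (protocol 2) keys.

# check_perms PATH: fail if PATH is group/other writable or owned by someone
# other than the current user or root (the conditions StrictModes rejects).
check_perms() {
    mode=$(ls -ldn "$1" | cut -c1-10)
    uid=$(ls -ldn "$1" | awk '{print $3}')
    case $mode in
        ?????w*|????????w*) echo "FAIL $1: group/other writable ($mode)"; return 1 ;;
    esac
    if [ "$uid" != "$(id -u)" ] && [ "$uid" != 0 ]; then
        echo "FAIL $1: owned by uid $uid"; return 1
    fi
    echo "OK   $1: $mode"
}

# check_keys FILE: fail on lines that are not one-line OpenSSH public keys.
check_keys() {
    bad=0 n=0
    cr=$(printf '\r')
    key_re='(^|[[:space:]])(ssh-rsa|ssh-dss)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
            *"$cr") echo "FAIL line $n: CRLF line ending"; bad=1; continue ;;
            *'BEGIN SSH2 PUBLIC KEY'*)
                echo "FAIL line $n: RFC 4716 block, convert with ssh-keygen -i"
                bad=1; continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq "$key_re"; then
            echo "FAIL line $n: no ssh-rsa/ssh-dss key found"; bad=1
        fi
    done < "$1"
    return $bad
}

# audit_ssh_dir DIR: run every check; exit status = number of failed checks.
# Usage: audit_ssh_dir "$HOME/.ssh"
audit_ssh_dir() {
    fails=0
    check_perms "$1" || fails=$((fails + 1))
    check_perms "$1/authorized_keys" || fails=$((fails + 1))
    check_keys "$1/authorized_keys" || fails=$((fails + 1))
    return $fails
}
```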

On RHEL 4, the default SSH configuration often needs explicit adjustments. Check these directives in /etc/ssh/sshd_config:


PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Comments go on their own line: older sshd versions reject trailing text after a directive.
# Required for older SSH versions
RSAAuthentication yes
# For testing purposes only
PasswordAuthentication no

Remember to restart the SSH daemon after changes:


service sshd restart

For precise diagnostics, run the client with debug flags:


ssh -vvv git@yourserver.com

Simultaneously check server logs (location varies on RHEL 4):


tail -f /var/log/secure | grep sshd

Older SSH versions have unique requirements:


# For SSH Protocol 1 compatibility (if absolutely necessary)
ssh-keygen -t rsa1 -f /path/to/key

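# Key format conversion example (when migrating from PuTTY).
# The input is the public key file saved by PuTTYgen (RFC 4716 format), not the
# .ppk private key; putty_public.pub is a placeholder name.
# >> appends, so keys already in authorized_keys are kept.
ssh-keygen -i -f putty_public.pub >> ~/.ssh/authorized_keys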

On RHEL systems, SELinux might block key access:


# Check current context
ls -Z ~/.ssh/authorized_keys

# Restore default context if needed
restorecon -R -v ~/.ssh

When standard debugging fails, test with a minimal forced command:


# In authorized_keys
command="echo SSH_KEY_AUTH_SUCCESS" ssh-rsa AAAAB3... user@host

Then attempt connection and check for the echo output.