SSH Public Key Authentication Fails When UsePAM=no: Debugging and Fixing Permission Issues


1 views

When hardening SSH server security by disabling password authentication, many admins encounter an unexpected side effect: public key authentication stops working when UsePAM is disabled. This behavior occurs because certain Linux distributions (particularly Ubuntu/Debian) implement critical authentication components through PAM modules.

# Typical secure configuration that breaks key auth
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

The root cause lies in how Ubuntu's SSH package integrates with Pluggable Authentication Modules (PAM). Even though public key auth theoretically shouldn't require PAM, Ubuntu's implementation uses PAM for:

  • Account verification (checking account status/lock status)
  • Environment variable setup
  • Session management hooks

The client-side debug output shows the authentication progression:

debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/user/.ssh/deploy
debug1: Authentications that can continue: publickey

Server-side logs (typically /var/log/auth.log) would show more details about the rejection reason when UsePAM=no.

For Ubuntu/Debian systems, you have several approaches:

Option 1: Keep UsePAM enabled

# Minimal working config
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Option 2: Custom PAM Configuration

Create a minimal PAM config for SSH that only handles account verification:

# /etc/pam.d/sshd
account required pam_nologin.so
account required pam_permit.so

Option 3: Recompile SSHD

Advanced users can recompile OpenSSH with different PAM integration:

./configure --with-pam --without-pam-account
make
sudo make install

After making changes, always verify:

sudo sshd -t  # Test config syntax
sudo service ssh restart
ssh -v -i ~/.ssh/key user@host

The debug output should now show successful authentication when presenting valid keys.

Many admins disable PAM (Pluggable Authentication Modules) in SSH for security hardening, but discover key-based auth mysteriously breaks. Here's why:

# Typical hardening config that causes the issue:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no  # <- This is the culprit

In Ubuntu/Debian systems, PAM handles critical authentication components through /etc/pam.d/sshd:

# Relevant PAM module in /etc/pam.d/sshd
@include common-auth  # Handles authorized_keys processing

When UsePAM no is set:

  • The authorized_keys file isn't processed through PAM's stack
  • Key verification falls back to direct filesystem checks with stricter permissions
  • Ubuntu's default sshd_config has implicit PAM dependencies

For key-only auth without PAM:

# /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes  # Required for proper key processing
PasswordAuthentication no
ChallengeResponseAuthentication no

If you must disable PAM, verify these:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown -R user:user ~/.ssh

Check auth attempts in real-time:

# On the server:
sudo tail -f /var/log/auth.log

# Client debug (show exact failure point):
ssh -vvv user@host -i /path/to/key

For PAM-less systems, consider:

# /etc/ssh/sshd_config
Match User deploy
    AuthenticationMethods publickey
    PubkeyAuthentication yes
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u

Then store keys in /etc/ssh/authorized_keys/deploy with root:root ownership and 644 permissions.