While configuring a Linode server following their security guide, I encountered an interesting scenario: SSH key authentication continued working flawlessly even after commenting out the AuthorizedKeysFile directive in /etc/ssh/sshd_config.
The SSH daemon has built-in defaults that kick in when configuration directives are omitted or commented out. The default value for AuthorizedKeysFile is:
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
This means even when you comment out the line, SSHd falls back to checking these standard locations:
~/.ssh/authorized_keys
~/.ssh/authorized_keys2
To see the effective configuration including defaults, run:
sshd -T | grep authorizedkeysfile
This outputs the actual paths being used, which might reveal:
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
While the defaults work, it's better to explicitly configure the authorized keys path:
AuthorizedKeysFile %h/.ssh/authorized_keys
The %h token is expanded to the user's home directory. For added security, you might want to consider:
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Then create the directory and set proper permissions:
sudo mkdir -p /etc/ssh/authorized_keys
sudo chmod 755 /etc/ssh/authorized_keys
If key authentication stops working, check:
sudo tail -f /var/log/auth.log
Common permission requirements:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
When modifying SSH configurations:
- Always keep a backup session open when testing changes
- Use sshd -t to test the configuration before restarting
- Consider setting PasswordAuthentication no after confirming key auth works
While setting up a Linode server following their security guide, I noticed something peculiar about SSH key authentication. Even with the AuthorizedKeysFile directive commented out in /etc/ssh/sshd_config, my key-based authentication continued to work flawlessly.
# This line is commented in my sshd_config
#AuthorizedKeysFile %h/.ssh/authorized_keys
OpenSSH actually has built-in defaults that kick in when certain configurations aren't explicitly set. For the AuthorizedKeysFile parameter, the default value is:
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
This means even when the line is commented out, SSH will still look for authorized keys in the standard locations:
~/.ssh/authorized_keys
~/.ssh/authorized_keys2
To see what settings are actually being used by your SSH daemon, you can run:
sshd -T | grep authorizedkeysfile
This will output the effective AuthorizedKeysFile setting being used, whether it's explicitly configured or using defaults.
While the default behavior is convenient, I recommend explicitly setting this value in your sshd_config for several reasons:
AuthorizedKeysFile %h/.ssh/authorized_keys
- Makes your configuration self-documenting
- Prevents potential issues if defaults change in future versions
- Allows for custom key file locations if needed
- Makes your security configuration more transparent
Here's how you might configure a non-standard key file location:
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
This would store all users' authorized keys in a centralized location under /etc/ssh/authorized_keys/ with separate files for each username.
When working with SSH key authentication:
- Ensure .ssh directory permissions are 700
- Set authorized_keys file permissions to 600
- Consider using command= restrictions in authorized_keys for limited access
- Regularly audit authorized keys files for unexpected entries
Example of restricted key entry:
command="/usr/bin/rrsync /backups/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1... backup-user@host
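As an added example (my own code, not from the original post), here is a small Python audit script for the "regularly audit authorized keys files" step above: it parses authorized_keys lines, including quoted command= options that contain commas or spaces, and flags keys that lack the restrictions shown in the entry above. The sample file and its placeholder key blobs are constructed, and which options count as "restricted" is my assumption.

```python
import re
# Key-type tokens that end the optional options field (common OpenSSH types).
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
def parse_entry(line):
    """Return (options, keytype, comment) for one key line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, i = [], 0
    if not KEY_TYPE.match(line.split(None, 1)[0]):
        # Options end at the first whitespace outside double quotes; commas and
        # spaces inside quotes (command="rrsync /backups/") do not split them.
        cur, quoted = "", False
        while i < len(line):
            c = line[i]
            if c == "\\" and quoted and i + 1 < len(line):  # keep escaped \" intact
                cur += line[i:i + 2]; i += 2; continue
            if c == '"':
                quoted = not quoted
            if c == "," and not quoted:
                options.append(cur); cur = ""
            elif c.isspace() and not quoted:
                break
            else:
                cur += c
            i += 1
        options.append(cur)
    parts = line[i:].split(None, 2)
    if len(parts) < 2 or not KEY_TYPE.match(parts[0]):
        raise ValueError(f"malformed entry: {line!r}")
    return options, parts[0], parts[2] if len(parts) > 2 else ""
def audit(text):
    """Return [(comment, findings)] per key; an empty findings list means fully restricted."""
    report = []
    for options, keytype, comment in filter(None, map(parse_entry, text.splitlines())):
        names = {o.split("=", 1)[0] for o in options}
        findings = [] if "command" in names else ["no command= restriction"]
        if "restrict" not in names:  # 'restrict' (OpenSSH 7.2+) implies every no-* option
            findings += [f"missing {n}" for n in ("no-port-forwarding", "no-pty", "no-agent-forwarding") if n not in names]
        if keytype == "ssh-dss":
            findings.append("ssh-dss key (disabled by default since OpenSSH 7.0)")
        report.append((comment or keytype, findings))
    return report
SAMPLE = """\
# constructed sample authorized_keys; key blobs are placeholders, not real keys
command="/usr/bin/rrsync /backups/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER backup-user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER admin@laptop
restrict,command="/usr/local/bin/deploy,with,commas" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER deploy@ci
ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER legacy@old
"""
```

Run audit(open("/etc/ssh/authorized_keys/<user>").read()) or audit on ~/.ssh/authorized_keys to get the per-key findings list; the backup-user and deploy entries come back clean while the unrestricted and ssh-dss entries are flagged.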