Ray Ray - 6 months ago 14
Linux Question

ssh via public keys failing for account on CentOS 6 with user id below 500

I converted a non-login user jenkins, created by the jenkins CI server installation, to allow log in by doing the following:


  1. Adding a home dir and shell in the /etc/passwd file for the jenkins user

  2. Creating a home directory



I then created a public and private key pair by


  1. Added public & private keys in the .ssh directory in the new home space

  2. Created an authorized_keys file

  3. Set the correct permissions for the .ssh directory and contents.



Now, on the machine, as root I can su - jenkins and become the jenkins user. However, on a remote machine I cannot ssh with public key to this machine (as the jenkins user with the respective keys).

I created a new user on the machine via useradd, copied the jenkins ssh keys over to this account and was able to log in as this user using the keys.

I'm completely stumped with what is special about the jenkins user that could be blocking ssh public key access. The only thing that sticks out in my mind is the jenkins user was created with User ID of 498. Is there something blocking 'system' user from allowing ssh?

The end of the ssh command with -v enabled for failing login as user jenkins looks like this:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).


The successful login as user foo (with the same keys):

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to jenkins.internal.nara.me ([54.83.203.146]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8

Answer

You are likely missing something among these:

  • permissions on the home directory of your jenkins user are not right (like not owned by the user, or world- or group-writable)
  • ssh not allowing key-based authentication for some users
  • having an unexpected carriage return in the authorized_keys file

To debug this, reload your sshd with

LogLevel VERBOSE

in /etc/ssh/sshd_config

and look at /var/log/auth.log (or the CentOS equivalent) for information on why this key is not accepted. In verbose mode, sshd always says why ;)
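
An added example (not part of the original answer): a shell function that checks the first and third causes listed above, approximating the owner and mode test sshd applies under StrictModes and scanning authorized_keys for carriage returns. The function name, output labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Approximates sshd's StrictModes test: each path must be owned
# by the login user or root and must not be group- or world-writable.
# Usage: audit_ssh_key_files HOME_DIR OWNER_UID
# Prints one line per problem; returns 0 when clean, 1 otherwise.
audit_ssh_key_files() {
    home=$1 uid=$2 rc=0
    keys="$home/.ssh/authorized_keys"
    cr=$(printf '\r')
    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"; rc=1; continue
        fi
        # Mode bits 020 (group write) or 002 (world write) set?
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE_BY_OTHERS: $p"; rc=1
        fi
        # Owned by someone other than the login user or root?
        if [ -n "$(find "$p" -prune ! -user "$uid" ! -user 0)" ]; then
            echo "WRONG_OWNER: $p"; rc=1
        fi
    done
    # A stray CR (e.g. from a Windows editor) can corrupt a key line.
    if [ -f "$keys" ] && grep -q "$cr" "$keys"; then
        echo "CARRIAGE_RETURN: $keys"; rc=1
    fi
    return $rc
}

# Constructed sample tree: .ssh is group-writable and the key line ends in CRLF.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
printf 'ssh-rsa AAAAconstructedkey jenkins@example\r\n' > "$demo/.ssh/authorized_keys"
chmod 700 "$demo"; chmod 770 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_key_files "$demo" "$(id -u)" || echo "fix the items listed above"
rm -rf "$demo"
```

Against a real account, run it as root with the account's home directory and numeric UID from /etc/passwd.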