SSH public key authentication does not work

Created: 2016-11-16 12:55:20 UTC

Modified: 2017-08-08 13:17:19 UTC


Applicable to:

  • Plesk

Symptoms

Setting up a system user to log in to a server with an SSH public key does not work.

Cause

The home directory of each SSH user in Plesk is write-protected.

OR

Permissions of the file authorized_keys are incorrect.

Resolution

In Plesk 12.0.18 and above, this functionality can be managed with the SSH Keys Manager extension. Go to Home > Extensions > Extensions Catalog and install SSH Keys Manager.

Note: Make sure that the file authorized_keys has correct permissions. It should be accessible only by the owner:

$ ls -l ~/.ssh/authorized_keys
-rw------- 1 ftpuser psacln 399 Jul 15  2016 /var/www/vhosts/example.com/.ssh/authorized_keys

Alternatively, use the following workaround:

  1. As root, edit /etc/ssh/sshd_config. Add this line or change an existing one to the following:

    # cat /etc/ssh/sshd_config | grep AuthorizedKeysFile
    AuthorizedKeysFile .ssh/authorized_keys %h/private/.ssh/authorized_keys

    This makes sshd also look for the .ssh directory inside a directory named private in each user's home directory (%h), not only directly in the root of the home directory.

  2. Save the file and restart sshd:

    # service sshd restart

To use an SSH public key, the customer has to add it to the authorized_keys file. This is done as follows:

  1. Log in to the customer account as the provided SSH user and run these commands:

    $ cd private
    $ mkdir .ssh
    $ echo "insert your SSH key here" > .ssh/authorized_keys
    $ chmod -R og-xrw .ssh

  2. Make sure the owner and group are correct:

    $ chown -R ftpuser:psacln .ssh
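
The mode and ownership requirements from the note and the steps above can be checked with a short script. This is an added example, not part of the original article or of Plesk's tooling; the function name check_authorized_keys is hypothetical, and it assumes GNU stat (stat -c) as found on Linux servers.

```shell
#!/bin/sh
# Added example: audit the ownership and mode of an authorized_keys file
# and of the .ssh directory that contains it.
# Assumption: GNU coreutils stat (stat -c) is available.

# check_authorized_keys FILE OWNER
# Prints one line per problem found; returns 0 if there are none, 1 otherwise.
check_authorized_keys() {
    file=$1
    owner=$2
    dir=$(dirname "$file")
    problems=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file"
        return 1
    fi

    for path in "$dir" "$file"; do
        mode=$(stat -c '%a' "$path")          # octal mode, e.g. 600
        actual_owner=$(stat -c '%U' "$path")  # owner user name

        # Mask 077 selects the group and other permission bits. Any bit set
        # there means the path is accessible by someone besides the owner.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "MODE: $path is $mode, remove group/other access (chmod og-xrw)"
            problems=1
        fi

        if [ "$actual_owner" != "$owner" ]; then
            echo "OWNER: $path is owned by $actual_owner, expected $owner"
            problems=1
        fi
    done

    return "$problems"
}

# Usage on a server, with ftpuser being the subscription's system user and
# the path following the %h/private/.ssh/authorized_keys workaround:
#   check_authorized_keys /var/www/vhosts/example.com/private/.ssh/authorized_keys ftpuser
```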

2 Comments

  • Faris Raouf

    This is very helpful.

    But it needs to be made clear that when using the manual method (create .ssh and authorized keys in subscription's private directory), it is necessary to chown both .ssh and authorized_keys to ftpuser.root [or possibly ftpuser.psacln], where ftpuser = the ftp username shown on the page where you enable or disable ssh access for the subscription.

    If this is not done, the authorized_keys file is not readable and an ssh key-based login will not be possible.

    It would also be nice if it was made clear that you need to chmod og-xrw authorized_keys. Although this is hinted at right at the start, it is not as clear as some users might need it to be.

  • Pavel Mikhaylov

    Hi Faris,

    Thank you for your input.

    The article has been modified considering your recommendation.
