Passwordless Logins suddenly failing


#1

For about a week, ssh/scps from home machines previously “registered” with authorized_keys have been requesting passwords. I have re-created ~/.ssh/authorized_keys by the usual method (even deleting and recreating .ssh/ as well). Still no go.

What has changed?


#2

What is the permission of the authorized_keys file?


#3

authorized_keys was fine. The protection on the homedir was too permissive. Seems group write is wrong there. 751 on the homedir (thanks Justin!) made it work again. Can’t figure how the permissions got changed in the first place, though. Oh well.


#4

I was having the same problem using password-less login on the personal backup server. I used sftp to chmod the backup user’s home directory to 751. I had to specify the full path.

sftp bXXXXX@hanjin.dreamhost.com
Connecting to hanjin.dreamhost.com...
bXXXXX@hanjin.dreamhost.com's password: 
sftp> chmod 751 ~
Couldn't stat remote file: No such file or directory
Changing mode on /vol/shelf6/customized/bXXXXX/~
Couldn't setstat on "/vol/shelf6/customized/bXXXXX/~": No such file or directory
sftp> chmod 751 /vol/shelf6/customized/bXXXXX
Changing mode on /vol/shelf6/customized/bXXXXX
sftp> quit

I figured out the full path from the error output.


#5

The backup server directory changed permissions on me again and I lost password-less login. It changed to 775 instead of 751 as is apparently needed for password-less sftp and rsync to work.

I had been working with it when it happened so I suspected it was something I did. It turns out the kludgy rsync command we are forced to use to delete directories recursively is changing the . directory permissions.

Here is the command that I use to delete full directories on the personal backup server.

The empty source directory I was using to force the deletion had the 775 permissions that were being replicated to the backup server. I changed it to 751 and I am no longer losing the password-less ssh permissions.

Why can’t we have ssh into the backup server with a limited command set (mv, rm, cp, chmod, chgrp, etc…) and no outbound network access? Life would be so much simpler…


#6

If you set your bXXXXX directory to 775, then anyone with a DH backup can login and look/transfer your files.
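The symptom in posts #3 through #6 is sshd's default "StrictModes yes" behaviour: it refuses to use ~/.ssh/authorized_keys when the home directory, ~/.ssh or the key file is writable by group or others, and the login silently falls back to a password. The script below is an added example (not from any poster in this thread and not part of DreamHost's tooling) that reproduces that check locally so the regression can be caught right after an rsync or chmod, before the next login fails. It assumes the default ~/.ssh/authorized_keys layout and a stat(1) that accepts either the GNU or the BSD format flag.

```shell
#!/bin/sh
# Added example: approximate the permission checks sshd performs under
# "StrictModes yes" before it will honour ~/.ssh/authorized_keys.
# Usage: sh check_ssh_perms.sh /path/to/home   (defaults to $HOME)

# Print a path's permission bits in octal (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the path is writable by neither group nor others.
# The leading 0 makes the shell parse stat's output as octal; 022 masks the
# group-write and other-write bits, which are exactly what 775 adds over 751.
not_group_world_writable() {
    m=$(( 0$(mode_of "$1") ))
    [ $(( m & 022 )) -eq 0 ]
}

# Report each problem and return 1 if any was found, 0 if all is well.
check_ssh_perms() {
    home="$1"
    rc=0

    if [ ! -d "$home" ]; then
        echo "FAIL: $home is not a directory"
        return 1
    fi

    # The home directory itself: 751 (or 755/700) is fine, 775 is not.
    if not_group_world_writable "$home"; then
        echo "ok:   $home is mode $(mode_of "$home")"
    else
        echo "FAIL: $home is mode $(mode_of "$home") (group/world-writable); use chmod 751"
        rc=1
    fi

    # ~/.ssh must exist and obey the same rule; 700 is the conventional setting.
    if [ ! -d "$home/.ssh" ]; then
        echo "FAIL: $home/.ssh does not exist"
        rc=1
    elif not_group_world_writable "$home/.ssh"; then
        echo "ok:   $home/.ssh is mode $(mode_of "$home/.ssh")"
    else
        echo "FAIL: $home/.ssh is mode $(mode_of "$home/.ssh"); use chmod 700"
        rc=1
    fi

    # authorized_keys must exist and not be writable by group/others; 600 is conventional.
    keys="$home/.ssh/authorized_keys"
    if [ ! -f "$keys" ]; then
        echo "FAIL: $keys does not exist"
        rc=1
    elif not_group_world_writable "$keys"; then
        echo "ok:   $keys is mode $(mode_of "$keys")"
    else
        echo "FAIL: $keys is mode $(mode_of "$keys"); use chmod 600"
        rc=1
    fi

    # sshd also requires these paths to be owned by the login user (or root);
    # ownership is not checked here and should be verified with ls -ld.
    return $rc
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

A non-zero exit status means sshd will ignore the key file and prompt for a password; the first FAIL line names the path and the chmod value the thread settled on. Because the empty source directory in post #5 propagates its own mode onto the backup server's home directory, running this check against the source directory before the rsync catches the problem at its origin.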