
Troubleshooting Public Key Authentication

The Problem: Public key authentication is configured, but client users are unable to connect using public key authentication.

Check the client configuration

  1. Confirm that there is a private/public key pair on the client and note the name and location of the private key.

  2. Open the client configuration file. (If the user has a user-specific file, check both the global and user file.)

    • Confirm that AllowedAuthentications includes 'publickey'.

    • Check the IdentificationFile setting. Note the name and location of the file. (The default is ~/.ssh2/identification.)

  3. Open the identification file.

    • Confirm that this file includes a line that identifies the client's private key. For example:

      IdKey /home/joe/mykey

    • Confirm that the key name exactly matches the private key of the key pair. (For example, if your private key has a file extension, this extension needs to be included.)

    • If no path is specified, confirm that the keys are located in the Secure Shell user directory (~/.ssh2/).

  4. Check file and directory permissions. (The second and third bullet items are required if StrictModes is enabled on the client, which is the default.)

    • Is the private key readable only by the owner (600)?

    • Is the identification file configured to allow write-access only to the user (600 or 644)?

    • Are the user directory and all parent directories configured to allow write access only to the user (755 or less)?
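The step 4 checks can be scripted. The following is an added example, not part of the product or its documentation; it takes the private key path and the identification file path as arguments, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not vendor code): permission checks from step 4 of the
# client checklist. Usage: sh check_perms.sh PRIVATE_KEY IDENTIFICATION_FILE

# Print the 10-character mode string for a path, e.g. "-rw-------".
# Prints nothing if the path does not exist.
mode_string() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# Succeed if group or other has the write bit set on PATH.
group_or_other_writable() {
    case $(mode_string "$1") in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Succeed if PATH exists and group/other have no access at all (600 or stricter).
private_key_ok() {
    case $(mode_string "$1") in
        ????------) return 0 ;;
    esac
    return 1
}

# Walk from DIR up to /, printing every directory that is group- or
# other-writable. Returns 1 if any such directory was found.
dir_chain_ok() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    bad=0
    while :; do
        if group_or_other_writable "$d"; then
            echo "writable by group/other: $d"
            bad=1
        fi
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return "$bad"
}

if [ "$#" -eq 2 ]; then
    private_key_ok "$1" || echo "private key is accessible to group/other: $1"
    group_or_other_writable "$2" && echo "identification file is writable by group/other: $2"
    dir_chain_ok "$(dirname "$1")" || echo "fix the directories listed above"
fi
```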

Check the server configuration

  1. Confirm that there's a copy of the user's public key in the user-specific configuration directory on the server. The default location is ~/.ssh2.

  2. Open the server configuration file.

    • Confirm that AllowedAuthentications includes 'publickey'.

    • Check the AuthorizationFile setting. Note the name and location of the file. (The default is ~/.ssh2/authorization.)

  3. Open the authorization file.

    • Confirm that this file includes a line that identifies the server's copy of the client's public key. For example:

      Key /home/joe/mykey.pub

    • Confirm that the key name exactly matches the public key, including the file extension.

    • If no path is specified, confirm that the key is located in the Secure Shell user directory. (The default is ~/.ssh2/. This is configurable on the server with the UserConfigDirectory keyword.)

  4. Check file and directory permissions. (The second bullet item is required if StrictModes is enabled on the server, which is the default.)

    • Is the authorization file configured to allow write-access only to the user (600 or 644)?

    • Are the user directory and all parent directories configured to allow write access only to the user (755 or less)?

