What if publickey authentication does not work

There are many problems that can cause the publickey authentication scheme in ssh (more specifically, OpenSSH) to stop working properly. I had not encountered this problem for a long time, but I have just run into it again on a fresh CentOS 4.4.

The situation is that the system had just been installed. I then created a new user other than root and logged in successfully without any problem. So I created the directory ~/.ssh and the file authorized_keys inside it.

cd
mkdir .ssh
vi .ssh/authorized_keys    # the key file belongs inside .ssh, not directly in the home directory

Unfortunately, I was not able to log in using the publickey scheme. I did not know why, since everything seemed to work properly except the publickey. Anyway, after investigating for a few hours, I found that something was wrong with the permissions of .ssh and authorized_keys. Below is what I did to fix it.

cd
chmod -R go-w .ssh    # remove group and world write permission from .ssh and everything inside it

This problem is caused by the default umask of some Linux distributions, e.g., CentOS 4.4. The default umask allows the user's group to write to newly created files and directories. The reason behind this behaviour is that a new user is usually created with its own new group. For example, the command below adds a new user named testuser.

useradd testuser

It will be assigned to the group testuser automatically, so the default umask is still safe for this setting. However, it might lead to a security problem if a new user is created with an existing group. You should override the umask to suit your needs in .bashrc. By the way, I found the code below in /etc/bashrc.

if [ "`id -gn`" = "`id -un`" -a `id -u` -gt 99 ]; then
    umask 002
else
    umask 022
fi

In summary, umask 002, which is not correct for publickey authentication, is only set if the user name and group name are identical. OK, it was my fault; I should have noticed this and overridden the umask in my .bashrc as follows.

umask 022
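As an added example (not part of the original post), the script below reproduces the umask effect in a scratch directory and then checks the home directory, ~/.ssh and authorized_keys the way sshd's StrictModes check does, refusing anything writable by group or others. It assumes GNU stat(1) with the -c option, as on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the umask effect in a
# scratch directory and checks the paths sshd inspects under StrictModes.
# Assumption: GNU stat(1) with the -c option (e.g. CentOS / any coreutils).

# Octal mode of a path, e.g. 775.
mode_of() {
    stat -c '%a' "$1"
}

# Create $1/.ssh/authorized_keys under umask $2, as the post's interactive
# mkdir/vi commands would have done with the login shell's umask.
make_home() {
    (
        umask "$2"
        mkdir -p "$1/.ssh"
        : > "$1/.ssh/authorized_keys"
    )
}

# Return 0 when neither the home directory, .ssh nor authorized_keys is
# writable by group or others; otherwise list the offenders and return 1.
check_ssh_perms() {
    home="$1"
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        g=$(( m / 10 % 10 ))   # group digit of the mode
        o=$(( m % 10 ))        # others digit of the mode
        for d in "$g" "$o"; do
            case "$d" in
                2|3|6|7)       # write bit set
                    echo "writable by group/others: $p (mode $m)"
                    bad=1
                    break
                    ;;
            esac
        done
    done
    return "$bad"
}

# Demo: umask 002 yields 775/664, which sshd rejects; go-w repairs it.
demo=$(mktemp -d)
make_home "$demo/user" 002
check_ssh_perms "$demo/user" || chmod -R go-w "$demo/user"
check_ssh_perms "$demo/user" && echo "fixed: .ssh is now $(mode_of "$demo/user/.ssh")"
rm -rf "$demo"
```

Running it under umask 022 instead produces 755/644 from the start, which is why overriding the umask in .bashrc avoids the problem for every later key file.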
