[NBLUG/talk] SSH not letting me login

Dave Sisley dsisley at arczip.com
Wed Nov 3 06:29:41 PST 2004


On Tue, Nov 02, 2004 at 10:07:47PM -0800, Micxz wrote:
> For some reason I can't login to my server at home via SSH with my usual 
> user name.
> Other users seem to work OK.
> 
> I don't think I could have typed my password wrong six times. I also tried 
> changing it. I know it's correct because I login locally with this 
> user/pass. I tried publickey but no go.
> 
> Anything special anyone thinks I should look for? I tried playing around 
> with sshd_config and don't see anything suspicious in the logs.

<snip>

Hey, Micxz:

Now that I'm an expert at ssh, maybe I can help.
<smiley face with sarcastic, 'yeah, right' look>

Seriously, I had a very similar problem just yesterday that took me a 
while to track down.  I finally found a clue when I looked in 
/var/log/secure and saw a bunch of these:

Nov  2 11:24:44 jupiter sshd[3395]: Authentication refused: bad ownership or modes for directory /home/<my home directory>

I googled that and found that the permissions on my home directory need 
to be set so that they are *NOT* group or world writable.  I chmod'd my
home directory, and the problem went away.  I realize that this is probably
a good idea aside from ssh issues.

(I'm not sure why my permissions were set this way in the first place.  I'm
using a fresh Slackware 10.0 install on the remote machine, and I'm learning
about all the quirks and funny differences in Slack vs Fedora vs Suse vs Debian.
I think my permissions were changed when I was struggling to get a remote 
filesystem mounted in my home dir via NFS - but that's another post...)

I invite any TRUE experts out there to explain why the permissions need 
to be set this way.  Why should ssh care who can write to my home partition?
I'd understand if ssh was worried about protecting the .ssh subdirectory 
inside my homedir.  Shouldn't ssh mind its own business?

My ssh setup is probably a little different from yours, in that I don't 
allow any passwords anymore, and I allow logins to my account only.  I 
use dsa keys for authentication. 

I hope this helps!

-dave.

-- 
Dave Sisley
dsisley at arczip.com
roth-sisley.net
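
Added example (not part of the original post, and not OpenSSH's own code): a shell version of the ownership and mode test behind the "bad ownership or modes" log line above. sshd's StrictModes applies it to the home directory as well as to `.ssh`, because anyone able to write to the home directory can replace `.ssh` and its `authorized_keys`. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenSSH source: approximates the StrictModes test behind
# "Authentication refused: bad ownership or modes for directory ...".

# check_path PATH UID -> 0 if PATH is owned by UID or root and is not
# group- or world-writable; 1 otherwise (reason printed on stdout).
check_path() {
    owner=$(ls -ldn "$1" | awk '{print $3}')
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "bad ownership: $1 (uid $owner)"
        return 1
    fi
    # -perm -020 / -002 match the group-write and other-write bits.
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "bad modes: $1"
        return 1
    fi
    return 0
}

# check_ssh_chain HOME UID -> walks the home directory, ~/.ssh and
# ~/.ssh/authorized_keys, stopping at the first failure.
check_ssh_chain() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        check_path "$p" "$2" || return 1
    done
    return 0
}

# Constructed sample tree with the fault from the post: a group-writable home.
make_sample_home() {
    h=$(mktemp -d) || return 1
    mkdir "$h/.ssh" && : > "$h/.ssh/authorized_keys"
    chmod 700 "$h/.ssh"; chmod 600 "$h/.ssh/authorized_keys"
    chmod 775 "$h"
    echo "$h"
}

sample=$(make_sample_home)
check_ssh_chain "$sample" "$(id -u)" || echo "-> login would be refused"
chmod 755 "$sample"
check_ssh_chain "$sample" "$(id -u)" && echo "-> chain OK after chmod 755"
rm -rf "$sample"
```

On a real account, run `check_ssh_chain "$HOME" "$(id -u)"` as the affected user and fix whichever path it reports first.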



