Computer Laboratory

Troubleshooting SSH connections

This page gives some advice about troubleshooting SSH connections. But first,

Do you understand enough about how SSH works?

First, make sure you understand everything explained in Overview of SSH. If you don't, you are going to find it very difficult to fix problems.

SSH connections to the Lab machines are failing from machines outside the Lab

Whatever operating system you are using on the machine you are connecting from, you must check the following on your Lab Unix account (i.e. on the machine you are connecting to).

Is your home directory or your .ssh/ directory group or world-writable?

It shouldn't be. Type

$ ls -ld ~ ~/.ssh
drwx------ 218 ig206 ig206 77824 2006-10-06 13:17 /home/ig206
drwx------   2 ig206 ig206  4096 2006-09-29 13:34 /home/ig206/.ssh

You should see something like the above output. Note the absence of w in the 6th and 9th columns of the mode string at the start of each line. This indicates that 'group' and 'others' do not have write access to the directories.

If you have the group or other write bits set then clear them with the command

$ chmod go-w ~ ~/.ssh

Have you set up the ~/.ssh/authorized_keys file correctly?

Note that the spelling is the American form authorized_keys with a z.

Make sure the file is not group or world writable:

$ ls -l ~/.ssh/authorized_keys
-rw------- 1 ig206 ig206 6924 2006-08-11 15:33 /home/ig206/.ssh/authorized_keys

If you have the group or other write bits set then clear them with the command

$ chmod go-w ~ ~/.ssh/authorized_keys

Have you set up the public key line(s) in the ~/.ssh/authorized_keys file correctly?

The from option on each line should be a comma-separated list of fully qualified domain names in double quotes. The names are the names of hosts which can log in using that key. The names can include the * character as a wildcard.

The OpenSSH public key is a single string of ASCII letters and numbers (with no linefeeds or carriage-returns) followed by a key identifier, perhaps of the form login@host (but it is not important exactly what this is).

To check, type this

grep '^from' ~/.ssh/authorized_keys

This should produce one or more lines, each looking something like this:

from="*.cl.cam.ac.uk" ssh-rsa KKKKKKKK XXXXX

Here KKKKKKKK is the public key string and XXXXX is the key identifier.

Is the public key in the ~/.ssh/authorized_keys file in the correct format?

The public key listed in ~/.ssh/authorized_keys must be in the OpenSSH format. If the key is an SSH2 key then it will look like this

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "test key [2048-bit dsa]"
---- END SSH2 PUBLIC KEY ----

This is wrong. You need to convert such a key using the command

ssh-keygen -i -f public-key-file

Where public-key-file is the name of the file containing the SSH2 format public key. This will output the OpenSSH format key on stdout. You can pipe the key directly into your authorized_keys file using some commands like this

# the trailing space inside the quotes separates the from option from the key type
echo -n 'from="*.some.network.or.other" ' >> ~/.ssh/authorized_keys
echo "$(ssh-keygen -i -f public-key-file)" >> ~/.ssh/authorized_keys

Where *.some.network.or.other and public-key-file are your host address(es) and public key file-name.
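
The checks on this page gathered into one script, as an added example that is not part of the original page. The function names check_ssh_setup, is_go_writable and report are hypothetical, and the line check accepts only the from="hosts" key-type key form shown above (a line that combines from with other options is reported as unexpected).

```sh
#!/bin/sh
# Added example, not from the original page: audits an account against the
# checks above. check_ssh_setup, is_go_writable and report are made-up names.

# True if the path has the group or other write bit set.
# -H makes find follow a symlink given on the command line.
is_go_writable() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Print one problem and count it.
report() { echo "$1"; problems=$((problems + 1)); }

# Usage: check_ssh_setup [home-dir]   (default: $HOME); returns 0 if clean.
check_ssh_setup() {
    home=${1:-$HOME}; keys="$home/.ssh/authorized_keys"
    problems=0; n=0; in_ssh2=0

    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then report "missing: $p"
        elif is_go_writable "$p"; then report "group/other writable: $p"
        fi
    done
    [ -f "$keys" ] || return 1

    # Only the form shown on this page is accepted: from="hosts" key-type key id
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '---- BEGIN SSH2 PUBLIC KEY ----'*)
                in_ssh2=1
                report "line $n: SSH2-format key, convert with ssh-keygen -i -f" ;;
            '---- END SSH2 PUBLIC KEY ----'*) in_ssh2=0 ;;
            ''|'#'*) ;;                           # blank line or comment
            'from="'*'" '[a-z]*' '?*) ;;          # well-formed
            from=*) [ "$in_ssh2" = 1 ] || report "line $n: expected from=\"hosts\" key-type key" ;;
            *)      [ "$in_ssh2" = 1 ] || report "line $n: no from option" ;;
        esac
    done < "$keys"

    [ "$problems" -eq 0 ]
}
```

Run it on the Lab account as check_ssh_setup (no argument checks your own home directory); it prints one line per problem and returns non-zero if it found any.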