Troubleshooting SSH connections
This page gives some advice about troubleshooting SSH connections. But first,
Do you understand enough about how SSH works?
First, make sure you understand everything explained in Overview of SSH. If you don't, you are going to find it very difficult to fix problems.
SSH connections to the Lab machines are failing from machines outside the Lab
Whatever operating system you are using on the machine you are connecting from, you must check the following on your Lab Unix account (i.e. on the machine you are connecting to).
Is your home directory or your .ssh/ directory group or world-writable?
It shouldn't be. Type
$ ls -ld ~ ~/.ssh
drwx------ 218 ig206 ig206 77824 2006-10-06 13:17 /home/ig206
drwx------   2 ig206 ig206  4096 2006-09-29 13:34 /home/ig206/.ssh
You should see something like the above output. Note the absence of w in the 6th and 9th columns of the mode string at the start of each line. This indicates that 'group' and 'others' do not have write access to the directories.
If you have the group or other write bits set then clear them with the command
$ chmod go-w ~ ~/.ssh
Have you set up the ~/.ssh/authorized_keys file correctly?
Note that the spelling is the American form authorized_keys with a z.
Make sure the file is not group or world writable:
$ ls -l ~/.ssh/authorized_keys
-rw------- 1 ig206 ig206 6924 2006-08-11 15:33 /home/ig206/.ssh/authorized_keys
If you have the group or other write bits set then clear them with the command
$ chmod go-w ~ ~/.ssh/authorized_keys
Have you set up the public key line(s) in the ~/.ssh/authorized_keys file correctly?
The from option on each line should be a comma-separated list of fully qualified domain names in double quotes. The names are the names of hosts which can log in using that key. The names can include the * character as a wildcard.
The OpenSSH public key is a single string of ASCII letters and numbers (with no linefeeds or carriage-returns) followed by a key identifier (perhaps of the form login@host, but it is not important exactly what this is).
To check, type this
grep '^from' ~/.ssh/authorized_keys
This should produce one or more lines, each looking something like this:
from="*.cl.cam.ac.uk" ssh-rsa KKKKKKKK XXXXX
Here KKKKKKKK is the public key string and XXXXX is the key identifier.
Is the public key in the ~/.ssh/authorized_keys file in the correct format?
The public key listed in ~/.ssh/authorized_keys must be in the OpenSSH format. If the key is an SSH2 key then it will look like this
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "test key [2048-bit dsa]"
AAAAB3NzaC1kc3MAAAEBAJLL7cNNAwOXcOWqUBlr6fEw7opLOgL8XNfmxLll1zkmH85Erm
X2podpuSJUyipom36iYdBJqk8/QvjhFmbAqcnwdh5aQj7tYTs0bqrqHDUiqti9yUmoICYF
NdqEOiwUHNZvRtxqVmLEMUD+8tH/PCRIMHlrKip+DMr1gAkwp4atEUb3fXp+CuA6+sH3x9
sMMcwdyDsZJ4irWUbtR6Hyopmlx+T5+quUTlU+jPYx7MQctnpmsOVGjORIGfl0j+xfFget
zS/9eDOjlNOFO+yL4nPYvG0eoxIyHBsY0eTC1iLWtYp+8EBcPZC1MoH4YfhHHkxVt2wLKz
YXccMPSBW5sJ0AAAAVAIzBCkkOo5iPng85ubIvfF1CT6f1AAABAFH6Emp1VcGeD5PEknYW
aFSHeT+ppVLfK40PukCzTsvEmwDIgh7SyYd1eELjCh1cBOu9+Y+HQzRnR9nGND2mRpNckO
UQEbSDQLU+VWqHbDUqRmu42XqszY5heZLZP1aNxNEVgtBYsk5ZDIGM/06QisPe2kxhFCQh
ivHXBqBtHMOYWILQXgvKji8mDd5Lw5g5iF2Ds9EAIoWq/5RWxaSwdS2zsfe1r2e1nr7MZ6
YcY3ofIvle7CLGUQIqcExC87sg/MxnFX3F3USni/YdjOxnRSeYVs5jRUt5KfdsJi3HMuFA
jmbxhsPm9IjvYxh07CzTlAJBOEmDmOpR7wNY713zIK0AAAEAQ/ciBjHmEjkyOUYzFYuJEn
GgfUP4Qalnm5p6GF5P5Dnb0vOiC6gQo9IwmkHPQlWcZTZgh9k4ZkmzPY62B6BHm5iuaw31
RV0OGWhDQCVoEm9pTIeP1SYzuNO78WJgnwA1afjX9szS97JpblCPZlXutnGYkpfOgrNWMM
4ChtAOS/EamXs/MviHSnV1J5S+POrFXpBb2muc7a0GnUWX/0sVaWV9hvOXGveA9rH+nniR
jSyNJx9Ln6/uQOWjlKqaH8hu+O+DQ6fJ+eqF0I+mRw9fDt+3V8UJvn7PVrMjjtPCI0q9LK
mQSBSA6rPLrFpVSZmIio6HcebCXoSMLA0ZYKE98Q==
---- END SSH2 PUBLIC KEY ----
This is wrong. You need to convert such a key using the command
ssh-keygen -i -f public-key-file
Where public-key-file is the name of the file containing the SSH2 format public key. This will output the OpenSSH format key on stdout. You can pipe the key directly into your authorized_keys file using some commands like this
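# Note the space before the closing single quote: the options and the key must be separated by whitespace.
echo -n 'from="*.some.network.or.other" ' >> ~/.ssh/authorized_keys
echo $(ssh-keygen -i -f public-key-file) >> ~/.ssh/authorized_keys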
Where *.some.network.or.other and public-key-file are your host address(es) and public key file-name.
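The checks on this page gathered into one shell function, as an added example that is not part of the original page. The names writable_by_others and check_ssh_account and the message prefixes are made up here; write access is judged from columns 6 and 9 of the ls -ld mode string, as described above.

```sh
#!/bin/sh
# Added example, not from the original page. Function names and message
# prefixes are invented for illustration.

# Succeeds if the path has the group or other write bit set, judged as on
# this page: a 'w' in column 6 or column 9 of the mode string from ls -ld.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Prints one line per problem found under the given home directory.
# Returns 0 only if no problem was found.
check_ssh_account() {
    home=$1
    keys="$home/.ssh/authorized_keys"
    problems=0

    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; problems=$((problems + 1))
        elif writable_by_others "$p"; then
            echo "WRITABLE $p (fix: chmod go-w $p)"; problems=$((problems + 1))
        fi
    done
    [ -f "$keys" ] || return 1

    # An SSH2-format key is a multi-line block, not an OpenSSH key line.
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$keys"; then
        echo "FORMAT SSH2 key block in $keys (convert with ssh-keygen -i -f)"
        problems=$((problems + 1))
    fi

    # Stricter form of grep '^from': the closing quote must be followed by
    # a space (then the key) or a comma (then another option).
    if ! grep -q '^from="[^"]*"[, ]' "$keys"; then
        echo "NOFROM no well-formed from=\"...\" line in $keys"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage: check_ssh_account "$HOME"
```

Run it on the Lab account you are connecting to; a clean account prints nothing and returns 0.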
