Monday, August 18, 2014

RHEL7 sshd Ignores authorized_keys2

I found out the hard way that my authorized_keys2 file is ignored in Red Hat Enterprise Linux 7.  My ssh client would submit the key file and then prompt me for my password.

The line "#AuthorizedKeysFile .ssh/authorized_keys" from sshd_config was uncommented, which changed the default behavior of reading both authorized_keys and authorized_keys2.

Unfortunately, I don't find any announcement of this change.  And, the sshd man page still reads:

"AuthorizedKeysFile specifies the files containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2."

Renaming the authorized_keys2 file to authorized_keys will fix the problem.  Be sure to merge these files if authorized_keys also exists.
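
One way to do the rename-or-merge described above, as an added example that is not part of the original post. The function name merge_authorized_keys2 and the ".merged" suffix are assumptions chosen for illustration; run it as the account that owns the .ssh directory.

```shell
#!/bin/sh
# Added example: fold a legacy authorized_keys2 into authorized_keys.
# merge_authorized_keys2 is a hypothetical helper; $1 is the .ssh directory.
merge_authorized_keys2() {
    ssh_dir=$1
    old="$ssh_dir/authorized_keys2"
    new="$ssh_dir/authorized_keys"

    # Nothing to do when the legacy file is absent.
    [ -f "$old" ] || return 0

    # Refuse symlinks so the merge cannot be redirected to another file.
    if [ -L "$old" ] || [ -L "$new" ]; then
        echo "refusing to follow symlink in $ssh_dir" >&2
        return 1
    fi

    # Build the result in a temp file in the same directory so the final
    # rename is atomic and sshd never reads a half-written key file.
    tmp=$(mktemp "$ssh_dir/authorized_keys.XXXXXX") || return 1

    # Existing entries come first; lines from authorized_keys2 are added
    # only if not already present. Blank lines are dropped, comments kept.
    if [ -f "$new" ]; then
        awk 'NF == 0 { next } !seen[$0]++' "$new" "$old" > "$tmp"
    else
        awk 'NF == 0 { next } !seen[$0]++' "$old" > "$tmp"
    fi || { rm -f "$tmp"; return 1; }

    # sshd's StrictModes check rejects key files writable by others.
    chmod 600 "$tmp"
    mv "$tmp" "$new"

    # Keep the legacy file under a new name for review instead of deleting it.
    mv "$old" "$old.merged"
}

# Typical call for the current user:
# merge_authorized_keys2 "$HOME/.ssh"
```

To confirm which files the running configuration actually reads, `sshd -T | grep -i authorizedkeysfile` (as root) prints the effective AuthorizedKeysFile setting.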

I've submitted product feedback to Red Hat asking that they announce the change and fix the man page.  FWIW, we've been warned in the past, starting in 2001 with the release of OpenSSH version 3, that this authorized_keys2 is deprecated.  It just seems like an explicit "your stuff will now break" announcement is warranted.
