tech-lists
2018-May-24 11:09 UTC
trying to get sftp-only logins to work with public keys
Hello list,

I'm trying to get (chrooted) sftp login working with public keys. I made a sftp-only user which works fine, and is chrooted. I created a .ssh directory with 770 perms (root:user) and put their public key in there with 600 perms (user:user), however when trying pubkey auth it always falls back to keyboard-interactive (which will succeed when the password is applied). I don't know why in key exchange it says it sent a packet then didn't. Can anyone help please?

Context is recent freebsd-11-stable, both client and server.

I have this in /etc/ssh/sshd_config:

Subsystem sftp internal-sftp

Match User testsftp
ChrootDirectory /usr/home/testsftp
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /usr/home/testsftp/.ssh/authorized_keys
ForceCommand internal-sftp

Permissions in the test user's .ssh dir are like this:

drwxrwx---  2 root      testsftp   512B May 24 10:51 .
drwxr-xr-x  5 root      testsftp   512B May 24 10:35 ..
-rw-------  1 testsftp  testsftp   105B May 24 11:49 authorized_keys

Here is the -v -v debug output from the ssh client:

debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/REDACTED/.ssh/id_rsa (0x0)
debug2: key: /home/REDACTED/.ssh/id_dsa (0x0)
debug2: key: /home/REDACTED/.ssh/id_ecdsa (0x0)
debug2: key: /home/REDACTED/.ssh/id_ed25519 (0x802015240)
debug1: SSH2_MSG_EXT_INFO received
debug1: Fssh_kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/REDACTED/.ssh/id_rsa
debug1: Trying private key: /home/REDACTED/.ssh/id_dsa
debug1: Trying private key: /home/REDACTED/.ssh/id_ecdsa
debug1: Offering ED25519 public key: /home/REDACTED/.ssh/id_ed25519
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password for testsftp at REDACTED:

thanks,
-- 
J.
tech-lists
2018-May-24 11:47 UTC
trying to get sftp-only logins to work with public keys
On 24/05/2018 12:09, tech-lists wrote:
> Hello list,
>
> I'm trying to get (chrooted) sftp login working with public keys. I made
> a sftp-only user which works fine, and is chrooted. I created a .ssh
> directory with 770 perms (root:user) and put their public key in there
> with 600 perms (user:user) however when trying pubkey auth it always
> falls back to keyboard-interactive (which will succeed when the password
> is applied). I don't know why in key exchange it says it sent a packet
> then didn't. Can anyone help please?
>
> Context is recent freebsd-11-stable, both client and server.
>
> I have this in /etc/ssh/sshd_config:
>
> Subsystem sftp internal-sftp
>
> Match User testsftp
> ChrootDirectory /usr/home/testsftp
> PubkeyAuthentication yes
> X11Forwarding no
> AllowTcpForwarding no
> AuthorizedKeysFile /usr/home/testsftp/.ssh/authorized_keys
> ForceCommand internal-sftp

Solved this by setting perms on the .ssh dir to be root:user 750 (and not 760 or 770). Didn't see this documented anywhere, so posting in the hope this helps others.

-- 
J.
rainer at ultra-secure.de
2018-May-24 12:36 UTC
trying to get sftp-only logins to work with public keys
On 2018-05-24 13:09, tech-lists wrote:
> Hello list,
>
> I'm trying to get (chrooted) sftp login working with public keys. I
> made a sftp-only user which works fine, and is chrooted. I created a
> .ssh directory with 770 perms (root:user) and put their public key in
> there with 600 perms (user:user) however when trying pubkey auth it
> always falls back to keyboard-interactive (which will succeed when the
> password is applied). I don't know why in key exchange it says it sent
> a packet then didn't. Can anyone help please?

Have you tried chown'ing -R .ssh to the user and the group of the user and chmod'ing -R to 700? I think these days, ssh is pretty picky about these permissions and ownership.
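The rule behind both the 750 fix in the thread and the chmod -R 700 suggestion above is sshd's StrictModes check: before it reads an authorized_keys file, sshd walks every path component from the file up to / and refuses the key file if any component is owned by someone other than root or the login user, or has the group- or world-write bit set. A 770 .ssh directory is group-writable, so the key is silently ignored and the client drops to the next method, which is exactly what the "we did not send a packet, disable method" lines in the debug output show; 750, 700 and the 600 key file all pass. The script below is an added example, not code from the thread or from OpenSSH: it reimplements that per-component check in POSIX sh and runs it over a constructed directory tree, comparing the original 770 setting with the 750 fix. It assumes a GNU or BSD stat(1), and stops at a caller-supplied base directory rather than walking all the way to / as sshd does (a simplification so the demo can live under a temporary directory); it also cannot chown the home and .ssh directories to root without privileges, so the constructed tree is owned by the current user and only the mode part of the rule is exercised.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: a POSIX sh re-creation
# of the StrictModes check sshd performs before it will read authorized_keys.
# sshd refuses the file if any path component, from the file up to /, is
# owned by someone other than root or the login user, or has the group- or
# world-write bit set.  This version stops at a caller-supplied BASE
# directory (simplification) so the demo can run under a temporary directory.

# Print "<octal mode> <owner uid>" for a path: GNU stat first, then BSD stat.
mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%OLp %u' "$1"
}

# component_ok PATH UID: succeed if PATH is owned by root or UID and is
# neither group- nor world-writable (the condition sshd applies per component).
component_ok() {
    info=$(mode_uid "$1") || return 1
    mode=${info%% *}
    owner=${info#* }
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$2" ] || return 1
    perm=$(( 0$mode & 0777 ))      # low nine permission bits (setuid/setgid/sticky dropped)
    [ $(( perm & 022 )) -eq 0 ]    # neither group (020) nor other (002) write bit set
}

# strictmodes_check BASE RELPATH UID: check BASE/RELPATH, then each parent
# directory up to (not including) BASE.  Succeeds only if every component
# passes component_ok; otherwise names the offending path and fails.
strictmodes_check() {
    p=$2
    while [ -n "$p" ] && [ "$p" != . ]; do
        if ! component_ok "$1/$p" "$3"; then
            echo "StrictModes would reject: $1/$p ($(mode_uid "$1/$p"))"
            return 1
        fi
        p=$(dirname "$p")
    done
    return 0
}

# demo: constructed tree mirroring the thread's layout (home dir 755,
# authorized_keys 600), first with the poster's 770 .ssh directory and then
# with the 750 fix.  Prints "770: reject" and "750: accept".
demo() {
    base=$(mktemp -d)
    me=$(id -u)
    mkdir -p "$base/testsftp/.ssh"
    : > "$base/testsftp/.ssh/authorized_keys"
    chmod 755 "$base/testsftp"
    chmod 600 "$base/testsftp/.ssh/authorized_keys"
    for m in 770 750; do
        chmod "$m" "$base/testsftp/.ssh"
        if strictmodes_check "$base" testsftp/.ssh/authorized_keys "$me" >/dev/null; then
            echo "$m: accept"
        else
            echo "$m: reject"
        fi
    done
    rm -rf "$base"
}

demo
```

Run it against a real account by pointing strictmodes_check at / with the user's home-relative key path and numeric uid; the first component it names is the one to fix. Note that the same walk is applied to the ChrootDirectory itself, which must be root-owned and not group- or world-writable, so a chrooted sftp user's home directory cannot be made writable by that user without moving the writable area into a subdirectory.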