05-06-2009 06:00 PM
Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
sshd_config has the following:
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
The home directory the user has access to is /home/%u/home with /etc/passwd containing just "/home"
For the life of me, I can't get public key authentication to work .. I tried setting up authorized_keys in /home/%u/.ssh and /home/%u/home/.ssh
Am I going nuts? Or just missing something .. Everything else works fine .. except for this. Thanks in advance.
05-06-2009 09:47 PM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
output can be more helpful than vague descriptions.
If this Forum had a "search" feature, you might have been able to find many SSH- and SFTP-related threads, almost any of which suggest adding "-v" to the ssh or sftp command. Some of them also suggest looking at the system log files.
> [...] I tried setting up [...]
If my psychic powers were stronger, I might be able to guess what files are in this "~/.ssh" directory, their ownership, and their permissions. If they were exceptionally strong, I might even be able to guess what's in those files.
> Am I going nuts? [...]
Not enough evidence here for a decision on that, either.
> [...] Everything else works fine [...]
You've tried _everything_ else?
05-07-2009 03:58 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
My questions are really related to the following:
Should public key authentication work in an SFTP chroot jail when utilizing the SSH ChrootDirectory option? Password authentication works fine.
Where does the .ssh directory go in this configuration .. within the ChrootDirectory (/home/%u) or the home directory (/home/%u/home)?
Just to play it safe, I placed the .ssh directory in both locations .. Following are the contents, permissions and ownership of /home/%u/home/.ssh .. The same exists in /home/%u/.ssh .. id_rsa.pub exists in the receiving userid's authorized_keys.
/etc/passwd entry:
ibirisc:*:152:20:897:/home:/bin/false
/home/ibirisc/home> ls -al .ssh
total 160
drwx------ 2 ibirisc users 8192 May 7 07:40 ./
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:40 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:40 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:40 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:40 prng_seed
sftp -vv ibirisc@mtep124
Connecting to mtep124...
OpenSSH_4.3p2, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
0509-026 System error: A file or directory in the path name does not exist.
debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to mtep124 [192.168.164.18] port 22.
debug1: Connection established.
debug1: identity file /home/rross/.ssh/id_rsa type 1
debug1: identity file /home/rross/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1
debug1: match: OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mtep124' is known and matches the RSA host key.
debug1: Found key in /home/rross/.ssh/known_hosts:192
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/rross/.ssh/id_rsa (2002e798)
debug2: key: /home/rross/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/rross/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/rross/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
05-07-2009 04:51 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
Please make sure of the permissions on the following directories/files:
- chmod 700 ~/.ssh
- chmod 600 ~/.ssh/authorized_keys
- chmod go-w $HOME
Regards,
Cedrick Gaillard
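Added here as an example, not code from any poster in this thread: a small POSIX sh script that takes the passwd entry quoted above and prints the path sshd actually resolves AuthorizedKeysFile to (sshd expands it against the passwd home directory during authentication, before ChrootDirectory is applied), then runs the StrictModes-style permission checks listed in this post plus the root-ownership rule sshd enforces on ChrootDirectory itself. The function names are my own; the passwd line is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. sshd resolves AuthorizedKeysFile
# (default .ssh/authorized_keys, relative to the passwd home directory)
# before ChrootDirectory is applied, so with a passwd home of /home the
# key file is expected under /home/.ssh, not under the chroot. The
# permission checks below are the StrictModes conditions on ~, ~/.ssh
# and the key file.

# resolve_authorized_keys 'user:x:uid:gid:gecos:home:shell' [AuthorizedKeysFile]
resolve_authorized_keys() {
    _user=$(printf '%s\n' "$1" | cut -d: -f1)
    _home=$(printf '%s\n' "$1" | cut -d: -f6)
    _pattern=${2:-.ssh/authorized_keys}
    # sshd expands %h to the home directory and %u to the user name
    _path=$(printf '%s\n' "$_pattern" | sed -e "s|%h|$_home|g" -e "s|%u|$_user|g")
    case $_path in
        /*) printf '%s\n' "$_path" ;;
        *)  printf '%s/%s\n' "$_home" "$_path" ;;
    esac
}

# not_writable_by_others PATH: true when neither group nor other may write
not_writable_by_others() {
    [ -e "$1" ] &&
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# check_key_path HOME KEYFILE: prints "ok", or the first problem found
# (and returns 1), checking the home, the key's directory and the key file
check_key_path() {
    [ -f "$2" ] || { echo "missing: $2"; return 1; }
    for _p in "$1" "$(dirname "$2")" "$2"; do
        not_writable_by_others "$_p" || { echo "group/world writable: $_p"; return 1; }
    done
    echo ok
}

# check_chroot_dir DIR: ChrootDirectory itself must be root-owned and not
# writable by group or other, otherwise sshd refuses to enter the chroot
check_chroot_dir() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ] || { echo "not root-owned: $1"; return 1; }
    not_writable_by_others "$1" || { echo "group/world writable: $1"; return 1; }
    echo ok
}

# Worked on the passwd entry quoted in the thread (home directory is /home)
resolve_authorized_keys 'ibirisc:*:152:20:897:/home:/bin/false'
```

Run as-is it prints /home/.ssh/authorized_keys for the thread's passwd entry; point check_key_path and check_chroot_dir at a real home and chroot to see the first failing condition.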
05-07-2009 05:03 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
ls -alR
total 128
drwxr-xr-x 4 root root 8192 May 7 07:39 ./
drwxr-xr-x 78 root root 8192 May 6 21:12 ../
-r--r--r-- 1 ibirisc users 832 Apr 29 10:56 .cshrc
-r--r--r-- 1 ibirisc users 347 Apr 29 10:56 .exrc
-r--r--r-- 1 ibirisc users 334 Apr 29 10:56 .login
-r--r--r-- 1 ibirisc users 439 Apr 29 10:56 .profile
drwx------ 2 ibirisc users 8192 May 7 07:39 .ssh/
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 home/
./.ssh:
total 160
drwx------ 2 ibirisc users 8192 May 7 07:39 ./
drwxr-xr-x 4 root root 8192 May 7 07:39 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:39 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:39 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:39 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:39 prng_seed
./home:
total 63472
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ./
drwxr-xr-x 4 root root 8192 May 7 07:39 ../
drwx------ 2 ibirisc users 8192 May 7 07:40 .ssh/
./home/.ssh:
total 160
drwx------ 2 ibirisc users 8192 May 7 07:40 ./
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:40 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:40 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:40 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:40 prng_seed
05-07-2009 05:12 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
> Should public key authentication work in an SFTP chroot jail when utilizing the SSH ChrootDirectory option? Password authentication works fine.
Yes.
Check this doc as a reference.
http://www.hpux.ws/?p=10
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
05-07-2009 05:31 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
05-07-2009 06:38 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
"2"? (Am I hopelessly out of date with my plain-old "authorized_keys"?)
I know nothing about chroot() with SSH, but it would seem that both your keys are being rejected:
> [...]
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/rross/.ssh/id_rsa
> [...]
> debug1: Trying private key: /home/rross/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: keyboard-interactive
> Public Key Authentication works fine [...]
Do these key files work for a different, non-chroot() user?
Anything interesting in the log files on the server side?
05-07-2009 06:53 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
1. What is the platform (& o/s level) of the server you are trying to sftp with? The other server probably dropped the public key in the wrong place.
* And how did you transfer that public key to the other server? It could have gotten corrupted. *
2. SSH version 5.0 has issues with chroot; for that matter, ver 5.1 had known issues with chroot. The fix was slated to come out on the March 09 CDs, last I heard.
To make a long story short... basically, files you would need to have chroot run right on those 5.x versions have a link to a library file that would be outside the chroot-ed environment. Had a lot of fun working through the problem with HP and got a corrected version of the ssh_chroot_setup.sh script.
/rcw
05-07-2009 07:45 AM
Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory
These keys do work for my userid .. I just cp the .ssh directory from my userid to this user and changed ownership ..
"ForceCommand internal-sftp" allows you not to build a true chrooted environment .. Which makes this a simpler solution .. If PubKey Auth would work ;-) ..