Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

 
Richard Ross
Regular Advisor

Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

I set up an sftponly access via A.05.00.012 HP-UX Secure Shell.

sshd_config has the following:

Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no

The home directory the user has access to is /home/%u/home with /etc/passwd containing just "/home"

For the life of me, I can't get public key authentication to work .. I tried setting up authorized_keys in /home/%u/.ssh and /home/%u/home/.ssh

Am I going nuts? Or just missing something .. Everything else works fine .. except for this. Thanks in advance
Steven Schweda
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Showing actual commands with their actual
output can be more helpful than vague
descriptions.

If this Forum had a "search" feature, you
might have been able to find many SSH- and
SFTP-related threads, almost any of which
suggest adding "-v" to the ssh or sftp
command. Some of them also suggest looking
at the system log files.

> [...] I tried setting up [...]

If my psychic powers were stronger, I might
be able to guess what files are in this
"~/.ssh" directory, their ownership, and
their permissions. If they were
exceptionally strong, I might even be able to
guess what's in those files.

> Am I going nuts? [...]

Not enough evidence here for a decision on
that, either.

> [...] Everything else works fine [...]

You've tried _everything_ else?
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Steven .. Thanks for your early morning response ..

My questions are really related to the following:

Should public key authentication work in an SFTP chroot jail when utilizing the SSH ChrootDirectory option? Password authentication works fine.

Where does the .ssh directory go in this configuration .. within the ChrootDirectory (/home/%u) or the home directory (/home/%u/home)?

Just to play it safe, I placed the .ssh directory in both locations .. Following are the contents, permissions and ownership of /home/%u/home/.ssh .. The same exists in /home/%u/.ssh .. id_rsa.pub exists in the receiving userid's authorized_keys.

/etc/passwd entry:
ibirisc:*:152:20:897:/home:/bin/false

/home/ibirisc/home> ls -al .ssh
total 160
drwx------ 2 ibirisc users 8192 May 7 07:40 ./
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:40 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:40 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:40 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:40 prng_seed

sftp -vv ibirisc@mtep124
Connecting to mtep124...
OpenSSH_4.3p2, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to mtep124 [192.168.164.18] port 22.
debug1: Connection established.
debug1: identity file /home/rross/.ssh/id_rsa type 1
debug1: identity file /home/rross/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1
debug1: match: OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mtep124' is known and matches the RSA host key.
debug1: Found key in /home/rross/.ssh/known_hosts:192
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/rross/.ssh/id_rsa (2002e798)
debug2: key: /home/rross/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/rross/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/rross/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
mobidyc
Trusted Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Hello,

please make sure for the rights of the following directories/files:
- chmod 700 ~/.ssh
- chmod 600 ~/.ssh/authorized_keys
- chmod go-w $HOME

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Cedrick .. Thanks, but I believe my permissions are fine

ls -alR
total 128
drwxr-xr-x 4 root root 8192 May 7 07:39 ./
drwxr-xr-x 78 root root 8192 May 6 21:12 ../
-r--r--r-- 1 ibirisc users 832 Apr 29 10:56 .cshrc
-r--r--r-- 1 ibirisc users 347 Apr 29 10:56 .exrc
-r--r--r-- 1 ibirisc users 334 Apr 29 10:56 .login
-r--r--r-- 1 ibirisc users 439 Apr 29 10:56 .profile
drwx------ 2 ibirisc users 8192 May 7 07:39 .ssh/
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 home/

./.ssh:
total 160
drwx------ 2 ibirisc users 8192 May 7 07:39 ./
drwxr-xr-x 4 root root 8192 May 7 07:39 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:39 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:39 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:39 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:39 prng_seed

./home:
total 63472
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ./
drwxr-xr-x 4 root root 8192 May 7 07:39 ../
drwx------ 2 ibirisc users 8192 May 7 07:40 .ssh/

./home/.ssh:
total 160
drwx------ 2 ibirisc users 8192 May 7 07:40 ./
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:40 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:40 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:40 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:40 prng_seed
Steven E. Protter
Exalted Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Shalom,

Should public key authentication work in an SFTP chroot jail when utilizing the SSH ChrootDirectory option? Password authentication works fine.

Yes.

Check this doc as a reference.

http://www.hpux.ws/?p=10

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Steven .. Thanks .. I read through the PPT, but still confused on setting up the environment in a ChrootDirectory configuration .. Public Key Authentication works fine outside of this environment (Normal user)
Steven Schweda
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

> -rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2

"2"? (Am I hopelessly out of date with my
plain-old "authorized_keys"?)

I know nothing about chroot() with SSH, but
it would seem that both your keys are being
rejected:

> [...]
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/rross/.ssh/id_rsa
> [...]
> debug1: Trying private key: /home/rross/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: keyboard-interactive

> Public Key Authentication works fine [...]

Do these key files work for a different,
non-chroot() user?

Anything interesting in the logs files on the
server side?
Rita C Workman
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Well a couple things....

1. What is the platform (& o/s level) of the server you are trying to sftp with? The other server probably dropped the public key in the wrong place.
* And how did you transfer that public key to the other server? - it could have gotten corrupted *

2. SSH version 5.0 has issues with chroot, for that matter ver 5.1 had known issues with chroot. The fix was slated to come out on the March 09 CD's last I heard.
To make a long story short... basically, files you would need to have chroot run right on those 5.x versions have a link to a library file that would be outside the chroot-ed environment. Had a lot of fun working through the problem with HP and got a corrected version of the ssh_chroot_setup.sh script.


/rcw
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Thanks guys ..

These keys do work for my userid .. I just cp the .ssh directory from my userid to this user and changed ownership ..

"ForceCommand internal-sftp" allows you not to build a true chrooted environment .. Which makes this a simpler solution .. If PubKey Auth would work ;-) ..