Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Richard Ross
Regular Advisor

Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

I set up sftponly access via A.05.00.012 HP-UX Secure Shell.

sshd_config has the following:

Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no

The home directory the user has access to is /home/%u/home, with /etc/passwd containing just "/home".

For the life of me, I can't get public key authentication to work .. I tried setting up authorized_keys in /home/%u/.ssh and /home/%u/home/.ssh

Am I going nuts? Or just missing something .. Everything else works fine .. except for this. Thanks in advance.
13 REPLIES
Steven Schweda
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Showing actual commands with their actual output can be more helpful than vague descriptions.

If this Forum had a "search" feature, you might have been able to find many SSH- and SFTP-related threads, almost any of which suggest adding "-v" to the ssh or sftp command. Some of them also suggest looking at the system log files.

> [...] I tried setting up [...]

If my psychic powers were stronger, I might be able to guess what files are in this "~/.ssh" directory, their ownership, and their permissions. If they were exceptionally strong, I might even be able to guess what's in those files.

> Am I going nuts? [...]

Not enough evidence here for a decision on that, either.

> [...] Everything else works fine [...]

You've tried _everything_ else?
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Steven .. Thanks for your early morning response ..

My questions are really related to the following:

Should public key authentication work in an SFTP chroot jail when utilizing the SSH ChrootDirectory option? Password authentication works fine.

Where does the .ssh directory go in this configuration .. within the ChrootDirectory (/home/%u) or the home directory (/home/%u/home)?

Just to play it safe, I placed the .ssh directory in both locations .. Following are the contents, permissions and ownership of /home/%u/home/.ssh .. The same exists in /home/%u/.ssh .. id_rsa.pub exists in the receiving userid's authorized_keys.

/etc/passwd entry:
ibirisc:*:152:20:897:/home:/bin/false

/home/ibirisc/home> ls -al .ssh
total 160
drwx------ 2 ibirisc users 8192 May 7 07:40 ./
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:40 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:40 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:40 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:40 prng_seed

sftp -vv ibirisc@mtep124
Connecting to mtep124...
OpenSSH_4.3p2, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to mtep124 [192.168.164.18] port 22.
debug1: Connection established.
debug1: identity file /home/rross/.ssh/id_rsa type 1
debug1: identity file /home/rross/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1
debug1: match: OpenSSH_5.0p1+sftpfilecontrol-v1.2-hpn13v1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mtep124' is known and matches the RSA host key.
debug1: Found key in /home/rross/.ssh/known_hosts:192
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/rross/.ssh/id_rsa (2002e798)
debug2: key: /home/rross/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/rross/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/rross/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
mobidyc
Trusted Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Hello,

Please make sure the permissions of the following directories/files are set as follows:
- chmod 700 ~/.ssh
- chmod 600 ~/.ssh/authorized_keys
- chmod go-w $HOME

Regards,
Cedrick Gaillard
Best regards, Cedrick Gaillard
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Cedrick .. Thanks, but I believe my permissions are fine.

ls -alR
total 128
drwxr-xr-x 4 root root 8192 May 7 07:39 ./
drwxr-xr-x 78 root root 8192 May 6 21:12 ../
-r--r--r-- 1 ibirisc users 832 Apr 29 10:56 .cshrc
-r--r--r-- 1 ibirisc users 347 Apr 29 10:56 .exrc
-r--r--r-- 1 ibirisc users 334 Apr 29 10:56 .login
-r--r--r-- 1 ibirisc users 439 Apr 29 10:56 .profile
drwx------ 2 ibirisc users 8192 May 7 07:39 .ssh/
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 home/

./.ssh:
total 160
drwx------ 2 ibirisc users 8192 May 7 07:39 ./
drwxr-xr-x 4 root root 8192 May 7 07:39 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:39 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:39 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:39 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:39 prng_seed

./home:
total 63472
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ./
drwxr-xr-x 4 root root 8192 May 7 07:39 ../
drwx------ 2 ibirisc users 8192 May 7 07:40 .ssh/

./home/.ssh:
total 160
drwx------ 2 ibirisc users 8192 May 7 07:40 ./
drwxr-xr-x 5 ibirisc agencyrisc 8192 May 7 07:40 ../
-rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2
-rw------- 1 ibirisc users 887 May 7 07:40 id_rsa
-rw------- 1 ibirisc users 222 May 7 07:40 id_rsa.pub
-rw------- 1 ibirisc users 13336 May 7 07:40 known_hosts
-rw------- 1 ibirisc users 1024 May 7 07:40 prng_seed
Steven E. Protter
Exalted Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Shalom,

> Should public key authentication work in an SFTP chroot jail when utilizing the SSH ChrootDirectory option? Password authentication works fine.

Yes.

Check this doc as a reference.

http://www.hpux.ws/?p=10

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Steven .. Thanks .. I read through the PPT, but I'm still confused on setting up the environment in a ChrootDirectory configuration .. Public key authentication works fine outside of this environment (normal user).
Steven Schweda
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

> -rw------- 1 ibirisc users 403 May 7 07:40 authorized_keys2

"2"? (Am I hopelessly out of date with my plain-old "authorized_keys"?)

I know nothing about chroot() with SSH, but it would seem that both your keys are being rejected:

> [...]
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/rross/.ssh/id_rsa
> [...]
> debug1: Trying private key: /home/rross/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: keyboard-interactive

> Public Key Authentication works fine [...]

Do these key files work for a different, non-chroot() user?

Anything interesting in the log files on the server side?
Rita C Workman
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Well a couple things....

1. What is the platform (& o/s level) of the server you are trying to sftp with? The other server probably dropped the public key in the wrong place.
* And how did you transfer that public key to the other server? - it could have gotten corrupted *

2. SSH version 5.0 has issues with chroot; for that matter, ver 5.1 had known issues with chroot. The fix was slated to come out on the March 09 CD's, last I heard.
To make a long story short... basically, the files you would need to have chroot run right on those 5.x versions have a link to a library file that would be outside the chroot-ed environment. Had a lot of fun working through the problem with HP and got a corrected version of the ssh_chroot_setup.sh script.


/rcw
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Thanks guys ..

These keys do work for my userid .. I just cp'd the .ssh directory from my userid to this user and changed ownership ..

"ForceCommand internal-sftp" allows you not to build a true chrooted environment .. Which makes this a simpler solution .. If PubKey Auth would work ;-) ..
OldSchool
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Just a couple of possibilities:

The entry in /etc/passwd doesn't look correct for a chroot'ed user. It says HOME is /home, while ssh is set to /home/%u???

also

debug1: identity file /home/rross/.ssh/id_rsa type 1
debug1: identity file /home/rross/.ssh/id_dsa type -1

Are you (rross) attempting to connect as the restricted sftp user? I'd have thought this would have been ibirisc.

also see this thread where they talk about the "Match" clause in the config file being required:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1262739


and this one where "ForceCommand" causes login issues:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1295372
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

OldSchool .. Thanks .. Yes, I initiated the sftp from my userid (rross).

Please understand that I'm not running a full chrooted environment where one uses ssh_chroot_setup.sh to set up. This setup is not required when utilizing 'ForceCommand internal-sftp'. Also, it's my understanding that the home directory as specified in /etc/passwd reflects the directory once SSH successfully authenticates your login and cd's into the ChrootDirectory of /home/%u.

Also .. This environment works great IF you supply the password .. The only thing I can't get to work is the PubKey Authentication.
OldSchool
Honored Contributor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

Right... but my point was this quote in one of the posts:

"Don't do a ForceCommand sftp yet, as the login will not work. There's a bugzilla entry for this, and it has been fixed. We need to wait for HP-UX Secure Shell to sync with openSSH."
Richard Ross
Regular Advisor

Re: Getting pubkey authentication to work with OpenSSH 5 with ChrootDirectory

OldSchool .. Thanks for pointing that out .. Unfortunately .. Same deal .. Being prompted for the password.

Subsystem sftp internal-sftp -l VERBOSE
SftpUmask 027

Match Group sftponly
ChrootDirectory /home/%u
# ForceCommand internal-sftp
AllowTcpForwarding no

Nothing in syslog except for the password login:

May 7 21:34:22 mtep124 sshd[20478]: Accepted keyboard-interactive/pam for ibirisc from xxx.xx.xxx.xx port 59503 ssh2