
I have a server with the Ubuntu 14.04 x64 operating system.

Part of my sshd_config file (entire file):

Port 2202
Protocol 2
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      /etc/ssh/keys/%u/authorized_keys
RhostsRSAAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes

In folder /etc/ssh/keys each system user has its own folder with authorized_keys file:

ls -l /etc/ssh/keys
drw------- 2 test.com  test.com   4096 Nov 20 06:53 test.com
drw------- 2 root      root       4096 Nov 20 02:29 root

The permissions of these authorized_keys files are correct:

ls -l /etc/ssh/keys/*
/etc/ssh/keys/test.com:
total 4
-r-------- 1 test.com test.com 960 Nov 20 07:17 authorized_keys

/etc/ssh/keys/root:
total 4
-r-------- 1 root root 395 Nov 20 02:29 authorized_keys

I have the same public id_rsa in root's and test.com's authorized_keys file.
I can log in as root through ssh, but with test.com I am prompted for a password.

Here is the debug info when trying to connect with test.com user:

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/Ivan/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/Ivan/.ssh/id_dsa
debug1: Next authentication method: password

When I try to login with root I succeed:

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/Ivan/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).

I have Googled a lot of things. Couldn't find anything that solves my problem.

I have a script which creates system users using useradd command and these users are without passwords by default. I've found that system users without password may not login through ssh so I added password to test.com user. Didn't work.

I saw that UsePAM yes may be a problem. I set it to UsePAM no. Didn't work.

And yes, I did service ssh restart after each change to the sshd_config file.

I think I've tried everything and now I am clueless.

Any help will be appreciated!

  • You probably want to use PAM. Most everyone does.

    I am a little bit curious about sshd_config where you have your authorized keys. The default is AuthorizedKeysFile .ssh/authorized_keys. Have you made any changes to ssh_config (not sshd_config)?

    – SailorCire Nov 20 '14 at 15:09
  • No. I have changed only sshd_keys. There I changed the location of the keys at AuthorizedKeysFile directive – Ivan Dokov Nov 20 '14 at 15:12
  • What kind of access does Ivan have to /Users/Ivan/.ssh/id_rsa? Could it be that root can read that file but not Ivan? – YoMismo Nov 20 '14 at 15:19
  • Try more debugging msgs. ssh -vvv .... – slm Nov 20 '14 at 15:31
  • and how do you copy your key to the server? vi .ssh/authorized_keys or doing ssh-copy-id root@server? maybe if you do the first one you made a typo – maniat1k Nov 20 '14 at 19:42
  • 1
    Check the server logs (I think the right log file is /var/log/auth.log, but check any log file that gets modified by the login attempt). Edit your question and copy-paste the entries that are generated by the login attempt. – Gilles 'SO- stop being evil' Nov 20 '14 at 23:36
  • @YoMismo I am using Ivan as the client user (the one that connects to the server) and I just change the ssh user@ip... I use the same key for both users so I have access to this key. @maniat1k I am sure I do not have a typo because I tried to move the content from root/authorized_keys to test.com/authorized_keys; they are identical. @slm I used -vvv and I showed the important output in my question. @Gilles when I try to connect nothing shows up in auth.log. When I am prompted for a password I cancel the login attempt and I see this result: sshd[9138]: Connection closed by *.*.*.* [preauth] – Ivan Dokov Nov 21 '14 at 07:55
  • There is something that I don't have very clear. Are you using the -i parameter in your ssh command to specify the public key to use? Both root and Ivan are using the same public key (not a copy, the same path /Users/Ivan/.ssh/id_rsa). Do both users have the same private key in their respective ~/.ssh? What are the permissions of Ivan's .ssh/id_rsa, or the name of the private key for that public key? – YoMismo Nov 21 '14 at 09:05
  • You really got it wrong. /Users/Ivan/.ssh/id_rsa is my local private key owned by user Ivan (my local user). On the server I have the public key of Ivan user for both users root and test.com with proper permissions. I can login with root, I cannot login with test.com (prompted for password) – Ivan Dokov Nov 21 '14 at 09:15
  • Could you try with 700 permissions to both /etc/ssh/keys/test.com and /etc/ssh/keys/test.com/authorized_keys? – YoMismo Nov 21 '14 at 09:47
  • Nothing changed. Again prompted for password. – Ivan Dokov Nov 21 '14 at 09:50
  • Could you backup /etc/ssh/keys/test.com/authorized_keys and copy /etc/ssh/keys/root/authorized_keys to /etc/ssh/keys/test.com, modify user to test.com and see what happens? – YoMismo Nov 21 '14 at 10:56
  • I have already tried this. It doesn't work – Ivan Dokov Nov 21 '14 at 11:11
  • You indicate "I have the same public id_rsa in root's and test.com's authorized_keys file.", yet the authorized_keys files are different sizes. – Deathgrip Aug 21 '17 at 17:23

3 Answers


I had the same issue, and found that SELinux was preventing read access to /usr/bin/sshd when trying to remote in for some users. Typically for users that don't have a home folder under /home/. You can run

cat /var/log/messages | grep -i ssh

on the target server, and you should see a similar line indicating the error:

<Date/Time> <hostname> python: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sshd should be allowed read access on the authorized_keys file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp

You can edit the SELinux permissions to allow ssh connections or simply turn it off (less secure) to get around this.

Max
  • System in question is Ubuntu, which by default doesn't use SELinux. – sebasth Aug 21 '17 at 16:00
  • I had been happy to reformat your post, but I couldn't decide in the middle, where is a new line starting... if you want to show a fixed font, prefix the line with four spaces. Could you please make it good? – peterh Aug 21 '17 at 16:04
  • That is because the error in the log is a single line. Not multiple lines. – Max Aug 21 '17 at 16:21

sshd is very picky when it comes to permissions!

It seems that the directory permissions of /etc/ssh/keys/test.com/ are wrong! Currently the directory is read/write but may not be entered. chmod u+x /etc/ssh/keys/test.com/ && chmod o+rx /etc/ssh/keys should solve your issue. While root may enter the directory, I assume that sshd checks the octal permissions to be 0700 or 0755 + 0600 for the authorized_keys file itself. Especially when StrictModes yes.

Without access permission to the directory, and without proper permissions, the authorized_keys file cannot be read or is ignored by sshd out of security concerns.

ls -l /etc/ssh/keys
drw------- 2 test.com  test.com   4096 Nov 20 06:53 test.com
drw------- 2 root      root       4096 Nov 20 02:29 root

No x permission to the directory = no permission to actually use anything inside the directory. With these permissions, sshd would be able to get the directory listing of /etc/ssh/keys/test.com/ but not able to access the contents of /etc/ssh/keys/test.com/authorized_keys.

For root, it works because root can access anything.

telcoM
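The two answers above both come down to the same check: every path component leading to authorized_keys must be searchable by its owner, and with StrictModes none of them may be group- or world-writable. The script below is an added example, not code from the thread or from OpenSSH, that reproduces the question's layout in a temporary directory (a 0600 directory holding a 0400 authorized_keys) and reports what would stop sshd from using the key file, then applies the chmod u+x fix and checks again. It assumes GNU stat (stat -c '%a') and, unlike sshd, which walks up to the user's home directory, it stops at a directory you pass in so the demonstration can run under a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): walk each path
# component of an authorized_keys file below "$top" and report what would
# make sshd ignore it. Returns 0 when nothing blocks sshd, 1 otherwise.
check_authorized_keys_path() {
    file="$1"   # absolute path of the authorized_keys file
    top="$2"    # the walk stops here (sshd itself stops at the user's home or /)
    rel="${file#"$top"/}"
    [ "$rel" != "$file" ] || { echo "ERROR: $file is not under $top"; return 2; }
    cur="$top"
    status=0
    old_ifs="$IFS"; IFS='/'
    for comp in $rel; do
        IFS="$old_ifs"
        cur="$cur/$comp"
        # As non-root this fails for anything below a non-searchable directory,
        # which is exactly the situation the question describes.
        mode=$(stat -c '%a' "$cur" 2>/dev/null) || {
            echo "BLOCKED: cannot stat $cur (parent not searchable?)"; return 1; }
        perm=${mode#${mode%???}}      # keep the low three octal digits
        owner=${perm%??}
        rest=${perm#?}
        group=${rest%?}
        other=${rest#?}
        if [ -d "$cur" ]; then
            # No owner x bit (0,2,4,6) means the directory cannot be entered.
            case $owner in
                1|3|5|7) ;;
                *) echo "BLOCKED: $cur (mode $mode) has no owner search (x) bit"; status=1 ;;
            esac
        fi
        # A write bit (2,3,6,7) for group or other is what StrictModes rejects.
        case "$group$other" in
            *[2367]*) echo "REJECTED: $cur (mode $mode) is group- or world-writable"; status=1 ;;
        esac
    done
    IFS="$old_ifs"
    return $status
}

# Demonstration on a constructed copy of the question's layout.
demo_authorized_keys_check() {
    t=$(mktemp -d)
    mkdir -p "$t/keys/test.com"
    : > "$t/keys/test.com/authorized_keys"
    chmod 400 "$t/keys/test.com/authorized_keys"   # -r-------- as in the question
    chmod 600 "$t/keys/test.com"                   # drw------- as in the question
    echo "== before =="
    check_authorized_keys_path "$t/keys/test.com/authorized_keys" "$t" || true
    chmod u+x "$t/keys/test.com"                   # the fix from the answers above
    echo "== after =="
    check_authorized_keys_path "$t/keys/test.com/authorized_keys" "$t" && echo "OK: nothing blocks sshd"
    chmod -R u+rwx "$t"; rm -rf "$t"
}
demo_authorized_keys_check
```

Run it as the user that owns the tree (or as root): as root every stat succeeds and the check flags the 0600 directory purely from its mode bits, which is why root's own login kept working while the same bits stopped test.com's key from being read.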