[BlueOnyx:14035] Re: key-based auth for ssh user?

James james at slor.net
Fri Nov 15 17:00:18 -05 2013


Brian - for what it's worth, I ran into this a while back myself.  I
adjusted the offending parent dir permissions, and I haven't had any issues
resulting from it in 5108R.  Key-based authorization is the only method I
use now for SSH.

 

From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Brian M
Sent: Friday, November 15, 2013 4:33 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:14034] Re: key-based auth for ssh user?

 

Hi Michael-

I think I'm running into some issue specific to BOnyx permissions.  I have
this working on other distros.   Key placed in the authorized_keys file is
rsa 2048

I am hesitant to change some of the perms on this dir tree as it will affect
actual vsite accesses.

thanks for thoughts!

Brian.

-----------------------------------

Nov 15 15:33:17 www sshd[13150]: Authentication refused: bad ownership or modes for directory /home/.sites/106/site3/.users/14/theuser

drwxr-xr-x  14 root root  4096 Nov 15 15:27 home
drwxrwxr-x  6 root  root    4096 Feb  6  2010 .sites
drwxrwxr-x  3 root  root  4096 Feb  6  2010 106
drwxrwsr-x 7 nobody site3 4096 Feb  7  2010 site3
drwxr-sr-x 4 root       site3  4096 Nov  7 13:51 .users
drwxr-sr-x 3 root   site3 4096 Nov 15 15:28 14
drwxrws--x 6 theuser site3 4096 Nov 15 15:30 theuser
drwx------ 2 theuser site3 4096 Nov 15 15:30 .ssh
-rw------- 1 theuser site3  381 Nov 15 15:30 authorized_keys

 

 

On Thu, Nov 7, 2013 at 5:17 PM, Michael Stauber <mstauber at blueonyx.it>
wrote:

Hi Brian,


> I have a need to add key-based auth for one user.
>
> I have edited /etc/ssh/sshd-config and enabled pubkey auth and the path
> for the keyfile.
>
> if I create the user via useradd -m their directory gets created in /home
> but adding a key to the keyfile I specified does not allow access.

That's one way to do it, but it's neither necessary to edit the SSHd
config, nor should you create users manually with the "useradd" command.

If you manually add users with "useradd", then the users will not show
up in the GUI and they cannot be CMU-migrated either.

All you need to do for key based SSH authentication is this:

Create the user in question via the GUI. Enable shell access for the
user. Login by SSH as that user.

Now create an SSH key for that user by running this command as that user
from SSH:

ssh-keygen -t rsa

It'll ask a few questions. Simply press return on any question to accept
the defaults. This will create a 2048 bit private and public SSH key
(without password) for that user in ~username/.ssh/

Next create the file ~username/.ssh/authorized_keys and into that paste
the SSH public key that this user is using to SSH into the box.

If he's logging in from another Linux box, then that's his
~username/.ssh/id_rsa.pub on that other Linux box, provided the key was
also generated there with "ssh-keygen -t rsa" and standard parameters.

That public key will look roughly like this, although the part in the
middle is a lot longer:

ssh-rsa [Lots-of-weird-text] username at workstation.home

Save the changes.

Once that's done this user can login by SSH using key based
authentication. If his SSH session sends the key that's stored in
~username/.ssh/authorized_keys, he will be allowed to log in.

If no key is sent (or the key doesn't match), he'll be asked for the
account password instead.

That's all there is to do.

--
With best regards

Michael Stauber
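
The sshd log line quoted in the thread names the directory that failed the ownership-and-mode check. As an added example (not from the thread or from the BlueOnyx project), this script applies that kind of check to a key file and each directory up to the home directory and lists every component that fails. The function names and output labels are made up here, and the rule it applies is an assumption stated in the script's first comment.

```sh
#!/bin/sh
# Added example, not from the thread. Rule assumed (sshd StrictModes): the key
# file and each directory from it up to the home directory must be owned by
# root or the login user and must not be group- or world-writable.

# check_one PATH UID: print a finding and return 1 if PATH breaks the rule.
check_one() {
    c_path=$1; c_uid=$2; c_rc=0
    c_info=$(ls -ldn -- "$c_path" 2>/dev/null) || { echo "MISSING $c_path"; return 1; }
    # ls -ldn fields: mode string, link count, numeric owner uid, ...
    read -r c_mode c_links c_owner c_rest <<EOF
$c_info
EOF
    # In the mode string, character 6 is group write and character 9 is
    # other write (for example drwxrws--x has group write set).
    case $c_mode in
        ?????w*|????????w*) echo "WRITABLE $c_mode $c_path"; c_rc=1 ;;
    esac
    if [ "$c_owner" != 0 ] && [ "$c_owner" != "$c_uid" ]; then
        echo "OWNER uid=$c_owner $c_path"; c_rc=1
    fi
    return $c_rc
}

# strict_modes_check KEYFILE HOMEDIR UID: walk upwards from KEYFILE and stop
# after HOMEDIR. Returns 0 only if every component passes. Unlike sshd, which
# stops at the first failure, this reports all of them.
strict_modes_check() {
    s_cur=$1; s_home=${2%/}; s_uid=$3; s_rc=0
    check_one "$s_cur" "$s_uid" || s_rc=1
    while [ "$s_cur" != "$s_home" ] && [ "$s_cur" != / ] && [ "$s_cur" != . ]; do
        s_cur=$(dirname -- "$s_cur")
        check_one "$s_cur" "$s_uid" || s_rc=1
    done
    return $s_rc
}

# Usage (pass canonical absolute paths; symlinks are not resolved here):
#   sh strictmodes.sh ~user/.ssh/authorized_keys ~user "$(id -u user)"
if [ $# -eq 3 ]; then
    strict_modes_check "$@"
fi
```

For a tree with the modes shown in the listing above, the only finding is the `WRITABLE` line for the home directory; the directories above it are not examined because the walk ends at the home directory.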