[BlueOnyx:14036] Re: key-based auth for ssh user?

Brian M toomanyhandles at gmail.com
Fri Nov 15 17:11:27 -05 2013


Thanks James.  I am actually a bit concerned about opening the vsite up to
vulnerabilities by changing any perms.  In part as I have webapps deployed
on the site, and who knows where that could go awry...

Interestingly, I have issues with connectivity even if I just useradd -m
and make the account in /home.  However, in the secure log, I just see an
open/close connect, nothing verbose, for that test.



On Fri, Nov 15, 2013 at 5:00 PM, James <james at slor.net> wrote:

> Brian – for what it’s worth, I ran into this a while back myself.  I
> adjusted the offending parent dir permissions, and I haven’t had any issues
> resulting from it in 5108R.  Key-based authorization is the only method I
> use now for SSH.
>
> *From:* blueonyx-bounces at mail.blueonyx.it [mailto:
> blueonyx-bounces at mail.blueonyx.it] *On Behalf Of *Brian M
> *Sent:* Friday, November 15, 2013 4:33 PM
> *To:* BlueOnyx General Mailing List
> *Subject:* [BlueOnyx:14034] Re: key-based auth for ssh user?
>
> Hi Michael-
>
> I think I'm running into some issue specific to BOnyx permissions.  I have
> this working on other distros.   Key placed in the authorized_keys file is
> rsa 2048
>
> I am hesitant to change some of the perms on this dir tree as it will
> affect actual vsite accesses.
>
> thanks for thoughts!
>
> Brian.
>
> -----------------------------------
>
> Nov 15 15:33:17 www sshd[13150]: Authentication refused: bad ownership or
> modes for directory /home/.sites/106/site3/.users/14/theuser
>
> drwxr-xr-x  14 root root  4096 Nov 15 15:27 home
> drwxrwxr-x  6 root  root    4096 Feb  6  2010 .sites
> drwxrwxr-x  3 root  root  4096 Feb  6  2010 106
> drwxrwsr-x 7 nobody site3 4096 Feb  7  2010 site3
> drwxr-sr-x 4 root       site3  4096 Nov  7 13:51 .users
> drwxr-sr-x 3 root   site3 4096 Nov 15 15:28 14
> drwxrws--x 6 theuser site3 4096 Nov 15 15:30 theuser
> drwx------ 2 theuser site3 4096 Nov 15 15:30 .ssh
> -rw------- 1 theuser site3  381 Nov 15 15:30 authorized_keys
>
>
> On Thu, Nov 7, 2013 at 5:17 PM, Michael Stauber <mstauber at blueonyx.it>
> wrote:
>
> Hi Brian,
>
>
> > I have a need to add key-based auth for one user.
> >
> > I have edited /etc/ssh/sshd-config and enabled pubkey auth and the path
> for
> > the keyfile.
> >
> > if I create the user via useradd -m their directory gets created in /home
> > but adding a key to the keyfile I specified does not allow access.
>
> That's one way to do it, but it's neither necessary to edit the SSHd
> config, nor should you create users manually with the "useradd" command.
>
> If you manually add users with "useradd", then the users will not show
> up in the GUI and they cannot be CMU-migrated either.
>
> All you need to do for key based SSH authentication is this:
>
> Create the user in question via the GUI. Enable shell access for the
> user. Login by SSH as that user.
>
> Now create an SSH key for that user by running this command as that user
> from SSH:
>
> ssh-keygen -t rsa
>
> It'll ask a few questions. Simply press return on any question to accept
> the defaults. This will create a 2048 bit private and public SSH key
> (without password) for that user in ~username/.ssh/
>
> Next create the file ~username/.ssh/authorized_keys and into that paste
> the SSH public key that this user is using to SSH into the box.
>
> If he's logging in from another Linux box, then that's his
> ~username/.ssh/id_rsa.pub on that other Linux box, provided the key was
> also generated there with "ssh-keygen -t rsa" and standard parameters.
>
> That public key will look roughly like this, although the part in the
> middle is a lot longer:
>
> ssh-rsa [Lots-of-weird-text] username at workstation.home
>
> Save the changes.
>
> Once that's done this user can login by SSH using key based
> authentication. If his SSH session sends the key that's stored in
> ~username/.ssh/authorized_keys, he will be allowed to log in.
>
> If no key is sent (or the key doesn't match), he'll be asked for the
> account password instead.
>
> That's all there is to do.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
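As an added illustration (editor's example, not code from this thread or from BlueOnyx) of why sshd prints "bad ownership or modes" for Brian's home directory: the snippet below emulates the StrictModes walk that OpenSSH's safe_path() in misc.c performs, applied to the ls -l listing posted above. The chmod g-w in after_fix is an assumption about what "adjusting the offending parent dir permissions" amounts to.

```python
import posixpath

# Listing reconstructed from the ls -l lines Brian posted, keyed by absolute path.
HOME = "/home/.sites/106/site3/.users/14/theuser"
LISTING = {
    "/home": "drwxr-xr-x 14 root root 4096 Nov 15 15:27 home",
    "/home/.sites": "drwxrwxr-x 6 root root 4096 Feb 6 2010 .sites",
    "/home/.sites/106": "drwxrwxr-x 3 root root 4096 Feb 6 2010 106",
    "/home/.sites/106/site3": "drwxrwsr-x 7 nobody site3 4096 Feb 7 2010 site3",
    "/home/.sites/106/site3/.users": "drwxr-sr-x 4 root site3 4096 Nov 7 13:51 .users",
    "/home/.sites/106/site3/.users/14": "drwxr-sr-x 3 root site3 4096 Nov 15 15:28 14",
    HOME: "drwxrws--x 6 theuser site3 4096 Nov 15 15:30 theuser",
    HOME + "/.ssh": "drwx------ 2 theuser site3 4096 Nov 15 15:30 .ssh",
    HOME + "/.ssh/authorized_keys": "-rw------- 1 theuser site3 381 Nov 15 15:30 authorized_keys",
}

def parse_mode_owner(ls_line):
    """Return (mode string, owner) from one `ls -l` line."""
    fields = ls_line.split()
    return fields[0], fields[2]

def group_or_world_writable(mode):
    # In 'drwxrws--x' index 5 is the group write bit and index 8 the world write bit.
    # An 's' or 't' in an execute slot is irrelevant to this check; only the 'w' counts.
    return mode[5] == "w" or mode[8] == "w"

def strict_modes_check(listing, user, home, keyfile):
    """Emulate sshd with StrictModes yes: the key file and every directory from it up to
    and including $HOME must be owned by the user or root and must not be group- or
    world-writable. Directories above $HOME are never inspected.
    Returns None if sshd would accept the key, otherwise the refusal text."""
    path = keyfile
    while True:
        mode, owner = parse_mode_owner(listing[path])
        kind = "directory" if mode[0] == "d" else "file"
        if owner not in (user, "root") or group_or_world_writable(mode):
            return "Authentication refused: bad ownership or modes for %s %s" % (kind, path)
        if path == home:
            return None
        path = posixpath.dirname(path)

def after_fix(listing, home):
    """Assumed fix: chmod g-w on the home directory only (setgid bit left in place)."""
    fixed = dict(listing)
    fixed[home] = listing[home].replace("drwxrws--x", "drwxr-s--x", 1)
    return fixed

if __name__ == "__main__":
    key = HOME + "/.ssh/authorized_keys"
    print(strict_modes_check(LISTING, "theuser", HOME, key))
    print(strict_modes_check(after_fix(LISTING, HOME), "theuser", HOME, key))
```

Because the walk stops at $HOME, the group-writable site3 directory higher up is never examined; the only thing sshd objects to here is the group write bit on the home directory itself.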