<div dir="ltr">Thanks James. I am actually a bit concerned about opening the vsite up to vulnerabilities by changing any perms. In part as I have webapps deployed on the site, and who knows where that could go awry...<div>
<br></div><div>Interestingly, I have issues with connectivity even if I just useradd -m and make the account in /home. However, in the secure log, I just see an open/close connect, nothing verbose, for that test.</div><div>
<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 15, 2013 at 5:00 PM, James <span dir="ltr"><<a href="mailto:james@slor.net" target="_blank">james@slor.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Brian – for what it’s worth, I ran into this a while back myself. I adjusted the offending parent dir permissions, and I haven’t had any issues resulting from it in 5108R. Key-based authorization is the only method I use now for SSH.</span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:blueonyx-bounces@mail.blueonyx.it" target="_blank">blueonyx-bounces@mail.blueonyx.it</a> [mailto:<a href="mailto:blueonyx-bounces@mail.blueonyx.it" target="_blank">blueonyx-bounces@mail.blueonyx.it</a>] <b>On Behalf Of </b>Brian M<br>
<b>Sent:</b> Friday, November 15, 2013 4:33 PM<br><b>To:</b> BlueOnyx General Mailing List<br><b>Subject:</b> [BlueOnyx:14034] Re: key-based auth for ssh user?</span></p></div></div><div><div class="h5"><p class="MsoNormal">
 </p><div><p class="MsoNormal">Hi Michael-</p><p class="MsoNormal">I think I'm running into some issue specific to BOnyx permissions. I have this working on other distros. Key placed in the authorized_keys file is rsa 2048.</p>
<p class="MsoNormal">I am hesitant to change some of the perms on this dir tree as it will affect actual vsite accesses.</p><p class="MsoNormal">thanks for thoughts!</p><p class="MsoNormal">Brian.</p><p class="MsoNormal">-----------------------------------</p>
<pre>Nov 15 15:33:17 www sshd[13150]: Authentication refused: bad ownership or modes for directory /home/.sites/106/site3/.users/14/theuser

drwxr-xr-x 14 root    root  4096 Nov 15 15:27 home
drwxrwxr-x  6 root    root  4096 Feb  6  2010 .sites
drwxrwxr-x  3 root    root  4096 Feb  6  2010 106
drwxrwsr-x  7 nobody  site3 4096 Feb  7  2010 site3
drwxr-sr-x  4 root    site3 4096 Nov  7 13:51 .users
drwxr-sr-x  3 root    site3 4096 Nov 15 15:28 14
drwxrws--x  6 theuser site3 4096 Nov 15 15:30 theuser
drwx------  2 theuser site3 4096 Nov 15 15:30 .ssh
-rw-------  1 theuser site3  381 Nov 15 15:30 authorized_keys</pre></div>
<div><p class="MsoNormal" style="margin-bottom:12.0pt"> </p><div><p class="MsoNormal">On Thu, Nov 7, 2013 at 5:17 PM, Michael Stauber <<a href="mailto:mstauber@blueonyx.it" target="_blank">mstauber@blueonyx.it</a>> wrote:</p>
<p class="MsoNormal">Hi Brian,</p><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>> I have a need to add key-based auth for one user.<br>><br>> I have edited /etc/ssh/sshd-config and enabled pubkey auth and the path for<br>
> the keyfile.<br>><br>> if I create the user via useradd -m their directory gets created in /home<br>> but adding a key to the keyfile I specified does not allow access.</p></div><p class="MsoNormal">
That's one way to do it, but it's neither necessary to edit the SSHd<br>config, nor should you create users manually with the "useradd" command.<br><br>If you manually add users with "useradd", then the users will not show<br>
up in the GUI and they cannot be CMU-migrated either.<br><br>All you need to do for key based SSH authentication is this:<br><br>Create the user in question via the GUI. Enable shell access for the<br>user. Log in by SSH as that user.<br>
<br>Now create an SSH key for that user by running this command as that user<br>from SSH:<br><br>ssh-keygen -t rsa<br><br>It'll ask a few questions. Simply press return on any question to accept<br>the defaults. This will create a 2048 bit private and public SSH key<br>
(without password) for that user in ~username/.ssh/<br><br>Next create the file ~username/.ssh/authorized_keys and into that paste<br>the SSH public key that this user is using to SSH into the box.<br><br>If he's logging in from another Linux box, then that's his<br>
~username/.ssh/id_rsa.pub on that other Linux box, provided the key was<br>also generated there with "ssh-keygen -t rsa" and standard parameters.<br><br>That public key will look roughly like this, although the part in the<br>
middle is a lot longer:<br><br>ssh-rsa [Lots-of-weird-text] <a href="mailto:username@workstation.home" target="_blank">username@workstation.home</a><br><br>Save the changes.<br><br>Once that's done this user can log in by SSH using key based<br>
authentication. If his SSH session sends the key that's stored in<br>~username/.ssh/authorized_keys, he will be allowed to log in.<br><br>If no key is sent (or the key doesn't match), he'll be asked for the<br>
account password instead.<br><br>That's all there is to do.<br><span style="color:#888888"><br><span>--</span><br><span>With best regards</span><br><br><span>Michael Stauber</span><br><span>_______________________________________________</span><br>
<span>Blueonyx mailing list</span><br><span><a href="mailto:Blueonyx@mail.blueonyx.it" target="_blank">Blueonyx@mail.blueonyx.it</a></span><br><span><a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a></span></span></p>
</div><p class="MsoNormal"> </p></div></div></div></div></div></div>
<br></blockquote></div><br></div>
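<p>The refusal in Brian's log ("bad ownership or modes for directory .../theuser") is sshd's StrictModes check rather than a key problem: for the default AuthorizedKeysFile it inspects authorized_keys, .ssh and every directory up to and including the home directory, and rejects any of them that is not owned by root or the user, or that carries a group or world write bit. In the listing that is the home directory itself, drwxrws--x (group-writable); the group-writable .sites and 106 above it are never examined, because the walk stops at the home directory. The shell script below is an added example, not code from this thread or from BlueOnyx: it re-implements that walk so the offending component can be named before any permission on the vsite tree is touched, then runs it against a constructed scratch tree with the same shape and modes as the listing (owned by the current user, since it does not run as root). It assumes GNU coreutils stat; the path layout under .sites is copied from the listing.</p>

```shell
#!/bin/sh
# Added example, not code from the thread or from BlueOnyx. Emulates the path
# walk sshd performs under StrictModes before it trusts an authorized_keys file
# that lives under the user's home directory: the file, its .ssh directory and
# every directory up to and including the home directory must be owned by root
# or by the user, and must not carry group or world write bits.
# Assumes GNU coreutils stat (Linux).

owner_uid() {
    # Numeric uid owning "$1".
    stat -c %u "$1"
}

mode_octal() {
    # Permission bits of "$1" in octal, including setuid/setgid/sticky,
    # e.g. 2771 for drwxrws--x.
    stat -c %a "$1"
}

check_authorized_keys() {
    # $1 = home directory, $2 = uid of the user who will log in.
    # Prints one line per component sshd would reject; returns 0 when clean.
    h=$1; u=$2; rc=0
    for p in "$h/.ssh/authorized_keys" "$h/.ssh" "$h"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        o=$(owner_uid "$p"); m=$(mode_octal "$p")
        if [ "$o" != 0 ] && [ "$o" != "$u" ]; then
            echo "bad ownership (uid $o, expected 0 or $u): $p"; rc=1
        fi
        # 022 masks the group and other write bits, the same test sshd applies
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "bad modes ($m is group/world writable): $p"; rc=1
        fi
    done
    return $rc
}

build_demo_tree() {
    # $1 = scratch directory. Creates a constructed tree under it with the
    # shape and modes of Brian's listing, owned by the current user (chown
    # would need root), and prints the resulting home directory.
    top=$1
    home="$top/.sites/106/site3/.users/14/theuser"
    mkdir -p "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chmod 2775 "$top/.sites" "$top/.sites/106"   # parents are group-writable too
    chmod 2771 "$home"                           # drwxrws--x, as in the log
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    echo "$home"
}

if [ "${1:-}" = "demo" ]; then
    top=$(mktemp -d)
    home=$(build_demo_tree "$top")
    echo "== tree as listed in the thread:"
    check_authorized_keys "$home" "$(id -u)" || true
    chmod g-w "$home"                            # the one change sshd needs
    echo "== after dropping group write on the home directory:"
    check_authorized_keys "$home" "$(id -u)" && echo "clean: sshd would accept the key"
    rm -rf "$top"
fi
```

<p>Saved as, say, check_ssh_perms.sh (a hypothetical name) and run with <code>sh check_ssh_perms.sh demo</code>, the first check reports only the home directory (mode 2771) and the second passes, which is the same single adjustment James describes. On a live system call <code>check_authorized_keys</code> with the user's home directory and uid, for example from <code>getent passwd</code> and <code>id -u</code>; it names the same component sshd would put in its "bad ownership or modes" log line, without changing anything.</p>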