<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Brian – for what it’s worth, I ran into this a while back myself. I adjusted the offending parent dir permissions, and I haven’t had any issues resulting from it in 5108R. Key-based authorization is the only method I use now for SSH.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> blueonyx-bounces@mail.blueonyx.it [mailto:blueonyx-bounces@mail.blueonyx.it] <b>On Behalf Of </b>Brian M<br><b>Sent:</b> Friday, November 15, 2013 4:33 PM<br><b>To:</b> BlueOnyx General Mailing List<br><b>Subject:</b> [BlueOnyx:14034] Re: key-based auth for ssh user?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Hi Michael-<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I think I'm running into some issue specific to BOnyx permissions. I have this working on other distros. Key placed in the authorized_keys file is rsa 2048<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am hesitant to change some of the perms on this dir tree as it will affect actual vsite accesses.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>thanks for thoughts!<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Brian.<o:p></o:p></p></div><div><p class=MsoNormal>-----------------------------------<o:p></o:p></p></div><div><div><p class=MsoNormal>Nov 15 15:33:17 www sshd[13150]: Authentication refused: bad ownership or modes for directory /home/.sites/106/site3/.users/14/theuser<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwxr-xr-x 14 root root 4096 Nov 15 15:27 home<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwxrwxr-x 6 root root 4096 Feb 6 2010 .sites<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwxrwxr-x 3 root root 4096 Feb 6 2010 106<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwxrwsr-x 7 nobody site3 4096 Feb 7 2010 site3<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwxr-sr-x 4 root site3 4096 Nov 7 13:51 .users<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwxr-sr-x 3 root site3 4096 Nov 15 15:28 14<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwxrws--x 6 theuser site3 4096 Nov 15 15:30 theuser<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>drwx------ 2 theuser site3 4096 Nov 15 15:30 .ssh<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>-rw------- 1 theuser site3 381 Nov 15 15:30 authorized_keys<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Nov 7, 2013 at 5:17 PM, Michael Stauber <<a href="mailto:mstauber@blueonyx.it" target="_blank">mstauber@blueonyx.it</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Hi Brian,<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>> I have a need for to add key-based auth for one user.<br>><br>> I have edited /etc/ssh/sshd-config and enabled pubkey auth and the path for<br>> the keyfile.<br>><br>> if I create the user via useradd -m their directory gets created in /home<br>> but adding a key to the keyfile I specified does not allow access.<o:p></o:p></p></div><p class=MsoNormal>That's one way to do it, but it's neither necessary to edit the SSHd<br>config, nor should you create users manually with the "useradd" command.<br><br>If you manually add users with "useradd", then the users will not show<br>up in the GUI and they cannot be CMU-migrated either.<br><br>All you need to do for key based SSH authentication is this:<br><br>Create the user in question via the GUI. Enable shell access for the<br>user. Login by SSH as that user.<br><br>Now create an SSH key for that user by running this command as that user<br>from SSH:<br><br>ssh-keygen -t rsa<br><br>It'll ask a few questions. Simply press return on any question to accept<br>the defaults. This will create a 2048 bit private and public SSH key<br>(without password) for that user in ~username/.ssh/<br><br>Next create the file ~username/.ssh/authorized_keys and into that paste<br>the SSH public key that this user is using to SSH into the box.<br><br>If he's logging in from another Linux box, then that's his<br>~username/.ssh/id_rsa.pub on that other Linux box, provided the key was<br>also generated there with "ssh-keygen -t rsa" and standard parameters.<br><br>That public key will look roughly like this, although the part in the<br>middle is a lot longer:<br><br>ssh-rsa [Lots-of-weird-text] <a href="mailto:username@workstation.home">username@workstation.home</a><br><br>Save the changes.<br><br>Once that's one this user can login by SSH using key based<br>authentication. If his SSH session sends the key that's stored in<br>~username/.ssh/authorized_keys, he will be allowed to log in.<br><br>If no key is sent (or the key doesn't match), he'll be asked for the<br>account password instead.<br><br>That's all there is to do.<br><span style='color:#888888'><br><span class=hoenzb>--</span><br><span class=hoenzb>With best regards</span><br><br><span class=hoenzb>Michael Stauber</span><br><span class=hoenzb>_______________________________________________</span><br><span class=hoenzb>Blueonyx mailing list</span><br><span class=hoenzb><a href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a></span><br><span class=hoenzb><a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a></span></span><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>