Centralized authorized_keys (AuthorizedKeysFile) for sshd


 
# 1  
Old 03-08-2010
[SOLVED] Centralized authorized_keys (AuthorizedKeysFile) for sshd


Hi

A little background on what I want to achieve and why I do this. I have a RHEL server with users logging in via ssh. I want to start using public keys instead of passwords with ssh. But a public key is as good as a rotten tomato if it is unpassphrased, and I cannot guarantee that all users will use passphrases. Therefore I will generate both the private and public key on the server and distribute the private key to the user via a user-friendly web interface, and that's where I will force them to use a passphrase. I know they can change the passphrase later or remove it totally, but my users are not so advanced.

So now I am trying to set up a centralized authorized_keys file to be able to make them only root-writable, so they cannot put their own public keys on the server; it will be handled by scripts.

Now the actual problem. I created a /etc/ssh/keys directory instead of ~/.ssh and changed AuthorizedKeysFile to /etc/ssh/keys/%u in sshd_config.


But when I try to connect with the key I get the following error in the logs (after enabling DEBUG3 in sshd_config):


Code:
Mar  8 15:22:28 stagesmpp sshd[12248]: debug3: mm_request_receive entering 
Mar  8 15:22:29 stagesmpp sshd[22358]: debug2: channel 0: rcvd adjust 33544 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: monitor_read: checking request 20 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: mm_answer_keyallowed entering 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: mm_answer_keyallowed: key_from_blob: 0x579a80 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: temporarily_use_uid: 500/500 (e=0/0) 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: trying public key file /etc/ssh/keys/ipx 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: fd 4 clearing O_NONBLOCK 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/etc/ssh/keys' 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/etc/ssh' 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/etc' 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/' 
Mar  8 15:22:30 stagesmpp sshd[12248]: Authentication refused: bad ownership or modes for directory / 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: restore_uid: 0/0 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: temporarily_use_uid: 500/500 (e=0/0) 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: trying public key file /etc/ssh/keys/ipx 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: fd 4 clearing O_NONBLOCK 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/etc/ssh/keys' 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/etc/ssh' 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/etc' 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug3: secure_filename: checking '/' 
Mar  8 15:22:30 stagesmpp sshd[12248]: Authentication refused: bad ownership or modes for directory / 
Mar  8 15:22:30 stagesmpp sshd[12248]: debug1: restore_uid: 0/0 
Mar  8 15:22:30 stagesmpp sshd[12248]: Failed publickey for ipx from 10.0.76.150 port 53394 ssh2

Here is what the permissions look like on the files/dirs:

Code:
/             drwxr-xr-x  91 root root 12288 Mar  8 11:22 etc
/etc          drwxr-xr-x   3 root root  4096 Mar  8 15:21 ssh
/etc/ssh      drwxr-xr-x   2 root root  4096 Mar  8 13:55 keys
/etc/ssh/keys -r--------   1 ipx  ipx    395 Mar  8 13:39 ipx

What is the problem with the permissions? I cannot figure it out.


Regards
/Bortek

# 2  
Old 03-08-2010
Code:
chmod 700 /etc/ssh/keys

# 3  
Old 03-09-2010
Well, if I chmod 700 /etc/ssh/keys then I think it cannot even access that directory.

Code:
Mar  9 09:18:34 stagesmpp sshd[18774]: debug3: mm_answer_authpassword: sending result 0
Mar  9 09:18:34 stagesmpp sshd[18774]: debug3: mm_request_send entering: type 11
Mar  9 09:18:34 stagesmpp sshd[18774]: Failed none for ipx from 10.0.76.150 port 59747 ssh2
Mar  9 09:18:34 stagesmpp sshd[18774]: debug3: mm_request_receive entering
Mar  9 09:18:37 stagesmpp sshd[18774]: debug3: monitor_read: checking request 20
Mar  9 09:18:37 stagesmpp sshd[18774]: debug3: mm_answer_keyallowed entering
Mar  9 09:18:37 stagesmpp sshd[18774]: debug3: mm_answer_keyallowed: key_from_blob: 0x66cef0
Mar  9 09:18:37 stagesmpp sshd[18774]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Mar  9 09:18:37 stagesmpp sshd[18774]: debug1: trying public key file /etc/ssh/keys/ipx
Mar  9 09:18:37 stagesmpp sshd[18774]: debug1: restore_uid: 0/0
Mar  9 09:18:37 stagesmpp sshd[18774]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Mar  9 09:18:37 stagesmpp sshd[18774]: debug1: trying public key file /etc/ssh/keys/ipx
Mar  9 09:18:37 stagesmpp sshd[18774]: debug1: restore_uid: 0/0
Mar  9 09:18:37 stagesmpp sshd[18774]: Failed publickey for ipx from 10.0.76.150 port 59747 ssh2
Mar  9 09:18:37 stagesmpp sshd[18774]: debug3: mm_answer_keyallowed: key 0x66cef0 is not allowed
Mar  9 09:18:37 stagesmpp sshd[18774]: debug3: mm_request_send entering: type 21
Mar  9 09:18:37 stagesmpp sshd[18774]: debug3: mm_request_receive entering

This is strange because I have read on other forums that people have done it, but they never mention what permissions they used on directories and subdirectories.

What am I doing wrong?

# 4  
Old 03-10-2010
The log shows the permission issue is gone. Now you need to put the user's public key in /etc/ssh/keys/%u/authorized_keys

Code:
#vi sshd_config
AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys
#/etc/init.d/sshd reload

# 5  
Old 03-10-2010
Bingo! That's it. The / was group writable; I could not even think about it, but this is a test server, so I must have played with permissions long ago and broke /. I changed the / permissions to drwx-rx-rx and it started to work!!! Thanks everybody!
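The failure in this thread is sshd's StrictModes walk (the secure_filename lines in the debug log): the key file and every parent directory up to the user's home or / must be owned by root or the user and must not be group- or world-writable, which is why a group-writable / rejected an otherwise correct /etc/ssh/keys/ipx. The following shell function is an added example, not code from the thread, that performs the same walk so you can find the offending component before reading sshd at DEBUG3; it assumes GNU coreutils stat, and the function name and sample tree are my own.

```shell
#!/bin/sh
# Emulates sshd's StrictModes path check (secure_filename in the sshd debug log).
# Added example, not part of the thread; assumes GNU coreutils 'stat -c'.
# Usage: check_keyfile_path FILE USER HOMEDIR
# Returns 0 if sshd would accept FILE as an AuthorizedKeysFile for USER,
# 1 if some path component fails the ownership/mode checks, 2 on stat/id errors.
check_keyfile_path() {
    file=$1; user=$2; home=$3
    uid=$(id -u "$user" 2>/dev/null) || return 2
    [ -f "$file" ] || { echo "refused: $file is not a regular file"; return 1; }
    p=$file
    while :; do
        # owner uid and symbolic mode, e.g. "0 drwxr-xr-x"
        info=$(stat -c '%u %A' "$p") || return 2
        owner=${info%% *}; perms=${info#* }
        # every component must be owned by root or the user ...
        if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
            echo "refused: bad ownership for $p (uid $owner, expected 0 or $uid)"
            return 1
        fi
        # ... and must not carry a group (position 6) or other (position 9) write bit
        case $perms in
            ?????w*|????????w*)
                echo "refused: bad modes for $p ($perms is group/world writable)"
                return 1 ;;
        esac
        # sshd stops once it has validated the user's home directory or /
        if [ "$p" = "$home" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    echo "ok: $file passes StrictModes checks"
    return 0
}

# Example from the thread: a key file outside the home directory is walked all
# the way up to /, so a group-writable / rejects it (constructed invocation).
# check_keyfile_path /etc/ssh/keys/ipx ipx /home/ipx
```

Running it against the thread's layout with a group-writable / prints the same "bad modes" refusal sshd logged, and chmod 700 on /etc/ssh/keys passes because the directory's owner is root.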