Date: Thu, 24 May 2018 12:09:25 +0100
From: tech-lists <tech-lists@zyxst.net>
To: freebsd-questions@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: trying to get sftp-only logins to work with a public keys
Message-ID: <cf258d06-919e-9bcd-6d85-d68cea358fde@zyxst.net>

Hello list,

I'm trying to get (chrooted) sftp login working with public keys.

I made an sftp-only user which works fine, and is chrooted. I created a
.ssh directory with 770 perms (root:user) and put their public key in
there with 600 perms (user:user); however, when trying pubkey auth it
always falls back to keyboard-interactive (which will succeed when the
password is applied). I don't know why in key exchange it says it sent a
packet then didn't. Can anyone help please?

Context is recent freebsd-11-stable, both client and server.

I have this in /etc/ssh/sshd_config:

    Subsystem sftp internal-sftp

    Match User testsftp
        ChrootDirectory /usr/home/testsftp
        PubkeyAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no
        AuthorizedKeysFile /usr/home/testsftp/.ssh/authorized_keys
        ForceCommand internal-sftp

permissions in the test user's .ssh dir are like this:

    drwxrwx---  2 root      testsftp   512B May 24 10:51 .
    drwxr-xr-x  5 root      testsftp   512B May 24 10:35 ..
    -rw-------  1 testsftp  testsftp   105B May 24 11:49 authorized_keys

here is the -v -v debug output from ssh client:

    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug2: key: /home/REDACTED/.ssh/id_rsa (0x0)
    debug2: key: /home/REDACTED/.ssh/id_dsa (0x0)
    debug2: key: /home/REDACTED/.ssh/id_ecdsa (0x0)
    debug2: key: /home/REDACTED/.ssh/id_ed25519 (0x802015240)
    debug1: SSH2_MSG_EXT_INFO received
    debug1: Fssh_kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/REDACTED/.ssh/id_rsa
    debug1: Trying private key: /home/REDACTED/.ssh/id_dsa
    debug1: Trying private key: /home/REDACTED/.ssh/id_ecdsa
    debug1: Offering ED25519 public key: /home/REDACTED/.ssh/id_ed25519
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug2: input_userauth_info_req
    debug2: input_userauth_info_req: num_prompts 1
    Password for testsftp@REDACTED:

thanks,
-- 
J.
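
For reference alongside the listing in the message above, an added example (not part of the original post) that applies the ownership and mode rules sshd enforces under StrictModes (default yes) to the authorized_keys file and each directory up to the user's home. The uid 1001 for testsftp and the home directory /usr/home/testsftp are assumptions, and the function names are hypothetical.

```python
import os
import stat

def check_entry(path, mode, owner_uid, user_uid):
    """Problems for one path component: wrong owner, or group/world-writable."""
    problems = []
    if owner_uid not in (0, user_uid):
        problems.append(f"{path}: owned by uid {owner_uid}, not root or the user")
    if mode & 0o022:
        problems.append(f"{path}: mode {mode & 0o777:o} is group- or world-writable")
    return problems

def audit(entries, user_uid):
    """entries: (path, mode, owner_uid) from the key file up to the home dir."""
    problems = []
    for path, mode, owner in entries:
        problems += check_entry(path, mode, owner, user_uid)
    return problems

def audit_live(keyfile, home, user_uid):
    """Same check on the real filesystem, walking from keyfile up to home."""
    entries, path = [], os.path.realpath(keyfile)
    home = os.path.realpath(home)
    while True:
        st = os.stat(path)
        entries.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
        if path == home or path == os.path.dirname(path):
            break
        path = os.path.dirname(path)
    return audit(entries, user_uid)

# Constructed input mirroring the listing in the post.
UID = 1001  # assumed uid of testsftp
POSTED = [
    ("/usr/home/testsftp/.ssh/authorized_keys", 0o600, UID),
    ("/usr/home/testsftp/.ssh", 0o770, 0),
    ("/usr/home/testsftp", 0o755, 0),
]
# Same layout with the group write bit removed from .ssh (passes the check).
CORRECTED = [(p, 0o750 if p.endswith("/.ssh") else m, o) for p, m, o in POSTED]

if __name__ == "__main__":
    for label, layout in (("posted", POSTED), ("0750 on .ssh", CORRECTED)):
        print(label, audit(layout, UID) or "ok")
```

On the server itself, `audit_live("/usr/home/testsftp/.ssh/authorized_keys", "/usr/home/testsftp", uid)` runs the same rules against the real files.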