Date:      Sat, 14 Sep 2019 21:20:10 +1000
From:      MJ <mafsys1234@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: OT: My ssh authorized_keys doesn't work with nfs/nis
Message-ID:  <b67fb85d-ae07-a5af-3eec-0e7b1ad63fba@gmail.com>
In-Reply-To: <CAGBxaXmyX-YT4=1aH5dCRT4sj0H1ZMxnOnKO4ctVf=vtWqY=5Q@mail.gmail.com>
References:  <CAGBxaXkVQNE6deyWs9JXh9vqmKz8tLc9HfqC8ZmBLrK2jv7p3A@mail.gmail.com> <0b5eed49-986a-d40e-7df9-971a47cb500e@FreeBSD.org> <CAGBxaXmyX-YT4=1aH5dCRT4sj0H1ZMxnOnKO4ctVf=vtWqY=5Q@mail.gmail.com>



On 14/09/2019 9:09 pm, Aryeh Friedman wrote:
> On Sat, Sep 14, 2019 at 6:50 AM Matthew Seaman <matthew@freebsd.org> wrote:
> 
>> On 14/09/2019 08:39, Aryeh Friedman wrote:
>>> My ~/.ssh/authorized_keys file works fine on a machine that is not in my
>>> NIS domain but when I copy my id_rsa.pub (which is what I did to create the
>>> non-NIS authorized_keys) to my NIS account and give it the same permissions
>>> as the working machine it insists on asking for a password.
>>>
>>> ssh faraway (non-NIS machine)
>>> does not ask for a password
>>> but
>>> ssh nearby (NIS machine) does
>>>
>>> Both have identical authorized keys and both (and their parent dirs) are
>>> set to 644.  Both machines are FreeBSD 11 and the machine doing the ssh
>>> call is FreeBSD 12
>>>
>>
>> Check the ownership / permissions on ~/.ssh on the machine where key
>> based auth is not working -- sshd will refuse to use authorized_keys if
>> it thinks permissions are too loose.
>>
> 
> I don't think you can make them any tighter than this and not get errors:
> 
> aryeh% id
> uid=1001(aryeh) gid=1001(aryeh) groups=1001(aryeh),0(wheel),1003(aegis)
> aryeh% ls -ld .ssh
> drwx------  2 aryeh  aryeh  512 Sep 14 06:49 .ssh
> aryeh% ls -l .ssh
> total 16
> -rw-------  1 aryeh  aryeh   792 Sep 14 05:02 authorized_keys
> -rw-------  1 aryeh  aryeh  1675 Aug 30 11:09 id_rsa
> -rw-------  1 aryeh  aryeh   396 Aug 30 11:09 id_rsa.pub
> -rw-------  1 aryeh  aryeh   545 Sep 14 03:19 known_hosts
> 
> 
>> Also check for authorized_keys related settings in /etc/ssh/sshd_config
>> -- it is not uncommon to require authorized_keys to be installed in some
>> centralized, root owned directory that individual users don't have write
>> access to.
>>
> 
> I am using the default out of the box /etc/sshd_config for 11 and 12 that
> has only two uncommented out configs:
> 
> AuthorizedKeysFile .ssh/authorized_keys
> Subsystem sftp /usr/libexec/sftp-server

On mine (2 I looked at):
1 has ~/.ssh/authorized_keys
and the other has it commented out.
Both work.

That path doesn't look right. Shouldn't it be either "~/" or "%h/"?

> 
> So unless I am reading the first one completely wrong then it uses
> ~user/.ssh/authorized_keys which is what the ls above is of.
> 
> 
>>          Cheers,
>>
>>          Matthew
>>
>>
> 
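
Added example (not part of the original message and not OpenSSH code): a POSIX sh check that mirrors the ownership and mode tests sshd applies with StrictModes enabled, which cover the home directory itself as well as ~/.ssh and authorized_keys. The function names `check_path` and `check_authorized_keys` are hypothetical, and the home directory is passed explicitly so an NFS-mounted home can be checked on the server that rejects the key.

```shell
#!/bin/sh
# Added example: approximate the StrictModes checks sshd performs before it
# trusts an authorized_keys file. Each path must be owned by the login user
# or by root (uid 0) and must not be writable by group or other.

# check_path USER PATH: print a verdict, return 1 if the path would be rejected.
check_path() {
    cp_user=$1
    cp_path=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING $cp_path"
        return 1
    fi
    # find prints the path only when the owner is neither USER nor uid 0.
    if [ -n "$(find "$cp_path" -prune ! -user "$cp_user" ! -user 0)" ]; then
        echo "BAD-OWNER $cp_path"
        return 1
    fi
    # find prints the path when the group or other write bit is set (mode & 022).
    if [ -n "$(find "$cp_path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "TOO-OPEN $cp_path"
        return 1
    fi
    echo "OK $cp_path"
}

# check_authorized_keys USER HOME: check HOME, HOME/.ssh and the key file.
check_authorized_keys() {
    ak_user=$1
    ak_home=$2
    ak_rc=0
    for ak_p in "$ak_home" "$ak_home/.ssh" "$ak_home/.ssh/authorized_keys"; do
        check_path "$ak_user" "$ak_p" || ak_rc=1
    done
    return $ak_rc
}

# Run as: sh check.sh aryeh /home/aryeh   (on the machine that asks for a password)
if [ "$#" -eq 2 ]; then
    check_authorized_keys "$1" "$2"
fi
```

Run it as root on the NIS/NFS machine so that every path can be examined; a BAD-OWNER result there means the uid stored on the files differs from the uid the account resolves to on that host.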


