[scponly] ssh key auth. using the same chroot env., possible?

Paul Hyder Paul.Hyder at noaa.gov
Tue Jun 26 12:37:42 EDT 2007


The key handling is done by sshd and depends on the specific implementation.
(To trace a problem you could run sshd in debug mode.)  There are also possible
operating system differences.

Having said that, in virtually all cases the default of ~/.ssh/authorized_keys
should work (does for us with Linux and OpenSSH) as long as the directory
ownership and permissions are set correctly and the correct HOME directory
is used.

In your case (using a home directory of /some/path/to/user//files) the
default that should work is /some/path/to/user/files/.ssh/authorized_keys.
Verify that the .ssh directory is owned by the user and permissions
are set to rwx only by the user (mode 700).

If this still doesn't work please let us know more about the OS and version
of sshd.
    Paul Hyder

Whit Blauvelt wrote:
> Your first method does work, Paul. So that's good enough. What won't work
> for me is putting authorized_keys in the home directory (whether defined as
> before or after the // - in an .ssh subdir of course). Is the second way
> actually working for anybody? I'd be curious to know the trick if so to
> complete a page on the wiki.
> 
> Whit
> 
>> On Wed, Nov 29, 2006 at 10:21:17PM -0700, Paul Hyder wrote:
>>> Relocating ssh keys is easy.
>>>   -update the sshd_config AuthorizedKeysFile variable to match the new,
>>>    root owned location (no longer in ~/.ssh/authorized_keys)
>>>    We use /home/admin/.ssh/%u/authorized_keys2 and a single jail.
>>>   -understand that the ssh key handling occurs BEFORE scponly, the keys
>>>    should be located above the chroot point if you don't want the users
>>>    to maintain them.  (otherwise the sshd can look in the user's chroot
>>>    incoming .ssh directory)
>>>
>>> Paul Hyder
>>> NOAA Earth System Research Laboratory, Global Systems Division
>>> Boulder, CO
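
A check for the conditions described in this message, as an added example that is not part of the original post or of scponly: it resolves the path sshd sees for a home directory containing the `//` chroot marker, then verifies that `.ssh` is owned by the user with mode 700. The function name `check_key_dir` and its arguments are hypothetical, GNU `stat` is assumed, and the extra write-bit test on the key file reflects OpenSSH's StrictModes behaviour rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example (constructed, not from the scponly project). Assumes GNU stat.
# check_key_dir HOME_FIELD USER
#   HOME_FIELD  home directory as configured, may contain the "//" chroot marker
#   USER        login name or numeric uid expected to own .ssh
# Prints one line per problem found; returns 0 only when none are found.
check_key_dir() {
    home_field=$1
    user=$2
    rc=0

    # sshd reads the keys before scponly runs, so it sees the full path and
    # "//" is just "/" to it. Collapse runs of slashes to get that path.
    home=$(printf '%s' "$home_field" | sed 's://*:/:g')
    dir="$home/.ssh"
    keys="$dir/authorized_keys"

    # Accept a name or a uid; fall back to the literal value if lookup fails.
    want_uid=$(id -u "$user" 2>/dev/null) || want_uid=$user

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi

    # The two conditions from the message: owned by the user, mode 700.
    have_uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$have_uid" = "$want_uid" ] || { echo "$dir: owner uid $have_uid, expected $want_uid"; rc=1; }
    [ "$mode" = "700" ] || { echo "$dir: mode $mode, expected 700"; rc=1; }

    if [ ! -f "$keys" ]; then
        echo "missing file: $keys"
        rc=1
    else
        kmode=$(stat -c '%a' "$keys")
        # OpenSSH StrictModes also refuses a key file writable by group/other.
        [ $(( 0$kmode & 022 )) -eq 0 ] || { echo "$keys: mode $kmode is group/other writable"; rc=1; }
    fi
    return $rc
}

# Usage with the placeholder path from the message:
#   check_key_dir /some/path/to/user//files someuser
```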



