[scponly] Could not open keyfile '/home/testuser/.ssh/authorized_keys': Permission denied

oliver rau oliver.rau at systemlogistik.dpd.com
Thu Oct 25 15:24:07 EDT 2012


Hi Kaleb,

here's that stuff / changes:

ls -ld /
drwxr-xr-x 21 root root 4096 27. Sep 12:14 /

ls -ld /home
drwxr-xr-x 15 root root 4096 24. Okt 15:47 /home

ls -ld /home/daTeV2SyS9/
drwxr-xr-x 9 root root 4096 24. Okt 15:50 /home/daTeV2SyS9/

ls -ld /home/daTeV2SyS9/.ssh/
drwx------ 2 daTeV2SyS9 daTeV2SyS9 4096 25. Okt 13:48 /home/daTeV2SyS9/.ssh/

ls -l /home/daTeV2SyS9/.ssh/authorized_keys
-rw------- 1 daTeV2SyS9 daTeV2SyS9 2450 25. Okt 14:39 /home/daTeV2SyS9/.ssh/authorized_keys


Because I guess there are some missing libs:

ls -l /home/daTeV2SyS9/lib/
drwxr-xr-x 3 root root   4096 24. Okt 15:47 i686
-rwxr-xr-x 1 root root 118060 24. Okt 15:47 ld-linux.so.2
-rwxr-xr-x 1 root root  26492 24. Okt 15:47 libacl.so.1
-rwxr-xr-x 1 root root  14888 24. Okt 15:47 libattr.so.1
-rwxr-xr-x 1 root root  30496 24. Okt 15:47 libnss_compat-2.11.3.so
-rwxr-xr-x 1 root root  30496 24. Okt 15:47 libnss_compat.so.2
-rw-r--r-- 1 root root  42580  8. Jun 07:46 libnss_files-2.11.3.so
lrwxrwxrwx 1 root root     22  2. Okt 09:09 libnss_files.so.2 -> libnss_files-2.11.3.so
-rwxr-xr-x 1 root root   8436 24. Okt 15:47 libpam_misc.so.0
-rwxr-xr-x 1 root root  43360 24. Okt 15:47 libpam.so.0
-rwxr-xr-x 1 root root  40732 24. Okt 15:47 libpopt.so.0
-rwxr-xr-x 1 root root 104276 24. Okt 15:47 libselinux.so.1

ls -l /home/daTeV2SyS9/lib/i686/cmov/
-rwxr-xr-x 1 root root   38360 24. Okt 15:47 libcrypt.so.1
-rwxr-xr-x 1 root root 1327556 24. Okt 15:47 libc.so.6
-rwxr-xr-x 1 root root    9736 24. Okt 15:47 libdl.so.2
-rw-r--r-- 1 root root   42580  8. Jun 07:46 libnss_files-2.11.3.so
lrwxrwxrwx 1 root root      22  2. Okt 09:10 libnss_files.so.2 -> libnss_files-2.11.3.so
-rwxr-xr-x 1 root root  117367 24. Okt 15:47 libpthread.so.0
-rwxr-xr-x 1 root root   30684 24. Okt 15:47 librt.so.1


And finally the stripped /etc/ssh/sshd_config:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel DEBUG
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile  %h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

A simple 'sftp -v daTeV2SyS9@localhost' connects without prompting for a password; it also works from a client command line:

Oct 25 21:10:51 sys-ftp sshd[1142]: debug1: Forked child 3763.
Oct 25 21:10:51 sys-ftp sshd[3763]: Set /proc/self/oom_adj to 0
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: inetd sockets after dupping: 3, 3
Oct 25 21:10:51 sys-ftp sshd[3763]: Connection from 127.0.0.1 port 45509
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1 Debian-6+squeeze2
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: match: OpenSSH_5.5p1 Debian-6+squeeze2 pat OpenSSH*
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: Enabling compatibility mode for protocol 2.0
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: PAM: initializing for "daTeV2SyS9"
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: PAM: setting PAM_RHOST to "localhost"
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 25 21:10:51 sys-ftp sshd[3763]: Failed none for daTeV2SyS9 from 127.0.0.1 port 45509 ssh2
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: temporarily_use_uid: 1013/1013 (e=0/0)
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: trying public key file /home/daTeV2SyS9/.ssh/authorized_keys
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: fd 4 clearing O_NONBLOCK
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: matching key found: file /home/daTeV2SyS9/.ssh/authorized_keys, line 2
Oct 25 21:10:51 sys-ftp sshd[3763]: Found matching DSA key: 0e:88:47:b9:bb:05:0f:03:38:9b:03:6b:a1:1f:ab:2e
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: restore_uid: 0/0
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: temporarily_use_uid: 1013/1013 (e=0/0)
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: trying public key file /home/daTeV2SyS9/.ssh/authorized_keys
Oct 25 21:10:51 sys-ftp sshd[3763]: debug1: fd 4 clearing O_NONBLOCK

What does this line mean: Oct 25 21:10:51 sys-ftp sshd[3763]: Failed none for daTeV2SyS9 from 127.0.0.1 port 45509 ssh2

If I use a script, it always hangs with 'failed none for daTeV2SyS9' and that's it.

Thanks,
Oliver

On 25.10.2012 17:52, Kaleb Pederson wrote:
> I don't understand exactly what changes you made. I'll need to see the
> full permissions on the hierarchy to be able to offer any suggestions.
>
> OpenSSH should provide sufficient information to debug this when using
> the right settings.
>
> Also, the scponly FAQ references strace/ktrace/struss that can also be
> used to find out exactly what system call is failing.
>
> --Kaleb
>
> On Thu, Oct 25, 2012 at 1:58 AM, Oliver Rau
> <oliver.rau at systemlogistik.dpd.com> wrote:
>>
>> On 25.10.2012 07:23, Kaleb Pederson wrote:
>>> On Wed, Oct 24, 2012 at 11:14 AM, oliver rau
>>> <oliver.rau at systemlogistik.dpd.com> wrote:
>>>
>>> I presume that testuser is NOT in the ftpgroup?
>>>
>>> I emulated the rest of your permissions and everything works on my
>>> machine. I'd bet that if you add o+rx to that directory everything
>>> works?
>>>
>>> Please confirm.
>>>
>> I changed testuser to daTeV2SyS9, with a similar config as before, then I put
>> 0755 on /home, but it still doesn't work; I got these messages in auth.log:
>>
>> Oct 25 10:47:48 sys-ftp sshd[18967]: debug1: Forked child 19912.
>> Oct 25 10:47:48 sys-ftp sshd[19912]: Set /proc/self/oom_adj to 0
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: inetd sockets after dupping: 3, 3
>> Oct 25 10:47:48 sys-ftp sshd[19912]: Connection from 10.15.19.xxx port 47981
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: Client protocol version 2.0; client software version 1.34
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: no match: 1.34
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: Enabling compatibility mode for protocol 2.0
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: PAM: initializing for "daTeV2SyS9"
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: PAM: setting PAM_RHOST to "em2012.systemlogistik.dpd.de"
>> Oct 25 10:47:48 sys-ftp sshd[19912]: debug1: PAM: setting PAM_TTY to "ssh"
>> Oct 25 10:47:48 sys-ftp sshd[19912]: Failed none for daTeV2SyS9 from 10.15.19.100 port 47981 ssh2
>>
>> Thanks,
>> Oliver
>>
>>
>> Registered office: Neufahrn bei Freising
>> Register court Munich HRA 77871
>>
>> Personally liable partner:
>> DPD Systemlogistik Management GmbH
>> Register court Bad Hersfeld HRB 799
>> Managing director: Andreas Wild
>>
>>
>> E-mails protect the environment, all the more when they are not printed out.
>> Please print this e-mail only if necessary.
>>
>> Think about the environment! Do not print this mail unless necessary.

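As an added example (not code from the thread or from scponly), a script that applies the same ownership and mode rules sshd's StrictModes enforces on the authorized_keys path, plus the root-ownership rule for a directory used as a chroot target, so a hierarchy like the ls output above can be checked before the next login attempt. It assumes GNU stat (Linux); the user name, home directory and key path are arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the ownership and mode
# rules sshd's StrictModes uses (OpenSSH auth_secure_path) to an
# authorized_keys path, plus the root-ownership rule for a chroot target.
# Assumes GNU stat (Linux). Every check prints what it rejects.

# check_keypath USER HOMEDIR KEYFILE: the key file and each directory from
# its parent up to HOMEDIR must be owned by root or USER and must not be
# group- or other-writable. Returns 1 if anything was rejected.
check_keypath() {
    user=$1 home=$2 keyfile=$3 rc=0
    p=$keyfile
    while :; do
        if [ ! -e "$p" ]; then
            echo "$p: does not exist"; return 1
        fi
        owner=$(stat -c %U "$p")
        mode=$(stat -c %a "$p")
        if [ "$owner" != root ] && [ "$owner" != "$user" ]; then
            echo "$p: owned by $owner, expected root or $user"; rc=1
        fi
        # 022 = group-write | other-write, the bits sshd refuses
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: mode $mode is group/other writable"; rc=1
        fi
        # sshd stops once the home directory itself has been checked
        [ "$p" = "$home" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# check_chroot_dir DIR: a directory used as a chroot (scponly's jail or
# sshd's ChrootDirectory) must be root-owned and not group/other writable,
# otherwise the confined user could alter the jail's own contents.
check_chroot_dir() {
    d=$1
    if [ "$(stat -c %U "$d")" != root ]; then
        echo "$d: chroot directory must be owned by root"; return 1
    fi
    if [ $(( 0$(stat -c %a "$d") & 022 )) -ne 0 ]; then
        echo "$d: chroot directory is group/other writable"; return 1
    fi
}

# Usage: check_keypath.sh USER HOMEDIR KEYFILE
if [ $# -eq 3 ]; then
    check_keypath "$1" "$2" "$3" && check_chroot_dir "$2"
fi
```

Note that "Failed none" is only sshd recording the client's initial "none" method probe, which every session starts with; the lines that decide the outcome are the later public-key ones.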


