[scponly] RSA Keys and scponly

Ralf Durkee rd at rd1.net
Sun Nov 6 01:41:05 EST 2005


The authorized keys file can be moved out of the home directory to a 
system directory such as the real root /etc/ssh/ using the 
"AuthorizedKeysFile" directive in your sshd_config file. See 
sshd_config(5) man page for details. This is recommended if you don't 
want your users installing their own keys. The ownership of the 
authorized key should be root, but the group should be a user specific 
group, with just read access for the user.

But get it working with an account that has a regular shell first, as 
Lupe Christoph suggested. The authentication and the shell are 2 
different steps.

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Security Consultant
http://rd1.net


Frank Mohr wrote:
> Tim Churchard wrote:
> 
>>My scponlyc users cannot login, the server denies the public key
>>every time.  At the moment I have the test username: scponlyctest and his
>>chroot home directory is /mnt/share/rbup/scponlytest
>>
>>I had to create a
>> .ssh directory in that test directory, I chown'd it to
>>scponlytest:users and chmod to 0700 for the directory and 0600 for the
>>authorized_keys and known_hosts files.  
> 
> 
> that shouldn't be necessary as the .ssh directory and authorized_keys
> file may also belong to root, but your chown's shouldn't hurt
> a known_hosts file is only needed for the ssh client
> 
> 
>>Did I create the .ssh directory
>>in the wrong place?  (it's just in the ~ directory) 
> 
> 
> it just has to be ~scponlyctest/.ssh
> 
> 
>>Can somebody explain how using scponlyc to chroot users would affect the
>> RSA key validation?  Is there a howto or some docs somewhere I should read?
> 
> 
> as the scponly/scponlyc shell doesn't interact with the ssh login
> process, there should be no problem with the scponlyc shell
> 
> the /mnt/share/rbup/scponlytest directory sounds strange
> is this a local disk or a nfs (or even smb?) mount ?
> 
> the authorized_keys file must be readable by root during the
> authentication process and some network protocols prevent this
> 
> some hints:
> - try to connect with scp -vvv and have a look at the debug output
> - have a look at the syslog messages on the server
> - as Lupe proposed:
>   start a sshd in debug mode with
>   sshd -ddd -p <some unused port>
>   and connect to this ssh server with
>   scp -vvv -P port
>   this should give you some more information about why the authentication
>   fails
> 
> frank
> 

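The following script is an added example and is not code from anyone in this thread. It puts Ralf's suggestion into concrete form (a central, root-owned `AuthorizedKeysFile` location with a per-user group and group-read-only permissions) and pairs it with a permission check you can run before reaching for Frank's `sshd -ddd` / `scp -vvv` debugging. The directory `/etc/ssh/authorized_keys/` is a constructed choice, not a path from the thread; the `%u` token is the login-name expansion documented in sshd_config(5). The owner is parameterized so the functions can be exercised as a non-root user in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the scponly thread): central AuthorizedKeysFile layout.
# Assumptions: a GNU or BSD `stat`; KEYDIR is a constructed default, not from the thread.

KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys}"

# Emit the sshd_config line that moves key lookup out of the user's home.
# %u is expanded by sshd to the login name (see sshd_config(5)), so the file
# for user "alice" is $KEYDIR/alice. sshd's StrictModes accepts files owned
# by root or by the user, so root ownership works here.
sshd_config_fragment() {
    printf 'AuthorizedKeysFile %s/%%u\n' "$KEYDIR"
}

# Print owner:group:octal-mode for a path, trying GNU stat first, then BSD stat.
file_meta() {
    stat -c '%U:%G:%a' "$1" 2>/dev/null || stat -f '%Su:%Sg:%Lp' "$1"
}

# check_key_file <file> <expected-owner> <expected-group> [mode]
# Returns 0 only if the key file exists with exactly the expected owner,
# group and mode (default 640: owner read/write, group read, nothing for others).
check_key_file() {
    file=$1 want_owner=$2 want_group=$3 want_mode=${4:-640}
    [ -f "$file" ] || { echo "FAIL: $file missing" >&2; return 1; }
    meta=$(file_meta "$file")
    if [ "$meta" = "$want_owner:$want_group:$want_mode" ]; then
        return 0
    fi
    echo "FAIL: $file is $meta, want $want_owner:$want_group:$want_mode" >&2
    return 1
}

# install_key <user> <group> <pubkey-file> [dir] [owner]
# Copies the user's public key into the central directory as $dir/$user,
# owned by $owner (root by default) and the user-specific group, mode 0640,
# then verifies the result. The user cannot modify or replace the file.
install_key() {
    user=$1 group=$2 src=$3 dir=${4:-$KEYDIR} owner=${5:-root}
    mkdir -p "$dir" && chmod 0755 "$dir" || return 1
    cp "$src" "$dir/$user" || return 1
    chown "$owner:$group" "$dir/$user" || return 1
    chmod 0640 "$dir/$user" || return 1
    check_key_file "$dir/$user" "$owner" "$group" 640
}

# Debugging, as suggested in the thread (not executed here):
#   server:  sshd -ddd -p <unused port>
#   client:  scp -vvv -P <unused port> file user@host:
# The server-side output names the exact file sshd opened and any
# ownership/permission reason it refused to use it.
```

Usage: run `sshd_config_fragment >> /etc/ssh/sshd_config` as root, then `install_key scponlyctest scponlyctest-keys /path/to/id_rsa.pub` for each user, and re-run `check_key_file` whenever a login is refused before starting the debug sshd.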