EDIT: The issue as exposed here is solved (it was about the file modes of the .ssh folder). But another issue persists, so I created a new question: Unable to login with SSH-RSA key
I can no longer connect with an ssh-rsa key for a specific user, but it still works for other users.
The git user is defined as follows:
    # cat /etc/passwd | grep git
    git:x:1002:1002:,,,:/var/git:/bin/bash
So you will have noticed that this is the git user, thus its home is /var/git; it's not in /home.
Now, ssh always prompts me for a password:
    $ ssh git@srv
    git@srv's password:
I checked the logs:
    # tail -n 1 /var/log/auth.log
    [...] Authentication refused: bad ownership or modes for file /var/git/.ssh/authorized_keys
So authorized_keys has some ownership or mode misconfiguration.
I don't understand, because here is the configuration for this file:
    # ls -l /var/git/.ssh/ | grep auth
    -rw-rw-r-- 1 git git 394 mai 22 17:39 authorized_keys
And here is (in case…) the parent .ssh dir:
    # ls -al /var/git/ | grep ssh
    drwxrwxr-x 2 git git 4096 mai 22 17:39 .ssh
And the $HOME directory:

    # ls -l /var/ | grep git
    drwxr-xr-x 7 git git 4096 mai 27 10:49 git
So the owners are always git, as are the owning groups. And the files are readable, so where could the trick be?
Answers:
Method 1
The problem is the fact that file and directory permissions do not meet the requirements of StrictModes, which in OpenSSH is yes by default and should not be changed. Try setting the permissions of authorized_keys to 0600 and the .ssh directory to 0700.
    # chmod 0700 .../.ssh/
    # chmod 0600 .../.ssh/authorized_keys
Note that the ... will differ based on installation (e.g., in this question it is /var/git/ but for users it will be /home/username/).
Method 2
For reasons of paranoia, the .ssh directory and authorized_keys must not be group-writable. I guess the thinking is, the user must be the only one with explicit control over his/her authorization. I believe a workaround for this lies with ACL. The other workaround is the StrictModes=no setting in sshd's configuration file. But it would be too dangerous to do that for the sake of one user.
P.S. your ls -l /var | grep git is more concisely done as ls -ld /var/git
Method 3
The $HOME/.ssh directory mode must be 700 and authorized_keys should be readable by the owner only, i.e. mode 600:
    chmod u=rwx,g=,o= /var/git/.ssh
    chmod u=rw,g=,o= /var/git/.ssh/authorized_keys
As to the private key, it must be read-write-able by the owner only:
    chmod u=rw,g=,o= /var/git/.ssh/id_?sa
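Added example (not part of any answer above): a Python approximation of the StrictModes rule the answers describe, which walks from authorized_keys up to the home directory and reports every path that is group- or other-writable or owned by someone other than the user or root. The names `strictmodes_findings` and `demo` are hypothetical, and the temporary directory tree is a constructed copy of the modes shown in the question.

```python
import os
import shutil
import stat
import tempfile


def strictmodes_findings(key_file, home, uid):
    """List (path, reason) pairs that would trip the StrictModes check.

    Approximation of sshd's rule: the key file and every directory from it
    up to the home directory must be owned by `uid` or root and must not be
    writable by group or others (mode & 022 == 0).
    """
    findings = []
    home = os.path.realpath(home)
    path = os.path.realpath(key_file)
    while True:
        st = os.stat(path)
        if st.st_uid not in (0, uid):
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & 0o022:
            findings.append((path, "mode %04o is group/other writable"
                             % stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(path)
        if path == home or parent == path:  # stop at home, or at / if outside it
            return findings
        path = parent


def demo():
    """Rebuild the question's layout in a temp dir (constructed sample)."""
    home = tempfile.mkdtemp()
    try:
        ssh_dir = os.path.join(home, ".ssh")
        key_file = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        open(key_file, "w").close()
        os.chmod(home, 0o755)       # drwxr-xr-x, as in the question
        os.chmod(ssh_dir, 0o775)    # drwxrwxr-x, as in the question
        os.chmod(key_file, 0o664)   # -rw-rw-r--, as in the question
        before = strictmodes_findings(key_file, home, os.getuid())
        os.chmod(ssh_dir, 0o700)    # the fix from Method 1
        os.chmod(key_file, 0o600)
        after = strictmodes_findings(key_file, home, os.getuid())
        return before, after
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

On a real host, call `strictmodes_findings("/var/git/.ssh/authorized_keys", "/var/git", 1002)` with the uid from /etc/passwd; an empty list means the modes and ownership along that path are not what the log message is complaining about.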
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.