Public key authorization in the chroot sftp directory

I want to add public key authorization to my chroot sftp directory, but I always get:

 debug1: Next authentication method: publickey
 debug1: Offering RSA public key: /home/test/.ssh/id_rsa
 debug3: send_pubkey_test
 debug2: we sent a publickey packet, wait for reply
 debug1: Authentications that can continue: publickey
 debug2: we did not send a packet, disable method
 debug1: No more authentication methods to try.
 Permission denied (publickey).
 Couldn't read packet: Connection reset by peer

Chroot works because authorization with a password is possible. I have another account on this host without chroot, and it works with this key. I tried many times, but still it doesn’t work.

On the server in auth.log there is only: Connection closed xxx [preauth]

This is my directory:

 ls -laR /sftp/
 /sftp/:
 total 12
 drwxr-xr-x  3 root   root      4096 May  3 16:55 .
 drwxr-xr-x 23 root   root      4096 May  3 14:46 ..
 drwxr-xr-x  3 root   root      4096 May  3 16:45 backup
 /sftp/backup:
 total 12
 drwxr-xr-x  3 root   root      4096 May  3 16:45 .
 drwxr-xr-x  3 root   root      4096 May  3 16:55 ..
 drwxr-xr-x  3 backup sftpusers 4096 May  3 16:55 incoming
 /sftp/backup/incoming:
 total 12
 drwxr-xr-x  3 backup sftpusers 4096 May  3 16:55 .
 drwxr-xr-x  3 root   root      4096 May  3 16:45 ..
 drwx------  2 backup sftpusers 4096 May  3 21:06 .ssh
 /sftp/backup/incoming/.ssh:
 total 12
 drwx------  2 backup sftpusers 4096 May  3 21:06 .
 drwxr-xr-x  3 backup sftpusers 4096 May  3 16:55 ..
 -rw-------  1 backup sftpusers  391 May  3 21:06 authorized_keys

My user:

 backup:x:1002:1003::/incoming:/usr/sbin/nologin 

My ssh configuration:

 Match Group sftpusers
     ChrootDirectory /sftp/%u
     AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys
     ForceCommand internal-sftp
     AllowTcpForwarding no
     X11Forwarding no

Please, help.

linux ssh sftp chroot
2 answers

I tried this solution (by putting AuthorizedKeysFile in the Match block) and sshd -T complains:

 /etc/ssh/sshd_config line 153: Directive 'AuthorizedKeysFile' is not allowed within a Match block 

(RHEL 6.6, openssh 5.3p1-104)

SOLUTION: The authorized_keys file (and the user's .ssh directory) must exist in the home directory location specified by /etc/passwd, outside the chroot directory.

For example (using the OP's uids/usernames):
/etc/passwd:

 backup:x:1002:1003::/home/backup:/sbin/nologin 

Create a root directory /home/backup.
Create a directory /home/backup/.ssh, change its ownership to backup, chmod 700 /home/backup/.ssh.
Copy the authorized_keys file to /home/backup/.ssh, chmod 400 authorized_keys.

 ls -laR /home
 /home:
 total 12
 drwxr-xr-x 3 root   root      4096 Jul  9 12:25 .
 drwxr-xr-x 3 root   root      4096 Sep 22  2014 ..
 drwxr-xr-x 3 root   root      4096 Jul  9 12:25 backup
 /home/backup:
 total 12
 drwxr-xr-x 3 root   root      4096 Jul  9 12:25 .
 drwxr-xr-x 3 root   root      4096 Jul  9 12:25 ..
 drwx------ 3 backup sftpusers 4096 Jul  9 12:28 .ssh
 /home/backup/.ssh:
 total 12
 drwx------ 3 backup sftpusers 4096 Jul  9 12:28 .
 drwxr-xr-x 3 root   root      4096 Jul  9 12:25 ..
 -r-------- 3 backup sftpusers  391 Jul  9 12:29 authorized_keys

/etc/ssh/sshd_config becomes:

 Match Group sftpusers
     ChrootDirectory /sftp/%u
     ForceCommand internal-sftp
     AllowTcpForwarding no
     X11Forwarding no

The chroot directory structure:

 ls -laR /sftp/
 /sftp/:
 total 12
 drwxr-xr-x  3 root   root      4096 May  3 16:55 .
 drwxr-xr-x 23 root   root      4096 May  3 14:46 ..
 drwxr-xr-x  3 root   root      4096 May  3 16:45 backup
 /sftp/backup:
 total 12
 drwxr-xr-x  3 root   root      4096 May  3 16:45 .
 drwxr-xr-x  3 root   root      4096 May  3 16:55 ..
 drwxr-xr-x  3 backup sftpusers 4096 May  3 16:55 incoming
 drwxr-xr-x  3 root   root      4096 May  3 16:55 home
 /sftp/backup/incoming:
 total 12
 drwxr-xr-x  3 backup sftpusers 4096 May  3 16:55 .
 drwxr-xr-x  3 root   root      4096 May  3 16:45 ..
 /sftp/backup/home:
 total 12
 drwxr-xr-x  3 root   root      4096 May  3 16:55 .
 drwxr-xr-x  3 root   root      4096 May  3 16:45 ..
 drwx------  2 backup sftpusers 4096 May  3 21:06 backup
 /sftp/backup/home/backup:
 total 12
 drwx------  3 backup sftpusers 4096 May  3 21:06 .
 drwxr-xr-x  3 root   root      4096 May  3 16:55 ..

Note: /sftp/backup/home/backup is empty; it is only there so that a path exists that looks like the non-chroot /home/backup. The .ssh directory is /home/backup/.ssh, not /sftp/backup/home/backup/.ssh.

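An audit script, added here as an example and not code from either answer, that checks the layout described above: it expands ChrootDirectory for the user, confirms every directory on that path is root-owned and not group/world writable, and confirms the key file sits under the passwd home directory with the permissions sshd's StrictModes expects. The file name audit.sh and the function names are my own; it assumes GNU stat and getent.

```shell
#!/bin/sh
# Added example (not from either answer): audit the layout the answer above describes.
# sshd reads AuthorizedKeysFile before the chroot is entered, so the key file is looked
# up on the real filesystem under the passwd(5) home directory, while the ChrootDirectory
# tree must be root-owned and not group/world writable. Assumes GNU stat and getent.

# Expand the %u (user) and %h (home) tokens accepted by ChrootDirectory.
expand_chroot() {  # expand_chroot PATTERN USER HOME
  printf '%s\n' "$1" | sed -e "s|%u|$2|g" -e "s|%h|$3|g"
}

# Field 6 of a passwd(5) line: where sshd looks for .ssh/authorized_keys.
passwd_home() { printf '%s\n' "$1" | cut -d: -f6; }

# A ChrootDirectory path component passes only if root owns it and neither the
# group nor the others digit of the octal mode carries the write bit (2).
chroot_dir_ok() {  # chroot_dir_ok OWNER OCTAL_MODE
  [ "$1" = root ] || return 1
  tail=${2#"${2%??}"}                     # last two octal digits: group, others
  case $tail in *[2367]*) return 1 ;; esac
  return 0
}

# StrictModes: ~/.ssh must be 700 and authorized_keys 600 or 400, both owned by the user.
ssh_dir_ok() { [ "$1" = "$2" ] && [ "$3" = 700 ]; }                        # USER OWNER MODE
keyfile_ok() { [ "$1" = "$2" ] && { [ "$3" = 600 ] || [ "$3" = 400 ]; }; }  # USER OWNER MODE

# Walk one user's setup and report the first violation; exit status 0 means all checks passed.
audit_user() {  # audit_user USER CHROOT_PATTERN
  user=$1
  line=$(getent passwd "$user") || { echo "no passwd entry for $user"; return 1; }
  home=$(passwd_home "$line")
  chroot=$(expand_chroot "$2" "$user" "$home")
  d=$chroot
  while [ "$d" != / ]; do                 # sshd checks every component up to /
    chroot_dir_ok $(stat -c '%U %a' "$d" 2>/dev/null) \
      || { echo "$d: must exist, be root-owned and not group/world writable"; return 1; }
    d=$(dirname "$d")
  done
  ssh_dir_ok "$user" $(stat -c '%U %a' "$home/.ssh" 2>/dev/null) \
    || { echo "$home/.ssh: must be owned by $user with mode 700"; return 1; }
  keyfile_ok "$user" $(stat -c '%U %a' "$home/.ssh/authorized_keys" 2>/dev/null) \
    || { echo "$home/.ssh/authorized_keys: must be owned by $user with mode 600 or 400"; return 1; }
  echo "$user: chroot $chroot ok; keys are read from $home/.ssh/authorized_keys (outside the chroot)"
}

# Usage: sh audit.sh backup '/sftp/%u'
if [ $# -gt 0 ]; then audit_user "$1" "${2:-/sftp/%u}"; fi
```

Run it as root on the server after applying the answer; with the OP's original passwd entry (home /incoming) it stops at the missing /incoming/.ssh, which is the failure the debug output shows.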

The problem is resolved.

I changed it from:

 AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys

to:

 AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys

