Cannot setup ssh autorized_key for normal user. But for root

Pausentee · 8 May 2023 12:49

Maybe I just have block…

I want to embed a ‘ssh userxy@mydietpiraspi somecmd’ in a script on a remote machine.
For arguments sake lets assume on the remote machine the username is bob.

So on my remote machine I created id_rsa in /home/bob/.ssh/ with ssh-keygen -t rsa
and on my mydietpiraspi edited /etc/ssh/sshd_config lines:
43 PubkeyAuthentication yes
44 AuthorizedKeysFile .ssh/authorized_keys

Then copied public key over with
ssh-copy-id -i /home/bob/.ssh/id_rsa.pub userxy@mydietpiraspi
prompt came for userxy passwd and I logged in successfully.

After that ssh userxy@mydietpiraspi should not prompt for a password.
But it does.
I checked for bob’s public key in userxy .ssh/authorized_keys and it is in there.

If I do the same for root@mydietpiraspi it works.
ssh-copy-id -i /home/bob/.ssh/id_rsa.pub root@mydietpiraspi
Passwd prompt for root shows up, logged in successfully.
Now bob can login as root@mydietpiraspi without being prompted for a passwd.

Why?

Joulinar · 8 May 2023 16:27

was there an issue to fill the troubleshooting template? You are running Dropbear or OpenSSH

We already had some cases where ssh-copy-id was not working correctly. Dropbear Public Key Authentication - #16 by MichaIng

Pausentee · 8 May 2023 19:25

That would be OpenSSH_8.4 on the pi.
On the remote machine where I used ssh-copy-id OpenSSH_7.9

Joulinar · 9 May 2023 08:35

did you check permission on files and filder for /home/userxy/.ssh if they set correctly?

Pausentee · 9 May 2023 09:19

They are as they should be.
the dir is owned by userxy 700
files inside too.
authorized_keys 600
known_hosts 644

Joulinar · 9 May 2023 12:51

can you check format of your public key [SOLVED] SSH PubkeyAuthentication not working - #5 by zenzip

Pausentee · 11 May 2023 13:06

it is fine, a oneliner.
And as said, it works with root, for any user on the remote machine.

homer77 · 9 January 2024 15:48

Some time passed since May but I’m experiencing the same problem on my quite fresh install on a Raspi 4 and the latest dietpi image.

I gave the publickey during installation (dietpi.txt) and found it correctly formatted in the authorized_keys file in root’s and dietpi’s home directory. Despite having configured sshd correspondingly I could still only login with password, not with publickey.
(Btw.: I’m speaking of openssh-server here, not dropbear!)

After I searched a lot after a reason for that I’m continuously receiving Could not open user 'dietpi' authorized keys '.ssh/authorized_keys': Permission denied with debug3 in journalctl and permisson denied at the client. After checking permissions, reading about SELINUX, copying the file in /etc/ssh/keys/dietpi/ with root as owner but still without succes. I now read this post, tried to login with root et voilá! I’m in.

So that’s a workaround as I can now sudo -su dietpi into the less privileged user but of course I don’t want to allow root to ssh forever.

One aspect I had under suspicion was that I encrypted my /home/dietpi with gocryptfs. But as I have my .ssh in $HOME both when it’s mounted and when unmounted - and ssh fails both times that doesn’t seem to be the problem.

I also thought that sshd needed chown root:root to /home/dietpi/.ssh/* but a) can’t I access /home/dietpi as root and b) did I try that with /etc/ssh/keys/authorized_keys and that still didn’t worked.

Would be nice if s.o. with more expertise could take a look at this as I am afraid I fired all my guns now

Joulinar · 9 January 2024 16:27

can you share following

/home/dietpi/.ssh

homer77 · 10 January 2024 20:23

You mean ls -la /home/dietpi/.ssh?

I made .ssh 700 and authorized_keys 600. Both belong to dietpi:dietpi. There’s nothing else in /home/dietpi/.ssh

(Sorry, would have c/p command’s output but I don’t have acces to the machine right now)

Pausentee · 11 January 2024 12:52

It is funny, I just checked and my problem still persists. If I want auto-login I have to login as root since I can’t get it to work for userxy

-rw-------  1 userxy userxy 567 Jan 11 13:42 authorized_keys
-rw-------  1 userxy userxy 2602 Jun  8  2023 id_rsa
-rw-r--r--  1 userxy userxy 566 Jun  8  2023 id_rsa.pub

Interesstingly I should say that I have a second Pi setup that works as expected but I still cant find the difference.

Joulinar · 11 January 2024 21:11

hmm I tried on various systems and on all of them I’m able to login as user dietpi using ssh keys

Jan 11 21:57:04 DietPi sshd[552]: Accepted publickey for dietpi from 192.168.0.93 port 51935 ssh2: RSA SHA256:z.kzI
Jan 11 21:57:04 DietPi sshd[552]: pam_unix(sshd:session): session opened for user dietpi(uid=1000) by (uid=0)

furthermore I create a stupid dummy user named demouser

root@DietPi: adduser demouser
Adding user `demouser' ...
Adding new group `demouser' (1001) ...
Adding new user `demouser' (1001) with group `demouser (1001)' ...
Creating home directory `/home/demouser' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for demouser
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
Adding new user `demouser' to supplemental / extra groups `users' ...
Adding user `demouser' to group `users' ...
root@DietPi:

Afterwards I simply sored my authorized_keys file within home directory of this user

root@DietPi:~# ls -la /home/demouser/.ssh/
total 12
drwxr-xr-x 2 root     root     4096 Jan 11 22:03 .
drwx------ 3 demouser demouser 4096 Jan 11 22:03 ..
-rw-r--r-- 1 root     root      393 Jan 15  2022 authorized_keys
root@DietPi:~#

As well it seems permissions doesn’t matter. I simply created the file with root user.

And it’s working ootb.

Jan 11 22:03:25 DietPi sshd[646]: Accepted publickey for demouser from 192.168.0.93 port 52157 ssh2: RSA SHA256:z.I
Jan 11 22:03:25 DietPi sshd[646]: pam_unix(sshd:session): session opened for user demouser(uid=1001) by (uid=0)

Question: did you guys used a new key or is it an older one. On Debian Bookworm, some old keys are not accepted anymore.

homer77 · 12 January 2024 16:21

Mine is not fresh. It’s a reuse of the one I use on my current server. But … wait! It works with root and the same key - so that’s not the reason I would assume.

Joulinar · 12 January 2024 16:27

for testing you could create a new pair. Did you already checked ssh server logs while trying to connect?

Pausentee · 13 January 2024 16:20

I created a new key which is present in remote hosts authorized keys file.

-rw-------  1 userxy userxy 2602 11. Jan 13:56 id_rsa
-rw-r--r--  1 userxy userxy 565 11. Jan 13:56 id_rsa.pub

Joulinar · 14 January 2024 10:38

and did you already checked logs on server side while trying to connect?

Pausentee · 14 January 2024 11:19

Interesting, the message is: Authentication refused: bad ownership or modes for directory /home/userxy

Ownership seems ok though.

Joulinar · 14 January 2024 11:24

how does it looks

ls -la /home/userxy

and can you share more system details

Required

DietPi version | cat /boot/dietpi/.version
Distro version | echo $G_DISTRO_NAME $G_RASPBIAN
Kernel version | uname -a
Architecture | dpkg --print-architecture
SBC model | echo $G_HW_MODEL_NAME or (EG: RPi3)

Pausentee · 14 January 2024 11:31

I found it.
/home/userxy was 777 instead of 755

Thanks to you, I have checked that bloody log.
No idea why I didn’t do that before.
Interesting that ssh refuses to login to an open directory because keys could have been compromised by anybody.
But logical.

Have a nice weekend

system · 13 April 2024 11:32

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.