trying to get sftp-only logins to work with public keys

tech-lists tech-lists at zyxst.net
Thu May 24 11:09:28 UTC 2018


Hello list,

I'm trying to get (chrooted) sftp login working with public keys. I made 
an sftp-only user which works fine, and is chrooted. I created a .ssh 
directory with 770 perms (root:user) and put their public key in there 
with 600 perms (user:user); however, when trying pubkey auth it always 
falls back to keyboard-interactive (which will succeed when the password 
is applied). I don't know why in key exchange it says it sent a packet 
and then didn't. Can anyone help please?

Context is recent freebsd-11-stable, both client and server.

I have this in /etc/ssh/sshd_config:

Subsystem sftp internal-sftp

Match User testsftp
ChrootDirectory /usr/home/testsftp
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /usr/home/testsftp/.ssh/authorized_keys
ForceCommand internal-sftp

permissions in the test user's .ssh dir are like this:

drwxrwx---  2 root      testsftp   512B May 24 10:51 .
drwxr-xr-x  5 root      testsftp   512B May 24 10:35 ..
-rw-------  1 testsftp  testsftp   105B May 24 11:49 authorized_keys

here is the -v -v debug output from ssh client:

debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/REDACTED/.ssh/id_rsa (0x0)
debug2: key: /home/REDACTED/.ssh/id_dsa (0x0)
debug2: key: /home/REDACTED/.ssh/id_ecdsa (0x0)
debug2: key: /home/REDACTED/.ssh/id_ed25519 (0x802015240)
debug1: SSH2_MSG_EXT_INFO received
debug1: Fssh_kex_input_ext_info: 
server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/REDACTED/.ssh/id_rsa
debug1: Trying private key: /home/REDACTED/.ssh/id_dsa
debug1: Trying private key: /home/REDACTED/.ssh/id_ecdsa
debug1: Offering ED25519 public key: /home/REDACTED/.ssh/id_ed25519
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password for testsftp at REDACTED:

thanks,
-- 
J.
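The client-side pattern above ("Offering ED25519 public key" followed by "we did not send a packet, disable method") is what a client sees whenever sshd rejects the offered key; the reason is only logged on the server. One common reason with StrictModes enabled (the default) is the ownership and mode check sshd applies to the AuthorizedKeysFile path: the file and every directory from it up to the user's home directory must be owned by root or by the user and must not be group- or world-writable, otherwise sshd logs "bad ownership or modes" and ignores the key. A directory with mode 770, as in the listing above, fails that check. The script below is an added example, not part of the original post and not OpenSSH's code: it re-implements that walk in portable sh so the layout can be verified on the server before reading client debug output. The user and paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example (not sshd's code): walks an AuthorizedKeysFile path the way
# sshd's StrictModes check does, from the key file up to the user's home
# directory, and reports any component that is not owned by root or the user,
# or that is group- or world-writable (the 022 mask sshd tests). Any such
# component makes sshd refuse the key with "bad ownership or modes".
#
# Usage: check_keyfile_perms USER KEYFILE HOMEDIR
# Prints each offending component; returns 0 if clean, 1 if not, 2 on error.
check_keyfile_perms() {
    user=$1
    path=$2
    home=$3
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 2; }
    rc=0
    while :; do
        # ls -ldn is portable between GNU and BSD ls: field 1 is the mode
        # string, field 3 the numeric owner.
        info=$(ls -ldn "$path" 2>/dev/null) || { echo "cannot stat $path"; return 2; }
        set -- $info
        mode=$1
        owner=$3
        # Character 6 of the mode string is the group write bit,
        # character 9 the other (world) write bit.
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
            echo "bad owner (uid $owner, expected 0 or $uid): $path"
            rc=1
        fi
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "bad mode ($mode, group/world writable): $path"
            rc=1
        fi
        # sshd stops once the home directory itself has been checked (or at /),
        # so world-writable ancestors such as /tmp are not flagged.
        if [ "$path" = "$home" ] || [ "$path" = / ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $rc
}

# Run against the layout from the post when invoked with arguments, e.g.
#   sh check_keyfile_perms.sh testsftp /usr/home/testsftp/.ssh/authorized_keys /usr/home/testsftp
if [ $# -eq 3 ]; then
    check_keyfile_perms "$@"
fi
```

Passing the home directory as the third argument matters: sshd compares each component against the user's home and stops there, which is why the sticky, world-writable /tmp above a test tree is not a finding while a group-writable .ssh inside the home is. The ChrootDirectory itself has a separate requirement (root-owned, not group/world-writable), which the listing above already satisfies for /usr/home/testsftp.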


More information about the freebsd-questions mailing list