OT: My ssh authorized_keys doesn't work with nfs/nis
Aryeh Friedman
aryeh.friedman at gmail.com
Sat Sep 14 11:09:30 UTC 2019
On Sat, Sep 14, 2019 at 6:50 AM Matthew Seaman <matthew at freebsd.org> wrote:
> On 14/09/2019 08:39, Aryeh Friedman wrote:
> > My ~/.ssh/authorized_keys file works fine on a machine that is not in my
> > NIS domain but when I copy my id_rsa.pub (which is what I did to create the
> > non-NIS authorized_keys) to my NIS account and give it the same permissions
> > as the working machine it insists on asking for a password.
> >
> > ssh faraway (non-NIS machine)
> > does not ask for a password
> > but
> > ssh nearby (NIS machine) does
> >
> > Both have identical authorized keys and both (and their parent dirs) are
> > set to 644. Both machines are FreeBSD 11 and the machine doing the ssh
> > call is FreeBSD 12
> >
>
> Check the ownership / permissions on ~/.ssh on the machine where key
> based auth is not working -- sshd will refuse to use authorized_keys if
> it thinks permissions are too loose.
>
I don't think you can make them any tighter than this and not get errors:
aryeh% id
uid=1001(aryeh) gid=1001(aryeh) groups=1001(aryeh),0(wheel),1003(aegis)
aryeh% ls -ld .ssh
drwx------ 2 aryeh aryeh 512 Sep 14 06:49 .ssh
aryeh% ls -l .ssh
total 16
-rw------- 1 aryeh aryeh 792 Sep 14 05:02 authorized_keys
-rw------- 1 aryeh aryeh 1675 Aug 30 11:09 id_rsa
-rw------- 1 aryeh aryeh 396 Aug 30 11:09 id_rsa.pub
-rw------- 1 aryeh aryeh 545 Sep 14 03:19 known_hosts
> Also check for authorized_keys related settings in /etc/ssh/sshd_config
> -- it is not uncommon to require authorized_keys to be installed in some
> centralized, root owned directory that individual users don't have write
> access to.
>
I am using the default out of the box /etc/sshd_config for 11 and 12 that
has only two uncommented out configs:
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/sftp-server
So unless I am reading the first one completely wrong then it uses
~user/.ssh/authorized_keys which is what the ls above is of.
> Cheers,
>
> Matthew
>
>
--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
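
The permissions check suggested in the quoted reply, as an added example that is not part of the original thread: a shell function approximating the ownership and mode test that sshd applies under StrictModes (on by default), which covers the home directory itself as well as ~/.ssh and authorized_keys. The function names and script name are hypothetical, and only the default AuthorizedKeysFile location shown in the message is handled.

```shell
#!/bin/sh
# Added example (not from the thread). USER may be a login name or numeric uid.

# path_ok PATH USER: succeed only if PATH exists, is owned by USER or root,
# and is not group- or world-writable (the mode & 022 test).
path_ok() {
    _p=$1 _u=$2
    if [ ! -e "$_p" ]; then
        echo "MISSING  $_p"; return 1
    fi
    # find -prune examines only the path itself; unlike stat(1), its
    # syntax is the same on FreeBSD and Linux. -L resolves symlinks.
    if [ -z "$(find -L "$_p" -prune \( -user "$_u" -o -user 0 \) -print)" ]; then
        echo "OWNER    $_p is not owned by $_u or root"; return 1
    fi
    if [ -n "$(find -L "$_p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE $_p is group- or world-writable"; return 1
    fi
    return 0
}

# check_strictmodes HOME USER: test HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys (the default AuthorizedKeysFile location).
# Returns the number of paths that failed, so 0 means all three passed.
check_strictmodes() {
    _home=$1 _bad=0
    for _f in "$_home" "$_home/.ssh" "$_home/.ssh/authorized_keys"; do
        path_ok "$_f" "$2" || _bad=$((_bad + 1))
    done
    return "$_bad"
}

# Script use: sh strictcheck.sh /path/to/home username
if [ $# -eq 2 ]; then
    check_strictmodes "$1" "$2" && echo "all paths pass"
fi
```

Run it on the machine where key authentication fails, against the home directory as that machine sees it, since an NFS-mounted home can present different ownership there than on the file server.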