OT: My ssh authorized_keys doesn't work with nfs/nis

Aryeh Friedman aryeh.friedman at gmail.com
Sat Sep 14 11:09:30 UTC 2019


On Sat, Sep 14, 2019 at 6:50 AM Matthew Seaman <matthew at freebsd.org> wrote:

> On 14/09/2019 08:39, Aryeh Friedman wrote:
> > My ~/.ssh/authorized_keys file works fine on a machine that is not in my
> > NIS domain but when I copy my id_rsa.pub (which is what I did to create the
> > non-NIS authorized_keys) to my NIS account and give it the same permissions
> > as the working machine it insists on asking for a password.
> >
> > ssh faraway (non-NIS machine)
> > does not ask for a password
> > but
> > ssh nearby (NIS machine) does
> >
> > Both have identical authorized keys and both (and their parent dirs) are
> > set to 644.  Both machines are FreeBSD 11 and the machine doing the ssh
> > call is FreeBSD 12
> >
>
> Check the ownership / permissions on ~/.ssh on the machine where key
> based auth is not working -- sshd will refuse to use authorized_keys if
> it thinks permissions are too loose.
>

I don't think you can make them any tighter than this and not get errors:

aryeh% id
uid=1001(aryeh) gid=1001(aryeh) groups=1001(aryeh),0(wheel),1003(aegis)
aryeh% ls -ld .ssh
drwx------  2 aryeh  aryeh  512 Sep 14 06:49 .ssh
aryeh% ls -l .ssh
total 16
-rw-------  1 aryeh  aryeh   792 Sep 14 05:02 authorized_keys
-rw-------  1 aryeh  aryeh  1675 Aug 30 11:09 id_rsa
-rw-------  1 aryeh  aryeh   396 Aug 30 11:09 id_rsa.pub
-rw-------  1 aryeh  aryeh   545 Sep 14 03:19 known_hosts


> Also check for authorized_keys related settings in /etc/ssh/sshd_config
> -- it is not uncommon to require authorized_keys to be installed in some
> centralized, root owned directory that individual users don't have write
> access to.
>

I am using the default out of the box /etc/sshd_config for 11 and 12 that
has only two uncommented out configs:

AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/sftp-server

So unless I am reading the first one completely wrong then it uses
~user/.ssh/authorized_keys which is what the ls above is of.


>         Cheers,
>
>         Matthew
>
>

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
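
Added example (not part of the original message): a POSIX sh function that approximates the ownership and mode test sshd applies when StrictModes is on (the default), covering the home directory itself as well as ~/.ssh and authorized_keys. The function name check_strict and the temporary demo directory are constructed for illustration.

```shell
#!/bin/sh
# check_strict HOME_DIR [UID]: approximate sshd's StrictModes test for
# HOME_DIR, HOME_DIR/.ssh and HOME_DIR/.ssh/authorized_keys.
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_strict() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        # ls -ldn works the same on FreeBSD and Linux: field 1 is the
        # mode string, field 3 is the numeric owner.
        set -- $(ls -ldn "$p")
        mode=$1 owner=$3
        # The owner must be the account itself or root.
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER    $p owned by uid $owner, expected $uid or 0"; rc=1
        fi
        # Characters 6 and 9 of the mode string are group-write and other-write.
        case $mode in
            ?????w*|????????w*) echo "WRITABLE $p ($mode) is group/other writable"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed demo: a throwaway "home" with a tight .ssh but a
# group-writable top-level directory.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
chmod 775 "$demo"
check_strict "$demo" || echo "=> key would be ignored under StrictModes"
chmod 755 "$demo"
check_strict "$demo" && echo "=> ownership and modes acceptable"
rm -rf "$demo"
```

Run it on the server as the affected user with `check_strict "$HOME"`; an empty result means ownership and modes are not what is blocking the key.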

