SSH NFSv4 ACL Passwordless Login

Status
Not open for further replies.

Binary Buddha

Contributor
Joined
Mar 6, 2016
Messages
126
Can somebody that has passwordless SSH working post the getfacl output for their .ssh directory and .ssh/authorized_keys2 file?

I may or may not have screwed the permissions up when I had to rebuild the server. I know that it was working at some point.

My traditional UNIX permissions are as follows:
drw------- 2 binary binary 5 Aug 30 23:37 .ssh/
-rw-r----- 1 binary binary 396 Aug 30 23:37 .ssh/authorized_keys2
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Code:
[root@poweredge] ~# getfacl .ssh
# file: .ssh
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
        everyone@:r-x---a-R-c--s:------:allow
[root@poweredge] ~# getfacl .ssh/authorized_keys
# file: .ssh/authorized_keys
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:------:allow
            group@:r-----a-R-c--s:------:allow
        everyone@:r-----a-R-c--s:------:allow
 

Binary Buddha

Contributor
Joined
Mar 6, 2016
Messages
126
Code:
[root@poweredge] ~# getfacl .ssh
# file: .ssh
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
        everyone@:r-x---a-R-c--s:------:allow
[root@poweredge] ~# getfacl .ssh/authorized_keys
# file: .ssh/authorized_keys
# owner: root
# group: wheel
            owner@:rw-p--aARWcCos:------:allow
            group@:r-----a-R-c--s:------:allow
        everyone@:r-----a-R-c--s:------:allow


Nope... That didn't work... Now I can't access .ssh....

Can you get me getfacl -d .ssh?

Old NFSv4 ACLs
# file: .ssh/
# owner: binary
# group: binary
owner@:rw-p--aARWcCos:-------:allow
group@:------a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
# file: .ssh/authorized_keys2
# owner: binary
# group: binary
owner@:rw-p--aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
New NFSv4 ACLs
# file: .ssh/
# owner: binary
# group: binary
owner@:rw-p--aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
# file: .ssh/authorized_keys2
# owner: binary
# group: binary
owner@:rw-p--aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Code:
[root@poweredge] ~# getfacl -d .ssh
getfacl: .ssh: there are no default entries in NFSv4 ACLs
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
Why do you have an authorized_keys2 file?
Code:
[root@poweredge] ~# ls -al .ssh/
total 10
drwxr-xr-x  2 root  wheel     6 Mar 12 18:03 ./
drwxr-xr-x  3 root  wheel    19 Aug 14 13:56 ../
-rw-r--r--  1 root  wheel   762 Feb 19  2016 authorized_keys
-rw-------  1 root  wheel  1679 Mar 12 16:31 id_rsa
-rw-r--r--  1 root  wheel   402 Mar 12 16:31 id_rsa.pub
-rw-r--r--  1 root  wheel  1913 Jul  4 14:05 known_hosts
 

Binary Buddha

Contributor
Joined
Mar 6, 2016
Messages
126
Why do you have an authorized_keys2 file?
Code:
[root@poweredge] ~# ls -al .ssh/
total 10
drwxr-xr-x  2 root  wheel     6 Mar 12 18:03 ./
drwxr-xr-x  3 root  wheel    19 Aug 14 13:56 ../
-rw-r--r--  1 root  wheel   762 Feb 19  2016 authorized_keys
-rw-------  1 root  wheel  1679 Mar 12 16:31 id_rsa
-rw-r--r--  1 root  wheel   402 Mar 12 16:31 id_rsa.pub
-rw-r--r--  1 root  wheel  1913 Jul  4 14:05 known_hosts


authorized_keys2 is for Protocol 2 of SSH. It works for Freenas.
 

Binary Buddha

Contributor
Joined
Mar 6, 2016
Messages
126
Code:
[root@poweredge] ~# getfacl -d .ssh
getfacl: .ssh: there are no default entries in NFSv4 ACLs


*Scratches Head* Hmmm... That's what I get too.

So, starting from scratch again: rm -rf ~/.ssh and re-adding the public key through the FreeNAS web GUI for my account, to satisfy the "why aren't you doing it from the GUI" crowd and those that don't quite know about SSH Protocol 2. After that, I shut down the SSH service via the web GUI and added
Code:
LogLevel DEBUG3
in the "Extra Options" section of the service, because apparently FreeNAS overwrites anything you put in /etc/ssh/sshd_config from the command line. As per /etc/syslog.conf, the output is sent to /var/log/debug.log. "Normally" it would be sent to /var/log/auth.log, /var/log/messages, or /var/log/secure. After attempting to log in via SSH key I get the output in the attached file. In that bunch of yada yada yada and blah blah, the lines of significance are as follows:

Sep 2 02:24:53 abyss sshd[12376]: debug3: mm_answer_keyallowed: key 0x8040165c0 is not allowed
Sep 2 02:24:53 abyss sshd[12376]: debug3: mm_request_send entering: type 23
Sep 2 02:24:53 abyss sshd[12376]: debug1: trying public key file /mnt/MAIN/HOME/binary/.ssh/authorized_keys
Sep 2 02:24:53 abyss sshd[12376]: debug1: fd 4 clearing O_NONBLOCK
Sep 2 02:24:53 abyss sshd[12376]: debug1: trying public key file /mnt/MAIN/HOME/binary/.ssh/authorized_keys2
Sep 2 02:24:53 abyss sshd[12376]: debug1: Could not open authorized keys '/mnt/MAIN/HOME/binary/.ssh/authorized_keys2': No such file or directory
Sep 2 02:24:53 abyss sshd[12376]: debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
Sep 2 02:24:53 abyss sshd[12376]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]


Possibility of sshd not reading it due to permissions. I attempted chmod -R 600 ~/.ssh and get "chmod: .ssh/authorized_keys: Operation not permitted", which I believe is NFSv4 ACLs being a boinker. However, if I modify the NFSv4 ACLs to what Mr. Trevellyan has, my user account can no longer access the .ssh directory.

... WTF Over...
 

Attachments: debug.txt (17.8 KB)
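An added check, not from this thread or from FreeNAS, that parses getfacl's NFSv4 output as posted above and applies the tests sshd's StrictModes makes on the mode bits derived from these entries (no group/everyone write), plus whether the owner can read the file and search the directory. The sample ACLs are copied from the posts above (root's .ssh and the user's "Old" .ssh); the helper names are my own.

```python
import re

# One NFSv4 ACE as FreeBSD getfacl prints it (format taken from the thread's output):
#   owner@:rwxp--aARWcCos:------:allow
# fields: principal : 14 permission letters : inheritance flags : allow|deny
ACE_RE = re.compile(
    r"^\s*(owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":([a-zA-Z-]{14}):([a-zA-Z-]+):(allow|deny)\s*$"
)

def parse_nfsv4_acl(text):
    """Return [(principal, set of permission letters, 'allow'|'deny')]; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group(1), set(m.group(2)) - {"-"}, m.group(4)))
    return aces

def check_ssh_acl(text, is_dir):
    """Problems that make sshd (StrictModes yes) reject or fail to read the path.
    r = read_data, x = execute/search, w = write_data, p = append_data."""
    problems = []
    for who, perms, kind in parse_nfsv4_acl(text):
        if kind != "allow":
            continue
        if who == "owner@":
            if "r" not in perms:
                problems.append("owner@ has no read (r)")
            if is_dir and "x" not in perms:
                problems.append("owner@ has no search (x) on the directory")
        elif perms & {"w", "p"}:
            problems.append(f"{who} may write (w/p)")
    return problems

# Working root example from the thread (directory) and the user's "Old" .ssh ACL.
ROOT_SSH_DIR = """\
# file: .ssh
            owner@:rwxp--aARWcCos:------:allow
            group@:r-x---a-R-c--s:------:allow
        everyone@:r-x---a-R-c--s:------:allow
"""
USER_SSH_DIR_OLD = """\
# file: .ssh/
owner@:rw-p--aARWcCos:-------:allow
group@:------a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    print("root .ssh:", check_ssh_acl(ROOT_SSH_DIR, is_dir=True) or "ok")
    print("user .ssh:", check_ssh_acl(USER_SSH_DIR_OLD, is_dir=True) or "ok")
```

Run it against the output of `getfacl ~/.ssh` and `getfacl ~/.ssh/authorized_keys` on the affected account; an empty list means the ACL alone would not stop sshd.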

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
You need to have UNIX permissions on the dataset that holds your user home directories. You currently have it set to windows permissions. Delete the dataset and start over.

Sent from my Nexus 5X using Tapatalk
 

Binary Buddha

Contributor
Joined
Mar 6, 2016
Messages
126
You need to have UNIX permissions on the dataset that holds your user home directories. You currently have it set to windows permissions. Delete the dataset and start over.

Sent from my Nexus 5X using Tapatalk


Uh... Yeah, no.... I can't delete the data and I don't have enough room to copy it somewhere.


Sent from my iPhone using Tapatalk
 

Binary Buddha

Contributor
Joined
Mar 6, 2016
Messages
126
You need to have UNIX permissions on the dataset that holds your user home directories. You currently have it set to windows permissions. Delete the dataset and start over.

Sent from my Nexus 5X using Tapatalk


Yep, that didn't work. Created a new dataset and a user homed to that dataset, and it didn't work.


Sent from my iPhone using Tapatalk
 