FreeNAS 11.2-U4 - SSH: permission denied (publickey)

maniyer

I'm trying to set up SSH on my FreeNAS setup but no matter what I do, I cannot get a user to log in. Root is the only user that connects successfully. All other users get the 'permission denied (publickey)'.

I have tried everything from the following thread but I still can't get it to work: https://www.ixsystems.com/community/threads/freenas-11-ssh-permission-denied-publickey.59762/

I'm fairly new to FreeNAS, so not sure what I'm doing wrong. Please, I need clear step by step instructions because the previous thread above isn't very clear on where and what to do. I have attached the logs and user settings so you can see what I'm getting.
I'm on version 11.2-U4
 


maniyer

An update on this situation: any user can log in when 'Allow password authentication' is switched on, but I would like to avoid using password authentication for security reasons. How do I get the public key to work with non-root users? I have attached another screen grab to show my findings.
 


proto

auth.log is your friend, please check on the server side!
Anyway, I think you have bad permissions... unflag Write for Group permission and try again with your key auth.
 

maniyer

I agree I probably have bad permissions, but how do I fix them? I have un-flagged 'Write for Group' and saved it, but when I go back in, it's still flagged. I have also tried to create a brand new test user and the problem persists. auth.log reports 'Authentication refused: bad ownership or modes for file /mnt/LIFE/Maniyer4/.ssh/authorized_keys'
 

proto

as root
chmod 755 /mnt/LIFE/Maniyer4 # should fix, but it's still too open

You can't su as your user is not in the wheel group.

Note:
/mnt/LIFE should have 755 permissions (owner:group --> usually root:wheel)
Maniyer4 homedir can be more restrictive, my homedir is usually 700, so other users cannot read my files/directories.
 

cJZ

If you just want to forgo troubleshooting, unset StrictModes in /etc/ssh/sshd_config
Code:
nano /etc/ssh/sshd_config
StrictModes no


I know it doesn't help much, but if you're the only user and your appliance is firewalled, I can't see it do much harm.
 

danb35

The "operation not permitted" errors tell me that the user's home directory is on a dataset with Windows permissions. Change that to Unix permissions and then you should be able to run the chmod commands to set the appropriate permissions, which is almost certainly what's going on.
 

proto

The "operation not permitted" errors tell me that the user's home directory is on a dataset with Windows permissions.

Oh! The OP set "permit sudo", I didn't notice.

I have a "windows" Dataset but I can login with no issue, until I change the homedir permission from "default" 755 to 775. Write for group on homedir is not allowed by SSH using auth keys. It fails even with Unix permissions.

root@bestia[/mnt/Edge0/Private/Common]# ls -ltr
total 34
-rw-r--r-- 1 root wheel 0 Jun 27 06:46 .windows
drwxrwxr-x 3 pluto pluto 12 Jun 27 07:20 pluto
drwxr-xr-x 3 pippo pippo 12 Jun 27 07:22 pippo



where:
Common is a "nested" dataset with Windows permissions.
pluto --> I cannot login because of "bad ownership" error with auth keys, but I can access with password as SSH falls back to password auth.
Authentication refused: bad ownership or modes for directory /mnt/Edge0/Private/Common/pluto
pippo --> I can login with no issue.

That "Authentication refused: bad ownership or modes..." error is the key.
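
The check behind that error, as an added example that is not part of the thread and is not OpenSSH's own code: with StrictModes enabled, sshd refuses a key file when the file or any directory between it and the home directory (inclusive) is group- or world-writable, or is owned by someone other than the user or root. The function name `strict_modes_problems` is hypothetical and the logic is an approximation of that rule.

```python
import os
import stat


def strict_modes_problems(keyfile, home, uid):
    """List the reasons sshd (StrictModes yes) would likely refuse keyfile.

    Approximates the OpenSSH rule: the key file and each directory from it
    up to and including the home directory must be owned by the user or
    root and must not be writable by group or others.
    """
    problems = []
    keyfile = os.path.realpath(keyfile)
    home = os.path.realpath(home)

    def check(path, is_dir):
        kind = "directory" if is_dir else "file"
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append(f"{path}: {exc.strerror}")
            return
        if not is_dir and not stat.S_ISREG(st.st_mode):
            problems.append(f"{path}: not a regular file")
        if st.st_uid not in (0, uid):
            problems.append(f"bad ownership for {kind} {path} (uid {st.st_uid})")
        if st.st_mode & 0o022:  # group-write or other-write bit set
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"bad modes for {kind} {path} ({mode:04o})")

    check(keyfile, is_dir=False)
    current = os.path.dirname(keyfile)
    while True:
        check(current, is_dir=True)
        parent = os.path.dirname(current)
        if current == home or parent == current:
            break  # the walk stops once the home directory has been checked
        current = parent
    return problems


if __name__ == "__main__":
    import pwd
    import sys
    # Account name from the command line, else the current user.
    name = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    user = pwd.getpwnam(name)
    keys = os.path.join(user.pw_dir, ".ssh", "authorized_keys")
    for line in strict_modes_problems(keys, user.pw_dir, user.pw_uid) or ["ok"]:
        print(line)
```

Run as root with an account name as the argument, it prints each offending path so the permissions can be corrected without turning StrictModes off.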
 

maniyer

Thanks everyone, this really helped. You were right, I had my home directory with Windows permissions, which don't allow any permission changes on the webGUI. As soon as I changed it to UNIX I was able to un-flag Write for group and now I can use the public key without any problems. The reason I had it on Windows permissions was because I thought it was required to mount a share with SMB, but after some testing, I could load a share with SMB even with UNIX permissions. Rookie mistake.
 