FreeNAS 11 - SSH: permission denied (publickey)

Mortama

Cadet
Joined
Aug 13, 2016
Messages
2
I'm trying to setup SSH access to my FreeNAS using SSH public keys and I've run into a problem I've not been able to find a solution to.

I have a user, mattias, to which I paste an RSA public key into the "SSH Public Key" field. Afterwards when I try to SSH ssh mattias@192.168.1.30
I get Permission denied (publickey). If I use the -v I get the following:
Code:
$ ssh mattias@192.168.1.30 -v
OpenSSH_7.3p1, OpenSSL 1.0.2k  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.1.30 [192.168.1.30] port 22.
debug1: Connection established.
debug1: identity file /c/Users/USERNAME/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/USERNAME/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/USERNAME/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/USERNAME/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/USERNAME/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/USERNAME/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/USERNAME/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/USERNAME/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4-hpn14v5
debug1: match: OpenSSH_7.4-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.30:22 as 'mattias'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XdfLFnuYX09cbPPUobn5bvLz4UDNklFucIYcVp/iNA0
debug1: Host '192.168.1.30' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/USERNAME/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /c/Users/USERNAME/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /c/Users/USERNAME/.ssh/id_dsa
debug1: Trying private key: /c/Users/USERNAME/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/USERNAME/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).


From the last section "Trying private key" it looks like it's not even checking against the correct private key. The correct private key is id_rsa not id_dsa.

One interesting thing is, if I assign the same public key to the root user it works...

Image of mattias settings:
30vnn10.png


Image of root settings:
e0o4tx.png



Any ideas?

I would gladly accept the answer "user error" if the same public key didn't work for the root user. But since it does, I'm lost...
 
Last edited:

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Those aren't the same public keys. The user ends with "ekh", root ends with "4V/".
 

Mortama

Cadet
Joined
Aug 13, 2016
Messages
2
Yeah sorry. I updated the first image in an edit. At that time I had tried generating a new SSH key (which didn't help).
So the keys do match in my setup, while my images don't.
 
D

dlavigne

Guest
Were you able to resolve this? If not, is the error reproducible on 11.1?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194

stitch

Dabbler
Joined
Jan 7, 2017
Messages
24
Same problem here with 11.1. I did have it working after swapping the public key briefly on the non-root user, after not modifying anything it broke again.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Same here, password does work

Code:
OpenSSH_7.5p1 Debian-5, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /home/xxx/.ssh/config
debug1: /home/xxx/.ssh/config line 5: Applying options for freenas
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.xx.xx [192.168.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/xxx/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xxx/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5p1 Debian-5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5-hpn14v5
debug1: match: OpenSSH_7.5-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.xx.xx22 as 'xxxx'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xxxxxxxxxxxxxxxxxxxx
debug1: checking without port identifier
debug1: Host '192.168.xx.xx' is known and matches the ECDSA host key.
debug1: Found key in /home/xxx/.ssh/known_hosts:24
debug1: found matching key w/out port
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/xxx/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

 

qtino

Cadet
Joined
Dec 27, 2018
Messages
4
I can confirm that it was a permissions problem on the freenas side. My Freenas version is FreeNAS-11.2-RELEASE-U1
Logged in as the user I'm trying to login, and executed these permissions and it worked.

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
I can confirm that it was a permissions problem on the freenas side. My Freenas version is FreeNAS-11.2-RELEASE-U1
Logged in as the user I'm trying to login, and executed these permissions and it worked.

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

This is my experience as well. When creating new users in 11.0 U4 , the default permissions for home directory, .ssh directory and .authorized_keys are always too lax so as they have to be manually changed before SSH will work.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I can confirm that it was a permissions problem on the freenas side. My Freenas version is FreeNAS-11.2-RELEASE-U1
Logged in as the user I'm trying to login, and executed these permissions and it worked.

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
OMG! Thank you! Seriously, after hours of Googling and YouTubing - this was the solution! Thank you so much!
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,477
This solved my problem as well. Thank you!
 

yru_IT

Cadet
Joined
Mar 20, 2019
Messages
8
OK, I have been having this problem also, but when I try to chmod the user I get:
1554321975202.png

I have my home directories on my dataset hard-drives with a separate folder for each user in the homes folder. My keys are copied from another Linux server which this will replace if and when I can get it working. All my research shows that the ssh server is touchy about the permissions and wants 700 for the .ssh folder and 600 for the authorized_keys file. I just can't find a way to change them!

Any suggestions welcome...
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
OK, I have been having this problem also, but when I try to chmod the user I get:
View attachment 29794
I have my home directories on my dataset hard-drives with a separate folder for each user in the homes folder. My keys are copied from another Linux server which this will replace if and when I can get it working. All my research shows that the ssh server is touchy about the permissions and wants 700 for the .ssh folder and 600 for the authorized_keys file. I just can't find a way to change them!

Any suggestions welcome...
Try running your chmod command using sudo.
 

yru_IT

Cadet
Joined
Mar 20, 2019
Messages
8
I tried that also, get message:
Sorry, user root is not allowed to execute '/bin/chmod authorized_keys as root on Dynamo2.local.
 

Attachments

  • 1554323984978.png
    1554323984978.png
    10.1 KB · Views: 765

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Via webui maybe? else run it as the user itself? weird root cant change it.
 

qtino

Cadet
Joined
Dec 27, 2018
Messages
4
Hello yru_IT,

It seems the problem is that you are not logged in as user jdoe. Try change the user with:

su - jdoe

and then execute the permissions commands. Or just password login as user jdoe to be able to set the permissions.
 

yru_IT

Cadet
Joined
Mar 20, 2019
Messages
8
Hello yru_IT,

It seems the problem is that you are not logged in as user jdoe. Try change the user with:



and then execute the permissions commands. Or just password login as user jdoe to be able to set the permissions.
OK, was busy for a couple of days, now back to this... I have tried logging in as root at the console terminal attached to the server rather than the web based terminal window. Still no luck root is NOT allowed to change the permissions of the user in either the .ssh folder or the authorized _keys file in that folder. Not able to change from the web based terminal either. Logged in as the user using SCP both as root and as user, still not able to change the permissions, using either the FTP port or the SFTP port. Always permission denied.
WHY is permission denied even as root in terminal??? This makes no sense.
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
OK, was busy for a couple of days, now back to this... I have tried logging in as root at the console terminal attached to the server rather than the web based terminal window. Still no luck root is NOT allowed to change the permissions of the user in either the .ssh folder or the authorized _keys file in that folder. Not able to change from the web based terminal either. Logged in as the user using SCP both as root and as user, still not able to change the permissions, using either the FTP port or the SFTP port. Always permission denied.
WHY is permission denied even as root in terminal??? This makes no sense.
The only explanation I can think of would be if your 'homes' dataset is read-only. You can check this by going to Storage and checking the homes dataset options.
 
Top