Problems with the rsync task and user's SSH public key

Status
Not open for further replies.

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
Hello everyone!

I'm having issues with the rsync task.
[Screenshot: 1J5Pu.jpg]

I've modified the information, so operator is not the actual user I'm using in this case. It's chosen just as an example.


My plan is to use rsync to replicate data from FreeNAS to a Synology NAS (DSM 5.1). I've generated an RSA SSH key on the Synology and then copied it (with authenticat_key) to the FreeNAS operator's home directory (located at /mnt/storage/Users).

[Screenshot: oEXp6.jpg]


I have also copied RSAkeyID.pub content to operator's public key field at FreeNAS so it should use the same public key.

[Screenshot: uVHhj.jpg]


Can someone tell me what I'm doing wrong in this case?

Thanks in advance!
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
Hi,

Can your FreeNAS user ssh to the Synology using key authentication, or does it fall back to password auth?
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
It keeps asking me for the password regardless of which NAS I'm trying to connect from.
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
Are you sure you've copied the keys the right way?

Basically the public/private key authentication is based on a challenge/response mechanism.
Example:
- User_X on Host_A wants to log onto Host_B as User_Y without using a password for authentication.
- On Host_B the ssh service needs to make sure that User_A is really the one he claims to be.
- In order to check this, the ssh service on Host_B looks into User_Y's authorized_keys (which are public keys of users who may login onto Host_B as User_Y), encrypts some challenge with the public key, and sends it to User_X on Host_A.
- On Host_A the ssh service tries to decrypt the challenge with User_X's private key and sends the response back to the ssh service on Host_B.
- If the response is correct, then User_X is probably the one he claims to be and is granted access (because only User_X can decrypt the challenge).
- If the response is wrong, the authentication falls back to a password authentication (again in order to find out whether User_X is the one he claims to be).

So, are you sure that you've copied your FreeNAS user's public key to the authorized_keys file of your Synology user?
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
I'm sure because I copied it with WinSCP. However, I still don't understand why FreeNAS is telling me that my user doesn't have a public key when it definitely does (as you can see on the screenshot).


PS: Can these keys be generated with the "root" user and then be used with e.g. the "user1" user?
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
I am just asking whether you've copied it the right way, because you wrote:
My plan is to use rsync to replicate data from FreeNAS to a Synology NAS (DSM 5.1). I've generated an RSA SSH key on the Synology and then copied it (with authenticat_key) to the FreeNAS operator's home directory (located at /mnt/storage/Users).

This says that you've created a key pair on your Syno box and copied it to your FreeNAS box, which is the wrong way - this should allow you a passwordless login from Syno to FreeNAS.

Don't forget to check the file permissions too - IIRC the private key needs 0600 permissions.

Try to go through this:
http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
Ok. Thanks for your help. I will do it again from scratch and let you know about the results. :)
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
HTH :)
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
Ok. I think I'm a bit closer to a working solution, but my issue atm is that I'm trying to do this as a non-root user. So I'm struggling with the files' ownership, and no matter how much chown I try to input I still cannot get the right ownership for my non-root user. Almost every guide is meant for the root user. So if anyone could write which commands I need to input to be able to do this I would be very grateful. Thanks in advance.

Edit: Ok I found the reason for this....my Users' directory was set as Windows ACL.

Configuration continues... -> :)
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
Code:
[user1@FreeNAS ~/.ssh]$ ls -lah
total 13
drwxrwxr-x+ 2 user1  Users     4B Jan  5 22:47 .
drwxrwxr-x+ 3 user1  wheel     4B Jan  5 22:46 ..
-rw-------  1 user1  Users   1.7k Jan  5 22:13 id_rsa
-rw-r--r--  1 user1  Users   174B Jan  5 22:20 known_hosts



I finally managed to establish a passwordless SSH connection from FreeNAS -> Synology. However, I cannot do the same from Synology -> FreeNAS. I tried to combine two public keys into one authorized_keys file with chmod 600, but it still only works one way.


Because a manual SSH connection from FreeNAS to Synology works without a password, I tried to create an rsync task and I'm still getting this message:

[Screenshot: ULQ3E.jpg]


That same user is connecting fine from FreeNAS to Synology with 'ssh user@IP_ADDRESS' only.
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
authorized_keys is missing because I was testing whether it makes any difference in the current situation. I have authorized_keys on Synology, otherwise it wouldn't work as it does now. If I've understood correctly, FreeNAS should have an authorized_keys file generated from Synology's .pub key?
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
I can't see a reason why it shouldn't. My biggest issue is that obviously I cannot use the rsync task from FreeNAS to Synology; is the reason for that that FreeNAS doesn't know where to find authorized_keys?
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
If I've understood correctly FreeNAS should have authorized_keys file generated from Synology's .pub key?

No.
The authorized_keys file resides on the remote host (the Synobox in your case), and contains the public keys (which you have to copy manually into authorized_keys (it's not generated)) of users who are, well, authorised to log onto the remote host as the user in whose homedir/.ssh the authorized_keys file resides.

I'd suggest you use the "replication" identity at least for testing:
- On your FreeNas box look into /data/ssh
- Copy the replication.pub file to your Synobox into the user's homedir/.ssh/authorized_keys
- Try (as root): ssh -i /data/ssh/replication user@1.2.3.4

Correct your permission issues and generate the proper key pair then.

Btw, the tutorial I mentioned earlier uses regular users (not root), and, everything is described or referenced in the ssh manpage...
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
FreeNAS:

authorized_keys (chmod 600) <- made from id_rsa.pub generated on FreeNAS
id_rsa (chmod 600) <- generated on FreeNAS
known_hosts (chmod 644) <- automatically made from the first connection attempt


Synology:

authorized_keys (chmod 600) <- copied from FreeNAS
id_rsa (chmod 600) <- generated on Synology
known_hosts (chmod 644) <- automatically made from the first connection attempt

Current situation:

I can connect from FreeNAS to Synology without a password but not from Synology to FreeNAS. Why? Correct me if I'm wrong but should .pub from Synology be merged with authorized_keys file currently used on both NASes?
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
Get the public key (*.pub) from the key pair generated on Synology and put it into authorized_keys on FreeNAS.
Remove the public key you've generated on FreeNAS from the authorized_keys residing on FreeNAS (doesn't make sense).

It is really simple:
In order to use the publickey authentication from FreeNAS to Synology:
- Generate a key pair on FreeNAS
- Put the generated public key into authorized_keys on Synology

In order to use the publickey authentication from Synology to FreeNAS:
- Generate a key pair on Synology
- Put the generated public key into authorized_keys on FreeNAS
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
I did so before too and this is what I'm getting:

SYNOLOGY> ssh -v user1@10.1.1.2
OpenSSH_6.6, OpenSSL 1.0.1j-fips 15 Oct 2014
debug1: Connecting to 10.1.1.2 [10.1.1.2] port 22.
debug1: Connection established.
debug1: identity file /var/services/homes/syno/.ssh/id_rsa type -1
debug1: identity file /var/services/homes/syno/.ssh/id_rsa-cert type -1
debug1: identity file /var/services/homes/syno/.ssh/id_dsa type -1
debug1: identity file /var/services/homes/syno/.ssh/id_dsa-cert type -1
debug1: identity file /var/services/homes/syno/.ssh/id_ecdsa type -1
debug1: identity file /var/services/homes/syno/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/services/homes/syno/.ssh/id_ed25519 type -1
debug1: identity file /var/services/homes/syno/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6p2-hpn14v4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
debug1: match: OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 0d:a1:a4:ad:3a:24:22:f1:39:ff:03:78:40:df:5d:ek
debug1: Host '10.1.1.2' is known and matches the ECDSA host key.
debug1: Found key in /var/services/homes/user1/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/services/homes/user1/.ssh/id_rsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /var/services/homes/user1/.ssh/id_dsa
debug1: Trying private key: /var/services/homes/user1/.ssh/id_ecdsa
debug1: Trying private key: /var/services/homes/user1/.ssh/id_ed25519
debug1: Next authentication method: password
user1@10.1.1.2's password:
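
A reading of the debug output above, as an added example that is not part of the original thread: in this OpenSSH 6.6 trace, "key_parse_private2: missing begin marker" only records that the file is not in the newer OpenSSH key format, and the next line shows it was then read as a PEM RSA key, after which the server listed the methods that can continue instead of accepting that key. The function names and state labels are made up for this example, and the patterns match the messages in this trace only (other OpenSSH versions word them differently).

```shell
#!/bin/sh
# Added example: classify each private key mentioned in `ssh -v` output (stdin).
# States: NOT_LOADED (no usable key file), REJECTED_BY_SERVER, ACCEPTED.
classify_keys() {
    awk '
        function emit() { if (key != "") print state, key }
        /^debug1: Trying private key: / { emit(); key = $NF; state = "NOT_LOADED" }
        /^debug1: read PEM private key done/ { if (key != "") state = "LOADED" }
        /^debug1: Authentications that can continue:/ {
            # The server answered a loaded key with "try something else".
            if (state == "LOADED") state = "REJECTED_BY_SERVER"
        }
        /^debug1: Authentication succeeded/ { if (key != "") state = "ACCEPTED" }
        END { emit() }
    '
}

# Sample input: the authentication part of the trace posted above.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/services/homes/user1/.ssh/id_rsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /var/services/homes/user1/.ssh/id_dsa
debug1: Trying private key: /var/services/homes/user1/.ssh/id_ecdsa
debug1: Trying private key: /var/services/homes/user1/.ssh/id_ed25519
debug1: Next authentication method: password
EOF
}

sample_log | classify_keys
```

A REJECTED_BY_SERVER result means the client side did its part, so the place to look next is the target account on the server: its authorized_keys content and the permissions around it.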
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
This seems odd:
debug1: key_parse_private2: missing begin marker

Try again from scratch:
On Synology:
ssh-keygen -t rsa
Do not use a passphrase.

You should end up with:
id_rsa
id_rsa.pub


Copy id_rsa.pub to FreeNAS into the .ssh directory of the user.

On FreeNAS:
The permissions of the .ssh directory should be 700.
Rename (mv) id_rsa.pub to authorized_keys.
The permissions of authorized_keys should be 600.

Now you should be able to ssh from Synology to FreeNAS without a password.
If it doesn't work try searching for "debug1: key_parse_private2: missing begin marker" on the internet.
Or, maybe try another key type (e.g. ssh-keygen -t dsa)
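
A check for the permission requirements in the steps above, as an added example that is not from the thread: with StrictModes (the OpenSSH server default) sshd ignores authorized_keys when the home directory, .ssh or the file itself is writable by group or others, which is the case for the drwxrwxr-x directories in the earlier listing. The function names and labels are made up for this example; it reads mode bits only and does not check ownership or ACLs.

```shell
#!/bin/sh
# Added example: check the permission bits that decide whether OpenSSH will
# use an account's authorized_keys and private keys.

# Octal mode of a path: GNU stat (Linux) first, then BSD stat (FreeBSD/FreeNAS).
mode_of() {
    [ -e "$1" ] || return 1
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# True when the group or other digit of the mode has the write bit (2, 3, 6, 7).
loose_write() {
    m=$(mode_of "$1") || return 1
    o=${m#"${m%?}"}; rest=${m%?}; g=${rest#"${rest%?}"}
    case "$g$o" in *[2367]*) return 0 ;; esac
    return 1
}

# Print one line per finding for the account whose home is $1; return 1 if
# a permission problem was found (an absent file is reported but not counted).
audit_ssh_dir() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "ABSENT   $p"
        elif loose_write "$p"; then
            echo "TOO OPEN $(mode_of "$p") $p"; bad=1
        fi
    done
    # The ssh client refuses a private key that group or others can access.
    for k in "$1"/.ssh/id_*; do
        case "$k" in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        case "$(mode_of "$k")" in
            *00) ;;
            *) echo "KEY OPEN $(mode_of "$k") $k"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample with the same modes as the ls -lah listing in the thread.
demo=$(mktemp -d) && mkdir -p "$demo/.ssh" && chmod 775 "$demo" "$demo/.ssh"
: > "$demo/.ssh/id_rsa" && chmod 600 "$demo/.ssh/id_rsa"
audit_ssh_dir "$demo" || true
rm -rf "$demo"
```

Run it on the machine being logged into, against the home directory of the target account, for example audit_ssh_dir /mnt/storage/Users/user1 (path assumed from the thread).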
 

escalibur

Dabbler
Joined
Jan 3, 2015
Messages
49
Ok I will test that. Do you know about that 'red' message I'm getting from rsync task? Is there any way to create a task which could backup my data from FreeNAS to Synology? I have a feeling that you cannot define user's home directory to rsync so it always keeps asking for the public key which I definitely already have (as you saw it too).


Edit: Nah...tried one more time with RSA then DSA and it doesn't work (not even by generating with 'root')...


debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password


Now only if I could get rsync task to work over SSH. :/
 

Roger Wilco

Explorer
Joined
Jul 17, 2014
Messages
65
Sorry, I've never played around with rsync...
 