Some help with SSH. Permission denied (public key) (Finally solved)

bloomo (Explorer, joined Apr 4, 2014, 58 messages)
I've been using password SSH login from a local machine on my network and I'd like to set up SSH keys with password authentication to lock SSH down a little further.

I have generated RSA pub/private keys on my OSX machine and copied the pub key to my user's SSH auxiliary field in FreeNAS.

No dice, I get a "Permission denied (publickey)" message.

I tried looking at the permissions on the authorized_keys file in my user/.ssh folder (on FreeNAS) and it was
-rwxrwxr-x+. I tried to chmod this according to the OpenSSH docs to change it to 600 (read only). I got permission denied.

After even more research, I found out this is because my dataset is set to Windows. Obviously chmod does not work on Windows ACLs. I'm not sure what the setfacl of the .ssh and authorized_keys on FreeNAS should be set to. Don't want to mess with anything I shouldn't.

Anyone feel like putting me out of my misery and helping solve this?

I'm on FreeNAS 9.2.1.8.
Client machine is on OSX Mavericks.
File permissions are:
client: OSX
-rw------- on id_rsa
drwx----- on the .ssh folder
server: FreeNAS
drwxrwxr-x+ on the /user/.ssh folder
-rwxrwxr-x+ on authorized_keys

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
Put the .ssh folder in a dataset with Unix permissions. Is there any reason why you need your home folders to have the Windows acltype? I only set them that way for CIFS shares.

bloomo (Explorer, joined Apr 4, 2014, 58 messages)
Yeah, my home folder is my data backup dataset and I connect to it via CIFS. So is having the .ssh folder in a Windows ACL dataset impossible or just complicated?

bloomo (Explorer, joined Apr 4, 2014, 58 messages)
Just in case anyone else has this problem, I finally got this working.
I can't say that the order I did this in was specific; that's the nature of a Unix noob hacking away at a problem :-O
Forget above post.

Solution is for an SSH key stored on a Windows ACL dataset.

1. Once RSA keys are generated on your client machine (mine is OSX), cut and paste the public key into the auxiliary field of your user in the FreeNAS GUI. Save.

2. (Read number 3, you may be able to skip this step, I don't know.) Navigate via the CLI to your user's home directory. Use setfacl -x to remove the "everyone" and "group" permissions on the .ssh folder and the authorized_keys inside it. You can do this separately or through inheritance if you know more than I do. You can see your permissions by using getfacl .ssh / getfacl authorized_keys. Copy the whole line of "everyone" or "group" and paste it after setfacl -x. DON'T forget to add the filename at the end of the command; otherwise you're removing those permissions for the entire dataset. It should go something like this:
[XXXXX@XXXXX] ~% getfacl .ssh
# file: .ssh
# owner: XXXXX
# group: XXX
owner@:rwxpDdaARWcCo-:fd----:allow
group@:rwxpDdaARWcCo-:fd----:allow
everyone@:rwxpDdaARWcCo-:fd----:allow
[XXXXX@XXXXX] ~% setfacl -x everyone@:rwxpDdaARWcCo-:fd----:allow .ssh
Then do the same for authorized_keys.

3. Once the above still didn't work (maybe try this step before the above and report back if it works without), I booted into Windows and browsed to the home user's dataset that the .ssh folder is stored in (you must be authenticated as the home user/owner). I right-clicked on my home user's BASE dataset and used the security panel to affect the permissions. Click Advanced. Here you are in the advanced permissions tab. I allowed only my user rwx; there was an "everyone" and a weird "S-1-2-etc" user id in there that I have no idea where it came from. Both also had read and execute permissions. Get rid of those and tick the inherit box to propagate the changes all the way through your dataset. SSH doesn't like it when other people can access the dataset that the SSH key is stored on.

Now SSH should work.
Yay.

cancel (Cadet, joined Aug 14, 2017, 5 messages)
Hi there,

Found those steps useful.

Still, after performing all this, it did not work for me.
But to share my experience: I looked further in /var/log/auth.log, and the SSHD daemon was complaining about bad permissions on the user home directory:

Code:
Authentication refused: bad ownership or modes for directory /mnt/zpool/work/home/git

What I did: I removed the group permissions on my home directory (git), leaving just the owner permissions.

Code:
root@freenas:/mnt/zpool/work/home # setfacl -x group@:rwxpDdaARWcCos:fd----I:allow git
root@freenas:/mnt/zpool/work/home # getfacl git
# file: git
# owner: git
# group: git
owner@:rwxpDdaARWcCos:fd----I:allow
root@freenas:/mnt/zpool/work/home #


After this, I was able to successfully log in with my SSH key.
Hope this helps.
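As an added example (not from any poster in this thread), here is a small POSIX sh script that reproduces the ownership and mode checks sshd applies with StrictModes (its default), which is what produces the "bad ownership or modes" line in cancel's auth.log and the "other people can access the dataset" problem in bloomo's step 3. It is simplified to the three paths that matter here (home, .ssh, authorized_keys); real sshd also walks every parent directory between authorized_keys and the home directory. The path and user in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: mimic sshd's StrictModes checks before it will read authorized_keys.
# The home dir, ~/.ssh and authorized_keys must each be owned by the user (or root)
# and must not be writable by group or others; otherwise sshd logs
# "bad ownership or modes" and the client only sees "Permission denied (publickey)".
# The mode string comes from `ls -ld`, which on an NFSv4/Windows ACL dataset is the
# mode summary of the ACL (the trailing "+" marks extra ACL entries), i.e. the
# -rwxrwxr-x+ that bloomo saw means group- and world-readable, group-writable.

# bad_mode_reason PATH USER: print each problem found with PATH, return 1 if any.
bad_mode_reason() {
  path=$1
  user=$2
  [ -e "$path" ] || { echo "$path: does not exist"; return 1; }
  set -- $(ls -ld "$path")      # fields: mode links owner group ...
  mode=$1
  owner=$3
  rc=0
  case "$owner" in
    "$user" | root) ;;
    *) echo "$path: owned by $owner, not $user"; rc=1 ;;
  esac
  # mode string layout: type, rwx(user), rwx(group), rwx(other);
  # the group "w" sits at column 6 and the other "w" at column 9.
  [ "$(printf '%s' "$mode" | cut -c6)" = w ] && { echo "$path: group-writable ($mode)"; rc=1; }
  [ "$(printf '%s' "$mode" | cut -c9)" = w ] && { echo "$path: world-writable ($mode)"; rc=1; }
  return $rc
}

# check_ssh_setup HOME USER: check HOME, HOME/.ssh and HOME/.ssh/authorized_keys.
# Returns 0 when sshd would accept the layout, 1 when it would refuse the key.
check_ssh_setup() {
  h=$1
  u=$2
  failed=0
  bad_mode_reason "$h" "$u" || failed=1
  bad_mode_reason "$h/.ssh" "$u" || failed=1
  bad_mode_reason "$h/.ssh/authorized_keys" "$u" || failed=1
  [ "$failed" -eq 0 ] && echo "$h: passes StrictModes-style checks"
  return $failed
}

# Usage (placeholder path and user): check_ssh_setup /mnt/zpool/work/home/git git
```

Run it on the server as root or as the key's owner; on a Windows ACL dataset, fix whatever it reports with setfacl -x as shown above rather than chmod.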