Yet another SSH problem

Status
Not open for further replies.

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I've watched videos. I've copied instructions verbatim. I've read this forum inside-out but I still can't get private/public keys to work!! I'm so frustrated I can't see straight.

Here's what I'm doing. WTF am I doing wrong?!
  1. In my Linux terminal:
    1. #ssh-keygen -t rsa
    2. I press enter to not rename the file
    3. I enter a password
  2. I go to my Linux home folder, get inside the .ssh folder, double-click the id_rsa.pub file and copy all the text inside.
  3. Next I go to my FreeNAS GUI within my web browser
    1. I click my user from the left pane
    2. In the pop-up window I paste my ssh text (from the id_rsa.pub file) into the SSH Public Key section. I press OK
  4. Still in the GUI I open a Shell window
    1. The shell window shows [root@freenas ~]#
    2. I then chmod 600 /mnt/guenther/diedrich/.ssh/authorized_keys
  5. Back in my Linux terminal I
    1. ssh diedrich@freenasIP
    2. and I get Permission denied (publickey).
I've also tried various methods such as
  • scp ~/.ssh/id_rsa.pub diedrich@freenasIP:
  • cat ~/.ssh/id_rsa.pub | ssh diedrich@freenasIP "cat >> ~/.ssh/authorized_keys"
  • cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  • I've also tried placing the pub info in the authorized_keys file at /mnt/guenther/.ssh
  • etc, etc, etc
Seriously, how dense am I? WTF am I doing wrong?
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Try running ssh with the -v option and post the error message.
So in your case: "ssh -v diedrich@freenasIP"
 

diedrichg

OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/diedrich/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/diedrich/.ssh/id_rsa-cert type -1
debug1: identity file /home/diedrich/.ssh/id_dsa type -1
debug1: identity file /home/diedrich/.ssh/id_dsa-cert type -1
debug1: identity file /home/diedrich/.ssh/id_ecdsa type -1
debug1: identity file /home/diedrich/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug1: match: OpenSSH_6.2_hpn13v11 FreeBSD-20130515 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA xx:xx:xx:xx:xx
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the ECDSA host key.
debug1: Found key in /home/diedrich/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/diedrich/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/diedrich/.ssh/id_dsa
debug1: Trying private key: /home/diedrich/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).
 

diedrichg

FYI, I'll change the port whenever I figure out how to get this working in the first place.
 

Whattteva

What are the permissions of:
/home/diedrich
/home/diedrich/.ssh
/home/diedrich/.ssh/id_rsa

Also, do you have a ~/.ssh/authorized_keys file?
You never mentioned it in your previous post.

EDIT: nvm, it seems that you do have it.
Verify that authorized_keys looks something like:
ssh-rsa blablabla... rsa-key-xxxx

Also, you may want to try to restart the ssh daemon.
 

diedrichg

Code:
[root@freenas /mnt/guenther/.ssh]# ls -l
total 12
-rw-------  1 root  family  404 Sep  1 22:28 authorized_keys
[root@freenas /mnt/guenther/.ssh]# cd /mnt/guenther/diedrich/.ssh
[root@freenas /mnt/guenther/diedrich/.ssh]# ls -l
total 12
-rw-------  1 diedrich  wheel  404 Sep  1 15:54 authorized_keys

I checked user diedrich and the key matches the key when double-clicking root user in the GUI>users section

Am I missing a .ssh folder lower than /mnt/ ?

Oh, crap. I see that you meant /home/...

Code:
diedrich@Osiris-Mint /home $ ls -l
total 4
drwxr-xr-x 34 diedrich diedrich 4096 Sep  1 21:52 diedrich
 
diedrich@Osiris-Mint ~/.ssh $ ls -l
total 12
-rw------- 1 diedrich diedrich 1766 Sep  1 11:44 id_rsa
-rw-r--r-- 1 diedrich diedrich  402 Sep  1 11:44 id_rsa.pub
-rw-r--r-- 1 diedrich diedrich  222 Sep  1 11:48 known_hosts
 

Whattteva

What's the permission of /mnt/guenther/diedrich ?
I'm guessing that's what your home directory is set to?
 

diedrichg

FreeNAS user directories are under /mnt/guenther/
permissions for /mnt/guenther are
drwxrwx--- 17 root family 18 Sep 1 22:27 guenther
 

Whattteva

Yea sorry, I thought guenther is the home, I meant diedrich.
Also, I don't understand why you have .ssh in both /mnt/guenther and /mnt/guenther/diedrich?

Which one is the real user?
 

diedrichg

drwxrwx--- 5 diedrich wheel 6 Sep 1 11:32 diedrich
 

Whattteva

diedrichg said:
"drwxrwx--- 5 diedrich wheel 6 Sep 1 11:32 diedrich"
I think that's the problem right there.
Change it so that the group permission does not have write permission.
 

diedrichg

*sigh* no go, still can't handshake
drwxr-x--- 5 diedrich wheel 6 Sep 1 11:32 diedrich

I'll just start from the beginning. I'll erase my laptop's .ssh folder. I'll erase FreeNAS /mnt/guenther/.ssh. I'll erase /mnt/guenther/diedrich/.ssh.

When I start again, I copy the .pub file to the authorized_keys in ______, where?

edit: FYI, every time I make a change I make sure I cycle ssh in services tab in the GUI
 

Whattteva

You want to copy the SSH public key to the "SSH Public Key" section on the FreeNAS web admin GUI.
It's under:
Account -> Users -> diedrich -> SSH Public Key

Also, you only need the .ssh folder under the folder that you get when you run the "cd ~diedrich" command.

Make sure on the FreeNAS system:
1) ~diedrich folder is only at most rwxr-xr-x (no write for others).
2) .ssh folder is only rwx------
3) .ssh/authorized_keys is only rw-------

On the remote system:
1) .ssh folder is only rwx------
2) .ssh/id_rsa is only rw-------
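
The FreeNAS-side checklist above as a script, added here as an example (it is not code from the thread). It compares `ls -l` mode strings so it runs unchanged on FreeBSD and Linux; the function names are hypothetical, and the owner check (the user or root, which is what sshd's StrictModes accepts) is an addition to the checklist.

```shell
#!/bin/sh
# Added example: audit the server-side permissions from the checklist above.
# Usage: sh thisfile HOME_DIR [USER]   e.g. HOME_DIR=/mnt/guenther/diedrich

# expect PATH PATTERN FIX USER
# Compare PATH's ls-style mode string against a shell pattern and its owner
# against USER (root is accepted too). Prints a verdict, returns 1 on failure.
expect() {
    line=$(ls -ld "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    mode=$(echo "$line" | cut -c1-10)      # drops any trailing ACL marker
    owner=$(echo "$line" | awk '{print $3}')
    case $owner in
        "$4"|root) ;;
        *) echo "FAIL $1 is owned by $owner, expected $4"; return 1 ;;
    esac
    case $mode in
        $2) echo "ok   $mode $owner $1" ;;
        *)  echo "FAIL $mode $owner $1 (fix: $3)"; return 1 ;;
    esac
}

# check_ssh_perms HOME_DIR [USER]
# Runs the three checks and returns the number that failed (0 = all good).
check_ssh_perms() {
    home=$1; user=${2:-$(id -un)}; bad=0
    # 1) home: no write bit for group (char 6) or others (char 9)
    expect "$home" 'd????-??-?' 'chmod go-w' "$user" || bad=$((bad+1))
    # 2) .ssh: exactly rwx------
    expect "$home/.ssh" 'drwx------' 'chmod 700' "$user" || bad=$((bad+1))
    # 3) authorized_keys: exactly rw-------
    expect "$home/.ssh/authorized_keys" '-rw-------' 'chmod 600' "$user" \
        || bad=$((bad+1))
    return "$bad"
}

if [ $# -gt 0 ]; then check_ssh_perms "$@"; fi
```

Run against a home directory with mode drwxrwx---, as posted earlier in the thread, it reports one FAIL for the home directory even when .ssh and authorized_keys are already 700 and 600.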
 

diedrichg

Ok. Well. I've done it manually through nano and I've done it through the GUI and still the same result. I can't thank you enough for your help and patience! Thank you. I'm going to put this to rest for at least tonight and maybe try it tomorrow.

And to clarify, all I'm changing is the authorized_keys file info and then chmod 600 auth_keys, right? There are no other files to copy over or edit, correct? And the only place the SSH Public Key is copied to is to the user's GUI section? No other user - root - or other section get the SSH Public Key?
 

Whattteva

diedrichg said:
"And to clarify, all I'm changing is the authorized_keys file info and then chmod 600 auth_keys, right? There are no other files to copy over or edit, correct? And the only place the SSH Public Key is copied to is to the user's GUI section? No other user - root - or other section get the SSH Public Key?"

authorized_keys 600 is correct.
Correct, there should be no other files to copy over or edit.
The user's GUI section should automatically put that key in the correct place.
Yes, only the owner should get access to the SSH public key AND the .ssh folder.
Also, your ~user folder (/mnt/guenther/diedrich in your case) cannot be writable by anyone other than the owner (others can have read and execute though, just not write).
 

diedrichg

I got the edited instructions for folder permissions. I'll double-check tomorrow that everything is straight. I'll let you know how it goes! Thanks again, you were awesome!
 

Whattteva

Hopefully, you bring good news. :)
 