Fixing Public Key Authentication
-
-
Any chance Windows Notepad was used anywhere in this process?
Negative
-
BTW, thanks for jumping in to help!
-
-
I am beginning to suspect the key format that was used when creating your keys is not compatible with what OMV's Openssh is expecting.
What were the choices for key format when you created the keys?
-
RSA, DSA, ECDSA, EdDsa, SSH-1 (RSA)
What's strange is that in the user's section where you put your public key value in, if it's not formatted correctly it will tell you.
When I put this one in, it didn't say there was any formatting issues with it.
I suppose I could create the pair via the linux box itself.
-
When I run this command: ssh-keygen -t rsa and add the passphrase, I get a permission denied.
The directory is /home/eric/.ssh. I think the permissions are jacked up with this directory. How do I fix this so that I can actually save files in here without having to sudo?
This command: ls -l /home/eric/.ssh shows:
These are the permissions for the files in the /home/eric/.ssh directory but I think the permissions are jacked up with this .ssh directory.
Here's the permission error:
-
-
Yep, I think at the core of this, when I have to sudo the: ssh-keygen -t rsa command, it's making the key have root@servername and not eric@servername.
I need to get the permissions on /home/eric/.ssh fixed then I think I'll be good!
Can you help with that?
-
Accept the default file name for the key, don't use omv.
Show the output of
ls -al /home/eric
-
-
-
I just went through the process here: [GUIDE] Enable SSH with Public Key Authentication (Securing remote webUI access to OMV)
I created the key on my omv box with: ssh-keygen -t rsa
Converted the key: ssh-keygen -e -f ~/.ssh/id_rsa.pub
SCP'd the public and private keys over to my Windoze box.
Opened the private key in PuttyGen, copied the public key text, and pasted into the 'public keys' section in OMV web ui.
Pointed putty to the private key that I copied above.
When I log in, the server is still refusing my key.
Maybe permissions? Maybe not.
-
Can anyone help me to get past this dead end?
-
Here's my ssh_config if that will help to diagnose:
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AllowGroups root ssh
AddressFamily any
Port 22
PermitRootLogin no
AllowTcpForwarding yes
Compression yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /var/lib/openmediavault/ssh/authorized_keys/%u
PubkeyAuthentication yes
-
-
This was the fix, btw:
ssh-copy-id user_name@host_name
-
Hi everyone,
I hope I'm posting the right thing in the right section - please tell me if otherwise.
I have been trying to make public key authentication work for a long time on OMV, and after a few hours of troubleshooting I think I understand the problem better.
What I'm trying to achieve
Allow a user created via OMV web GUI to open an SSH session with Public Key Authentication
My configuration
- Fresh install of OMV 5.4.3-1
- No plugins
- Installed on a dedicated physical host
Issue & steps to reproduce
- Create a new user (hereafter referred to as "bob") in OMV web GUI
- Assign bob to ssh group
- Generate a keypair with PuTTYgen
- Add the public key (in RFC4716 format) to the user in OMV web GUI
- Restart SSHD service
- Connect to OMV via PuTTY with private key configured
- Get "Server refused our key" error message and prompt for password
My findings
- I understand that OMV creates users without homedirs, and cannot use /home/bob/.ssh/authorized_keys to store the public key
- Therefore, the config file (/etc/ssh/sshd_config) is modified to add AuthorizedKeysFile with 3 entries, which SSHD will scan in order until it finds a relevant key :
- .ssh/authorized_keys (standard directory)
- .ssh/authorized_keys2 (also standard for ssh2 with legacy clients)
- /var/lib/openmediavault/ssh/authorized_keys/%u (where %u is replaced by the user trying to connect) --> this is where OMV stores keys added via GUI
- Scanning auth logs (/var/log/auth.log) reveals an important error :
Authentication refused: bad ownership or modes for directory /
This means that the root directory's permissions are unsatisfactory for sshd to trust the authorized_keys file stored in /var/lib/...
Indeed, permissions for "/" are set to root:root 775, which means group-writeable - whereas SSHD needs every directory in the path to authorized_keys to be only owner-writeable.
Proposed resolution
IMO there are two ways to deal with this :
- change permissions for root directory : chmod 755 /
--> This solution is confirmed working, but even though it's standard best practice, I cannot confirm that it doesn't cause any side effects.
- Disable SSHD StrictMode, which runs multiple checks to validate SSH auth : in /etc/ssh/sshd_config, change StrictModes to no
--> This solution works but is not desirable as sshd puts these controls in place for good reasons, mainly to prevent exposing sensitive files.
Does this sound like the right way to handle this ? Maybe there was a simpler way ?
Cheers!
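The StrictModes check described in the findings above (and the ~/.ssh permission trouble earlier in the thread) can be reproduced locally without touching sshd. The script below is an added example, not OMV's or OpenSSH's own code: it walks from an authorized_keys file up to "/" (stopping early at the user's home directory, as sshd does) and reports the first component that is not owned by root or the user, or that is group- or other-writable, in the wording sshd writes to auth.log. It assumes a POSIX shell and GNU coreutils stat (with a BSD stat fallback); the function name check_keys_path and the sample path are my own.

```shell
#!/bin/sh
# Added example (not from the thread, OMV or OpenSSH): emulate the path check
# sshd performs with "StrictModes yes" before trusting an authorized_keys file.
# It walks from the key file up to "/" (stopping early at the user's home
# directory, as sshd does) and rejects the first component that is not owned
# by root or the user, or that has a group or other write bit set.
# Assumes GNU coreutils stat; falls back to BSD stat syntax.

# stat_field GNU_FMT BSD_FMT PATH -> prints the requested field
stat_field() {
    stat -c "$1" "$3" 2>/dev/null || stat -f "$2" "$3"
}

# check_keys_path FILE UID [HOMEDIR]
#   Returns 0 if sshd (StrictModes yes) would accept FILE for the user with
#   numeric id UID, 1 otherwise. On failure, prints the offending component
#   in the wording sshd writes to auth.log. Symlinks are not resolved here.
check_keys_path() {
    path=$1
    uid=$2
    home=${3-}
    case $path in
        /*) ;;
        *) path=$(pwd)/$path ;;   # make absolute so the walk reaches "/"
    esac
    kind=file
    while :; do
        owner=$(stat_field '%u' '%u' "$path") || return 1
        mode=$(stat_field '%a' '%Lp' "$path") || return 1
        mode=$(printf '%03d' "$mode")   # pad so group/other digits exist
        perms=${mode#"${mode%??}"}       # last two octal digits
        grp=${perms%?}
        oth=${perms#?}
        if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
            echo "bad ownership or modes for $kind $path"
            echo "  (owned by uid $owner; sshd requires root or uid $uid)" >&2
            return 1
        fi
        if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
            echo "bad ownership or modes for $kind $path"
            echo "  (mode $mode is group/other writable; chmod go-w \"$path\" clears it)" >&2
            return 1
        fi
        # sshd stops once it has checked the home directory or "/"
        if [ "$path" = / ] || { [ -n "$home" ] && [ "$path" = "$home" ]; }; then
            return 0
        fi
        path=$(dirname "$path")
        kind=directory
    done
}

# Script usage (example): sh strictmodes_check.sh /var/lib/openmediavault/ssh/authorized_keys/bob bob
if [ $# -ge 2 ]; then
    check_keys_path "$1" "$(id -u "$2")" "$(getent passwd "$2" | cut -d: -f6)"
fi
```

Run against /var/lib/openmediavault/ssh/authorized_keys/bob for user bob on a box where / is mode 775, it prints "bad ownership or modes for directory /", the same line found in auth.log above; a key under /home/bob/.ssh stops the walk at the home directory, which is why a group-writable /tmp or / does not matter there. The hint on stderr names the narrowest fix (clearing the group/other write bit on that one component, which for / is the chmod 755 / proposed above) rather than turning StrictModes off.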
I'm running into this problem, too.
OMV does not execute the command omv-salt stage run setup after installation? For me it is also "broken", although I have version 5.6.24-1, where it should be fixed.
-
Just wasted 30 mins on this problem.
-
-
And does it work for you?
-
And does it work for you?
I had to manually change the permissions on /