On Wed, Sep 23, 2009 at 8:31 PM, Jonathan C. Bailey
<[email protected]> wrote:
> / and /home have correct permissions. rsyncbackup is another UID 0 user 
> (don't ask - it's worked fine on other platforms). All the SSH related 
> permissions seem fine too. I've also tried authorized_keys and 
> authorized_keys2. I've copied the same keys to root and it still works.

Solaris ssh is a hybrid of OpenSSH and Solarisisms.  Your
configuration may be tripping over a Solarisism.  Perhaps leading with
this at security-discuss will get the attention of someone more
familiar with the details of the differences.

The response will probably include something like:

Why not use a non-UID 0 account with RBAC and have the following in
authorized_keys?

command="/usr/bin/pfexec /backup/validate-rsync ntso" ssh-rsa KEY_TEXT
rsyncbac...@ntso


>
> BTW, I *did* turn root into a real user and added the 'PermitRootLogin yes' 
> line to sshd_config.
>
> -Jon
>
> ----- Original Message -----
> From: "Mike Gerdts" <[email protected]>
> To: "Jonathan C. Bailey" <[email protected]>
> Sent: Wednesday, September 23, 2009 8:25:20 PM GMT -05:00 Colombia
> Subject: Re: [osol-discuss] SSH with public keys not working (not recognizing 
>  the key file)?
>
> On Wed, Sep 23, 2009 at 7:13 PM, Jonathan C. Bailey
> <[email protected]> wrote:
>> /home/rsyncbackup is 700
>> /home/rsyncbackup/.ssh is 700
>> /home/rsyncbackup/.ssh/authorized_keys2 is 600
>
> I assume that the user rsyncbackup is also the owner of all of those.
>
> (grasping at straws a bit...)
>
> And how about / and /home?  They should be writable by only root.
>
> sshd is also picky about permissions on the path to the sshd_config
> file.  Check the permissions on /etc, /etc/ssh, and
> /etc/ssh/sshd_config.
>
>>
>> Also removed the "command" option from the key (so it started with ssh-rsa), 
>> and no difference.. Same problem... Here's the server side of that exchange:
>> debug1: userauth-request for user rsyncbackup service ssh-connection method 
>> publickey
>> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
>> debug2: input_userauth_request: try method publickey
>> debug1: test whether pkalg/pkblob are acceptable
>> debug1: temporarily_use_uid: 0/0 (e=0/0)
>> debug1: trying public key file /home/rsyncbackup/.ssh/authorized_keys
>> debug1: restore_uid: 0/0
>> debug1: temporarily_use_uid: 0/0 (e=0/0)
>> debug1: trying public key file /home/rsyncbackup/.ssh/authorized_keys2
>
> I see here that it is looking at authorized_keys and authorized_keys2.
>  Which file did you add it to?  What happens if you try the other?
>
>> debug3: secure_filename: checking '/home/rsyncbackup/.ssh'
>> debug3: secure_filename: checking '/home/rsyncbackup'
>> debug3: secure_filename: terminating check at '/home/rsyncbackup'
>> debug1: restore_uid: 0/0
>> debug2: key not found
>> debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
>> Failed publickey for rsyncbackup from 10.243.193.3 port 52043 ssh2
>
> I seriously doubt this is your problem, but usernames > 8 characters
> long are not supported.
>
>>
>>
>> -Jon
>>
>> ----- Original Message -----
>> From: "Mike Gerdts" <[email protected]>
>> To: "Jonathan C. Bailey" <[email protected]>
>> Cc: "opensolaris-discuss" <[email protected]>
>> Sent: Wednesday, September 23, 2009 6:57:16 PM GMT -05:00 Colombia
>> Subject: Re: [osol-discuss] SSH with public keys not working (not 
>> recognizing  the key file)?
>>
>> On Wed, Sep 23, 2009 at 6:31 PM, Jonathan C. Bailey
>> <[email protected]> wrote:
>>> Everything is on one line.. Actually, the authorized_keys file was copied 
>>> (working) from an Ubuntu 8.04 system.. Here's an example below. I've 
>>> removed the actual key text in this case to shorten up the line (but 
>>> everything *is* on one line)...
>>>
>>> command="/backup/validate-rsync ntso" ssh-rsa KEY_TEXT rsyncbac...@ntso
>>>
>>> -Jon
>>
>> What are the permissions on the authorized_keys file and all the
>> directories leading up to it?
>>
>> 1. Can the user read the file?
>> 2. Can anyone else write to the file or any parent/ancestor directory?
>>
>>
>> --
>> Mike Gerdts
>> http://mgerdts.blogspot.com/
>>
>
>
>
> --
> Mike Gerdts
> http://mgerdts.blogspot.com/
> _______________________________________________
> opensolaris-discuss mailing list
> [email protected]



-- 
Mike Gerdts
http://mgerdts.blogspot.com/
_______________________________________________
opensolaris-discuss mailing list
[email protected]
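The `secure_filename` lines in the quoted debug output are sshd's StrictModes check: the key file and every directory from it up to the user's home must be owned by root or by that user and must not be group- or world-writable, and the walk stops at the home directory (hence "terminating check at '/home/rsyncbackup'"). The script below is an added example, not code from the thread or from OpenSSH; it re-implements that walk so the check can be run by hand against a path, and it takes a pluggable stat function so it can also be run against a constructed model of the layout described in the thread. All paths, uids and modes in the model are constructed.

```python
#!/usr/bin/env python3
"""Emulate sshd's StrictModes walk over an authorized_keys path.

Logic mirrors OpenSSH's secure_filename(): reject if the file or any
directory between it and the home directory is owned by someone other
than root (uid 0) or the user, or has group/world write bits set.
Checking stops once the home directory has been examined.
"""
import os
from typing import Callable, Dict, List, Tuple

# A stat function maps a path to (owner uid, st_mode); raises on failure.
StatFn = Callable[[str], Tuple[int, int]]


def os_stat(path: str) -> Tuple[int, int]:
    """Real filesystem lookup."""
    st = os.stat(path)
    return st.st_uid, st.st_mode


def check_secure_path(keyfile: str, homedir: str, uid: int,
                      stat_fn: StatFn = os_stat) -> List[str]:
    """Return the problems sshd would log; an empty list means it would accept the file."""
    problems: List[str] = []
    home = os.path.normpath(homedir)

    def examine(path: str, kind: str) -> None:
        try:
            owner, mode = stat_fn(path)
        except (OSError, KeyError) as exc:
            problems.append(f"cannot stat {kind} {path}: {exc}")
            return
        if owner not in (0, uid):
            problems.append(f"{kind} {path} owned by uid {owner}, expected 0 or {uid}")
        if mode & 0o022:
            problems.append(f"{kind} {path} is group/world writable (mode {mode & 0o777:04o})")

    cur = os.path.normpath(keyfile)
    examine(cur, "file")
    # Walk upward one component at a time, as sshd does with dirname().
    while True:
        cur = os.path.dirname(cur)
        examine(cur, "directory")
        if cur == home or cur == "/":
            break
    return problems


def model_stat(fs: Dict[str, Tuple[int, int]]) -> StatFn:
    """Build a stat function over a constructed {path: (uid, mode)} model."""
    return lambda path: fs[path]


# Constructed model of the layout from the thread: rsyncbackup is a second
# uid 0 user, so every entry is owned by uid 0.
THREAD_LAYOUT: Dict[str, Tuple[int, int]] = {
    "/": (0, 0o755),
    "/home": (0, 0o755),
    "/home/rsyncbackup": (0, 0o700),
    "/home/rsyncbackup/.ssh": (0, 0o700),
    "/home/rsyncbackup/.ssh/authorized_keys": (0, 0o600),
}


def check_thread_layout(fs: Dict[str, Tuple[int, int]] = THREAD_LAYOUT) -> List[str]:
    """Run the check against the model with the thread's home dir and uid."""
    return check_secure_path("/home/rsyncbackup/.ssh/authorized_keys",
                             "/home/rsyncbackup", 0, model_stat(fs))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: secure_path.py /home/user/.ssh/authorized_keys /home/user
        import pwd
        user_uid = pwd.getpwnam(os.path.basename(sys.argv[2])).pw_uid
        found = check_secure_path(sys.argv[1], sys.argv[2], user_uid)
    else:
        found = check_thread_layout()
    print("\n".join(found) if found else "ok: sshd would accept this file")
```

Because the walk stops at the home directory, a permissive `/home` or `/` is not what makes sshd reject the key; the model run above passes with the modes from the thread, and a group-writable `/home/rsyncbackup` or `.ssh` is what would produce "bad ownership or modes" in the log.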