From: tech-lists
Subject: trying to get sftp-only logins to work with public keys
Organization: none
To: freebsd-questions@freebsd.org
Cc: freebsd-stable@freebsd.org
Date: Thu, 24 May 2018 12:09:25 +0100

Hello list,

I'm trying to get (chrooted) sftp login working with public keys. I made an sftp-only user which works fine, and is chrooted. I created a .ssh directory with 770 perms (root:user) and put their public key in there with 600 perms (user:user); however, when trying pubkey auth it always falls back to keyboard-interactive (which will succeed when the password is applied). I don't know why in key exchange it says it sent a packet then didn't. Can anyone help please?

Context is recent freebsd-11-stable, both client and server.
I have this in /etc/ssh/sshd_config:

    Subsystem sftp internal-sftp

    Match User testsftp
        ChrootDirectory /usr/home/testsftp
        PubkeyAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no
        AuthorizedKeysFile /usr/home/testsftp/.ssh/authorized_keys
        ForceCommand internal-sftp

Permissions in the test user's .ssh dir are like this:

    drwxrwx---  2 root      testsftp   512B May 24 10:51 .
    drwxr-xr-x  5 root      testsftp   512B May 24 10:35 ..
    -rw-------  1 testsftp  testsftp   105B May 24 11:49 authorized_keys

Here is the -v -v debug output from the ssh client:

    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug2: key: /home/REDACTED/.ssh/id_rsa (0x0)
    debug2: key: /home/REDACTED/.ssh/id_dsa (0x0)
    debug2: key: /home/REDACTED/.ssh/id_ecdsa (0x0)
    debug2: key: /home/REDACTED/.ssh/id_ed25519 (0x802015240)
    debug1: SSH2_MSG_EXT_INFO received
    debug1: Fssh_kex_input_ext_info: server-sig-algs=
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/REDACTED/.ssh/id_rsa
    debug1: Trying private key: /home/REDACTED/.ssh/id_dsa
    debug1: Trying private key: /home/REDACTED/.ssh/id_ecdsa
    debug1: Offering ED25519 public key: /home/REDACTED/.ssh/id_ed25519
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug2: input_userauth_info_req
    debug2: input_userauth_info_req: num_prompts 1
    Password for testsftp@REDACTED:

thanks,
-- 
J.
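The client-side trace above only shows the server declining the offered key ("we did not send a packet, disable method"); the reason is logged on the server side, where sshd's StrictModes check refuses an authorized_keys file if it, or any directory from it up to the user's home, is writable by group or others or not owned by the user or root (logged as "Authentication refused: bad ownership or modes for directory ..." in the auth log). The following script is an added example, not part of the original post or of OpenSSH: it re-implements those ownership and mode rules, plus the sshd_config(5) rule that every component of a ChrootDirectory path must be a root-owned directory not writable by group or others, so a layout can be checked before the key is ever offered. Function names, the demo's temporary tree and the use of the current user in place of testsftp are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the post or OpenSSH): reproduce the path checks
# sshd applies before reading authorized_keys and before entering a
# ChrootDirectory, so a silently ignored key can be explained offline.

# Usage: check_authorized_keys FILE HOME USER
# Rule (sshd StrictModes): FILE and every directory from it up to and
# including HOME must be owned by USER or root and must not be writable
# by group or others. Returns 0 if sshd would accept it, 1 otherwise.
check_authorized_keys() {
    file=$1; home=$2; user=$3
    p=$file
    while :; do
        set -- $(ls -ld "$p")      # field 1 = mode string, field 3 = owner
        mode=$1; owner=$3
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad ownership: $p owned by $owner (want $user or root)"
            return 1
        fi
        case $mode in              # char 6 = group write, char 9 = other write
            ?????w*)    echo "bad modes: $p is group-writable ($mode)"; return 1 ;;
        esac
        case $mode in
            ????????w*) echo "bad modes: $p is world-writable ($mode)"; return 1 ;;
        esac
        [ "$p" = "$home" ] && return 0     # checked up to HOME: accepted
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && return 0   # reached the filesystem root
        p=$parent
    done
}

# Usage: check_chroot_dir DIR
# Rule (sshd_config(5), ChrootDirectory): every component of the path must
# be a root-owned directory that is not writable by group or others.
check_chroot_dir() {
    p=$1
    while :; do
        set -- $(ls -ld "$p")
        mode=$1; owner=$3
        if [ "$owner" != root ]; then
            echo "chroot: $p must be owned by root (is $owner)"; return 1
        fi
        case $mode in
            ?????w*|????????w*) echo "chroot: $p is group/world-writable ($mode)"; return 1 ;;
        esac
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && return 0   # "/" checked: accepted
        p=$parent
    done
}

# Demonstration on a constructed copy of the poster's layout in a temporary
# directory; the current user stands in for testsftp (root also passes).
demo() {
    me=$(id -un)
    top=$(mktemp -d)
    mkdir -p "$top/testsftp/.ssh"
    chmod 755 "$top/testsftp"                     # drwxr-xr-x, as in the post
    chmod 770 "$top/testsftp/.ssh"                # drwxrwx---, as in the post
    : > "$top/testsftp/.ssh/authorized_keys"
    chmod 600 "$top/testsftp/.ssh/authorized_keys"
    echo "with .ssh at 770:"
    if check_authorized_keys "$top/testsftp/.ssh/authorized_keys" "$top/testsftp" "$me"; then
        echo ok
    fi
    chmod 700 "$top/testsftp/.ssh"                # the fix: drop the group write bit
    echo "with .ssh at 700:"
    if check_authorized_keys "$top/testsftp/.ssh/authorized_keys" "$top/testsftp" "$me"; then
        echo ok
    fi
    rm -rf "$top"
}
demo
```

Run against the layout in the post, the first check fails on the .ssh directory (drwxrwx--- is group-writable), which is exactly the case where sshd ignores the key and the client moves on to keyboard-interactive; a chmod 700 (or 750) on .ssh satisfies the rule while keeping root as owner. The chroot check is kept separate because its ownership rule is stricter (root only, all the way to /) and applies to /usr/home/testsftp rather than to the .ssh subtree.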