From: tech-lists
To: freebsd-questions@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: Re: trying to get sftp-only logins to work with a public keys
Date: Thu, 24 May 2018 12:47:09 +0100

On 24/05/2018 12:09, tech-lists wrote:
> Hello list,
>
> I'm trying to get (chrooted) sftp login working with public keys. I made
> an sftp-only user which works fine, and is chrooted. I created a .ssh
> directory with 770 perms (root:user) and put their public key in there
> with 600 perms (user:user); however, when trying pubkey auth it always
> falls back to keyboard-interactive (which will succeed when the password
> is applied). I don't know why in key exchange it says it sent a packet
> then didn't. Can anyone help please?
>
> Context is recent freebsd-11-stable, both client and server.
>
> I have this in /etc/ssh/sshd_config:
>
> Subsystem sftp internal-sftp
>
> Match User testsftp
>     ChrootDirectory /usr/home/testsftp
>     PubkeyAuthentication yes
>     X11Forwarding no
>     AllowTcpForwarding no
>     AuthorizedKeysFile /usr/home/testsftp/.ssh/authorized_keys
>     ForceCommand internal-sftp

Solved this by setting perms on the .ssh dir to be root:user 750 (and not
760 or 770). Didn't see this documented anywhere, so posting in the hope
this helps others.

--
J.
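The behaviour described in this thread is sshd's StrictModes check (on by default, see sshd_config(5)): before reading authorized_keys, sshd requires the user's home directory, ~/.ssh and the key file itself to be owned by root or the user and to be neither group- nor world-writable, otherwise it logs "Authentication refused: bad ownership or modes for directory ..." and pubkey auth silently falls through to the next method. A group-writable 770 or 760 on .ssh trips it; root:user 750 does not. ChrootDirectory applies a stricter rule to the chroot root: every path component must be a root-owned directory that is not group- or world-writable. The script below is an added example, not from the poster or the FreeBSD project: it reproduces both checks in POSIX sh using ls -ldn (so it runs unchanged on FreeBSD and Linux) and rebuilds the poster's two layouts in a scratch directory as constructed sample data. The function names and the scratch paths are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the ownership and
# permission checks sshd makes under StrictModes and for ChrootDirectory,
# so a refused key can be diagnosed without reading sshd's debug log.
# Paths are assumed to contain no whitespace (ls output is field-split).

# perm_info PATH -> prints "MODESTRING UID", e.g. "drwxrwx--- 1001".
# ls -ldn is POSIX, so no BSD/GNU stat(1) format differences.
perm_info() {
    set -- $(ls -ldn "$1") || return 1
    printf '%s %s\n' "$1" "$3"
}

# strict_path_ok PATH UID
# Returns 0 if PATH is owned by root or UID and is neither group- nor
# world-writable; this is the test sshd applies to the home directory,
# ~/.ssh and authorized_keys when StrictModes is yes (the default).
strict_path_ok() {
    path=$1; want_uid=$2
    info=$(perm_info "$path") || { echo "BAD missing: $path"; return 1; }
    mode=${info%% *}; uid=${info##* }
    [ "$uid" = 0 ] || [ "$uid" = "$want_uid" ] || { echo "BAD owner uid=$uid: $path"; return 1; }
    case $mode in
        ?????w*) echo "BAD group-writable $mode: $path"; return 1 ;;   # 6th char = group w
    esac
    case $mode in
        ????????w*) echo "BAD world-writable $mode: $path"; return 1 ;;  # 9th char = other w
    esac
    echo "ok $mode uid=$uid: $path"
}

# authorized_keys_chain_ok HOME UID
# The three paths sshd inspects before it will trust the key file. Any
# failure here makes pubkey auth fall back to the next method, which is
# exactly the symptom in the thread.
authorized_keys_chain_ok() {
    home=$1; want=$2; ok=0
    for kp in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        strict_path_ok "$kp" "$want" || ok=1
    done
    return $ok
}

# chroot_path_ok PATH
# ChrootDirectory requires every component from / down to be a root-owned
# directory that is not group- or world-writable; otherwise sshd aborts the
# session with "bad ownership or modes for chroot directory component".
chroot_path_ok() {
    p=$1; ok=0
    while :; do
        strict_path_ok "$p" 0 || ok=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $ok
}

# Constructed demo: the poster's failing layout (.ssh at 770) and the fix
# (.ssh at 750), built under a scratch directory as an unprivileged user,
# so every path is owned by $(id -u) and only the mode bits differ.
demo() {
    me=$(id -u); d=$(mktemp -d)
    mkdir -p "$d/testsftp/.ssh"
    chmod 755 "$d/testsftp"; chmod 770 "$d/testsftp/.ssh"
    : > "$d/testsftp/.ssh/authorized_keys"
    chmod 600 "$d/testsftp/.ssh/authorized_keys"
    echo "== .ssh at 770 (as originally posted) =="
    authorized_keys_chain_ok "$d/testsftp" "$me" && echo pass || echo "FAIL: sshd would refuse the key"
    chmod 750 "$d/testsftp/.ssh"
    echo "== .ssh at 750 (the fix) =="
    authorized_keys_chain_ok "$d/testsftp" "$me" && echo pass || echo FAIL
    rm -rf "$d"
}

demo
```

To audit a real account, run authorized_keys_chain_ok /usr/home/testsftp "$(id -u testsftp)" as root, and chroot_path_ok /usr/home/testsftp for the ChrootDirectory side; the same condition is also visible with sshd -d, which prints the exact path it objects to.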