From owner-freebsd-questions@freebsd.org Sat Sep 14 11:09:30 2019 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8E811F0C14 for ; Sat, 14 Sep 2019 11:09:30 +0000 (UTC) (envelope-from aryeh.friedman@gmail.com) Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46VqXB2qc4z3LL2; Sat, 14 Sep 2019 11:09:30 +0000 (UTC) (envelope-from aryeh.friedman@gmail.com) Received: by mail-io1-xd2e.google.com with SMTP id d17so46415402ios.13; Sat, 14 Sep 2019 04:09:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EE1BYMT834m0enfAXho6Urno88BlqdHXUVQqgjPal3M=; b=MSN16RlpubxVIT4+EupHg560rot+eNid9EoREd+W429YSc01PPjKnswwiVJnhPL0PL dWhMCplJQr/51bHaKh3E7J6j3/hFoKt86rlIa8jnVYENiCuCt1OyUFOZCFGwVsfKaoO7 nVxqPMFzusd47mkX3/YzgsfRrIqEvqZ11inhPMjXb8V9A6jTTC/vE5mAbkoPRB3DseqE pxcOnrGxuqqGSZVnTT0nKogDziuBuAjD0bm4CxK8Vj5rm4w9qyq7YD8bp15AO6m55M8y fs2aYPgPro1GXQMbMrivkMBDb5a5SfJMY7xeve60pHC7s3QoPWtqIklkzWyV1TRWdGMD u5ig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EE1BYMT834m0enfAXho6Urno88BlqdHXUVQqgjPal3M=; b=rD6xeerdb/+kU43OoIRG6B5jvpZ4gKxqwVPA3Adja3GAZtB0jJUQDa1cQZnAYVjWxb TuCVinr7Iez8uidGO7X5c6Opc0CFLQkdYYqZ/GCAvANdXSLPS1CbLFbnVtpRgj8bNvwb eGhza21ZZKLXgOm3tzbjWzR9PDgs/bWhYXhxItHcQjE86acY4WmGVyBSiWWyNHycDGrR uC5edtbJ4JuK0XdbbQ6bAVSjUW6gRSU0J7lEirZs1s3AB7BowPCq5dpWnOnqiCRTuuh4 yTFQcHPQ6J5WkUMOODEXL4h4jsnrTh9ju1VEiyi+XPrC7bBuvxpRzdtvtsFJAs2JNJdj 6OIA== X-Gm-Message-State: APjAAAW67ED4GUptHKXFslkUqNcMKPBvUoe0iUVs/GLeGP7F3nRtsZMa KxtzCS8NhFty9mYYNZOrCd8y1I5iujle2uOylpVArwztN3Q= X-Google-Smtp-Source: APXvYqyz9poahk9RyPOij5q8VzoJRJONBTv9woFYxVaduqBae4E3bY/L8SzkGFwzseES9d+76/4KEnxsqGCpUHsnIEc= X-Received: by 2002:a02:948c:: with SMTP id x12mr54659509jah.96.1568459368992; Sat, 14 Sep 2019 04:09:28 -0700 (PDT) MIME-Version: 1.0 References: <0b5eed49-986a-d40e-7df9-971a47cb500e@FreeBSD.org> In-Reply-To: <0b5eed49-986a-d40e-7df9-971a47cb500e@FreeBSD.org> From: Aryeh Friedman Date: Sat, 14 Sep 2019 07:09:17 -0400 Message-ID: Subject: Re: OT: My ssh authorized_keys doesn't work with nfs/nis To: Matthew Seaman Cc: FreeBSD Mailing List X-Rspamd-Queue-Id: 46VqXB2qc4z3LL2 X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-6.00 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; TAGGED_FROM(0.00)[] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Sep 2019 11:09:30 -0000 On Sat, Sep 14, 2019 at 6:50 AM Matthew Seaman wrote: > On 14/09/2019 08:39, Aryeh Friedman wrote: > > My ~/.ssh/authorized_keys files works fine on a machine that is not in my > > NIS domain but when I copy my id_rsa.pub (which is what I did to create > the > > non-NIS authorized_keys) to my NIS account and give it the same > permissions > > as the working machine it insists on asking for a password. > > > > ssh faraway (non-NIS machine) > > does not ask for a password > > but > > ssh nearby (NIS machine) does > > > > Both have identical authorized keys and both (and their parent dirs) are > > set to 644. Both machines are FreeBSD 11 and the machine doing the ssh > > call is FreeBSD 12 > > > > Check the ownership / permissions on ~/.ssh on the machine where key > based auth is not working -- sshd will refuse to use authorized_keys if > it thinks permissions are too loose. > I don't think you can make them any tighter then this and not get errors: aryeh% id uid=1001(aryeh) gid=1001(aryeh) groups=1001(aryeh),0(wheel),1003(aegis) aryeh% ls -ld .ssh drwx------ 2 aryeh aryeh 512 Sep 14 06:49 .ssh aryeh% ls -l .ssh total 16 -rw------- 1 aryeh aryeh 792 Sep 14 05:02 authorized_keys -rw------- 1 aryeh aryeh 1675 Aug 30 11:09 id_rsa -rw------- 1 aryeh aryeh 396 Aug 30 11:09 id_rsa.pub -rw------- 1 aryeh aryeh 545 Sep 14 03:19 known_hosts > Also check for authorized_keys related settings in /etc/ssh/sshd_config > -- it is not uncommon to require authorized_keys to be installed in some > centralized, root owned directory that individual users don't have write > access to. > I am using the default out of the box /etc/sshd_config for 11 and 12 that has only two uncommented out configs: AuthorizedKeysFile .ssh/authorized_keys Subsystem sftp /usr/libexec/sftp-server So unless I am reading the first one completely wrong then it uses ~user/.ssh/authorized_keys which is what the ls above is of. > Cheers, > > Matthew > > -- Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org