Date: Sat, 14 Sep 2019 14:36:35 +0200
From: Polytropon
To: Aryeh Friedman
Cc: FreeBSD Mailing List
Subject: Re: OT: My ssh authorized_keys doesn't work with nfs/nis
Message-Id: <20190914143635.95f83f06.freebsd@edvax.de>

On Sat, 14 Sep 2019 07:36:26 -0400, Aryeh Friedman wrote:
> On Sat, Sep 14, 2019 at 7:21 AM Polytropon wrote:
>
> > On Sat, 14 Sep 2019 07:09:17 -0400, Aryeh Friedman wrote:
> > > I am using the default out of the box /etc/sshd_config for 11 and 12 that
> > > has only two uncommented out configs:
> > >
> > > AuthorizedKeysFile .ssh/authorized_keys
> > > Subsystem sftp /usr/libexec/sftp-server
> > >
> > > So unless I am reading the first one completely wrong then it uses
> > > ~user/.ssh/authorized_keys which is what the ls above is of.
> >
> > From "man 5 sshd_config":
> >
> >      AuthorizedKeysFile
> >              Specifies the file that contains the public keys that can be
> >              used for user authentication.  AuthorizedKeysFile may contain
> >              tokens of the form %T which are substituted during connection
> >              setup.  The following tokens are defined: %% is replaced by a
> >              literal '%', %h is replaced by the home directory of the user
> >              being authenticated, and %u is replaced by the username of
> >              that user.  After expansion, AuthorizedKeysFile is taken to be
> >              an absolute path or one relative to the user's home directory.
> >              The default is ``.ssh/authorized_keys''.
> >
> > Maybe you can try to use "%h/.ssh/authorized_keys" or, if it applies,
> > "/usr/home/%u/.ssh/authorized_keys" to check if this is a path problem?
> >
>
> Neither idea works and I don't think we are using the same version of sshd
> (yours must be from ports or something mine is from base)... [...]

It is. :-)

> [...] because the
> same section of the man page reads nothing like what you posted:
>
>      AuthorizedKeysFile
>              Specifies the file that contains the public keys used for user
>              authentication.  The format is described in the AUTHORIZED_KEYS
>              FILE FORMAT section of sshd(8).  Arguments to AuthorizedKeysFile
>              accept the tokens described in the TOKENS section.  After
>              expansion, AuthorizedKeysFile is taken to be an absolute path or
>              one relative to the user's home directory.  Multiple files may be
>              listed, separated by whitespace.  Alternately this option may be
>              set to none to skip checking for user keys in files.  The default
>              is ".ssh/authorized_keys .ssh/authorized_keys2".

I assume the documentation source listed there will tell you
roughly the same. Maybe the keys path wasn't constructed as
required?

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...