From: Aryeh Friedman
Date: Sat, 14 Sep 2019 08:40:59 -0400
Subject: Re: OT: My ssh authorized_keys doesn't work with nfs/nis
To: Polytropon
Cc: FreeBSD Mailing List

On Sat, Sep 14, 2019 at 8:36 AM Polytropon wrote:

> On Sat, 14 Sep 2019 07:36:26 -0400, Aryeh Friedman wrote:
> > On Sat, Sep 14, 2019 at 7:21 AM Polytropon wrote:
> >
> > > On Sat, 14 Sep 2019 07:09:17 -0400, Aryeh Friedman wrote:
> > > > I am using the default out of the box /etc/sshd_config for 11 and 12 that
> > > > has only two uncommented out configs:
> > > >
> > > > AuthorizedKeysFile .ssh/authorized_keys
> > > > Subsystem sftp /usr/libexec/sftp-server
> > > >
> > > > So unless I am reading the first one completely wrong then it uses
> > > > ~user/.ssh/authorized_keys which is what the ls above is of.
> > >
> > > From "man 5 sshd_config":
> > >
> > >   AuthorizedKeysFile
> > >       Specifies the file that contains the public keys that can be used
> > >       for user authentication.  AuthorizedKeysFile may contain tokens
> > >       of the form %T which are substituted during connection setup.
> > >       The following tokens are defined: %% is replaced by a literal
> > >       '%', %h is replaced by the home directory of the user being
> > >       authenticated, and %u is replaced by the username of that user.
> > >       After expansion, AuthorizedKeysFile is taken to be an absolute
> > >       path or one relative to the user's home directory.  The default
> > >       is ``.ssh/authorized_keys''.
> > >
> > > Maybe you can try to use "%h/.ssh/authorized_keys" or, if it applies,
> > > "/usr/home/%u/.ssh/authorized_keys" to check if this is a path problem?
> > >
> >
> > Neither idea works and I don't think we are using the same version of sshd
> > (yours must be from ports or something mine is from base)... [...]
>
> It is. :-)
>
> > [...] because the
> > same section of the man page reads nothing like what you posted:
> >
> >   AuthorizedKeysFile
> >       Specifies the file that contains the public keys used for user
> >       authentication.  The format is described in the AUTHORIZED_KEYS
> >       FILE FORMAT section of sshd(8).  Arguments to AuthorizedKeysFile
> >       accept the tokens described in the TOKENS section.  After
> >       expansion, AuthorizedKeysFile is taken to be an absolute path or
> >       one relative to the user's home directory.  Multiple files may be
> >       listed, separated by whitespace.  Alternately this option may be
> >       set to none to skip checking for user keys in files.  The default
> >       is ".ssh/authorized_keys .ssh/authorized_keys2".
>
> I assume the documentation source listed there will tell you
> roughly the same. Maybe the keys path wasn't constructed as
> required?
>

Unless the default config file shipped with FreeBSD is fundamentally broken
(which it is not because it *DOES* work on a host that has no NFS/NIS....
[the original post showed the results of it on two different machines with
the only difference being that "nearby" uses nfs/nis to mount home dirs and
manage login ids and "faraway" does not... both are using default configs
that were installed by bsdinstall at the time of system install and untouched
by me ever since]).... so I am willing to categorically rule out path issues
because same files in the same location on two different machines behave
differently with the same config.

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
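
The token expansion and path resolution described in the two sshd_config(5) excerpts quoted above, as an added example that is not part of the original message and is not OpenSSH code. It handles only the %%, %h and %u tokens quoted in the thread; the function names and the sample account (user "aryeh", home /usr/home/aryeh) are constructed for illustration.

```python
import posixpath


def expand_tokens(pattern, user, home):
    """Expand %%, %h and %u in one AuthorizedKeysFile entry.

    Only the tokens named in the quoted man page text are supported;
    this sketch rejects any other %-sequence.
    """
    table = {"%": "%", "h": home, "u": user}
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 == len(pattern) or pattern[i + 1] not in table:
            raise ValueError("unsupported token in %r" % pattern)
        out.append(table[pattern[i + 1]])
        i += 2
    return "".join(out)


def resolve_authorized_keys(value, user, home):
    """Return the absolute key-file paths a directive value names for one user."""
    entries = value.split()            # multiple files are whitespace-separated
    if entries == ["none"]:            # "none" skips key files altogether
        return []
    paths = []
    for entry in entries:
        path = expand_tokens(entry, user, home)
        if not posixpath.isabs(path):  # relative means relative to the home dir
            path = posixpath.join(home, path)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    user, home = "aryeh", "/usr/home/aryeh"
    for value in (".ssh/authorized_keys",
                  "%h/.ssh/authorized_keys",
                  "/usr/home/%u/.ssh/authorized_keys",
                  ".ssh/authorized_keys .ssh/authorized_keys2",
                  "none"):
        print("%-45s -> %s" % (value, resolve_authorized_keys(value, user, home)))
```

For an account whose home directory is /usr/home/<user>, the default value and both alternatives suggested in the thread resolve to the same file.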