From: Per Hedeland
Date: Sat, 14 Sep 2019 16:51:33 +0200
Subject: Re: OT: My ssh authorized_keys doesn't work with nfs/nis
To: MJ
Cc: Aryeh Friedman, FreeBSD Mailing List

On 2019-09-14 15:26, MJ wrote:
> Well it's great to see that extra debugging information totally missed it.

The bad permissions was a security problem on the server - it
*shouldn't* be reported to a client, even when it is run with -vvv. It
is possible though a bit tricky to run the *server* with debugging,
that may have revealed the problem.

Hm, actually I tried the scenario *without* any debugging now, and in
the server's /var/log/auth.log I found:

Sep 14 16:41:58 pluto sshd[7708]: Authentication refused: bad ownership or modes for directory /home/per

FreeBSD 12.0-RELEASE, OpenSSH_7.8p1 (in base). And I got the exact same
result with a server running 10.3-RELEASE, OpenSSH_7.2p2.

--Per

> :-P
>
>
> On 14/09/2019 11:24 pm, Aryeh Friedman wrote:
>> Problem solved it turned out to be really simple the home dir was 777 when
>> the widest ssh wants it is 755 (all the permissions I was looking at before
>> were the .ssh dir not the home dir)
>>
>> On Sat, Sep 14, 2019 at 9:22 AM MJ wrote:
>>
>>>
>>> On 14/09/2019 5:39 pm, Aryeh Friedman wrote:
>>>> My ~/.ssh/authorized_keys file works fine on a machine that is not in my
>>>> NIS domain but when I copy my id_rsa.pub (which is what I did to create the
>>>> non-NIS authorized_keys) to my NIS account and give it the same permissions
>>>> as the working machine it insists on asking for a password.
>>>>
>>>> ssh faraway (non-NIS machine)
>>>> does not ask for a password
>>>> but
>>>> ssh nearby (NIS machine) does
>>>>
>>>> Both have identical authorized keys and both (and their parent dirs) are
>>>> set to 644. Both machines are FreeBSD 11 and the machine doing the ssh
>>>> call is FreeBSD 12
>>>>
>>> Well in desperation I guess you could:
>>>
>>> Nuke the dud server's authorized_keys
>>> Use "ssh-copy-id -i /your/path/to/key aryeh@nearby" to copy your pub key
>>> to the dud server.
>>> Test with "ssh -i /your/path/to/key -vv aryeh@nearby"
>>>
>>> Cheers
>>> Mark.
>>>
>>
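
The condition behind the auth.log line in this thread, as an added example (not code from the thread or from OpenSSH): a Python check modeled on sshd's StrictModes rule that the authorized_keys file and every directory from it up to the home directory must be owned by the user or root and must not be group- or world-writable. The function names and the temporary directory tree are constructed for illustration.

```python
import os
import stat
import tempfile

def strictmodes_problems(key_file, home, uid):
    """Walk from key_file up to home; flag anything not owned by uid or
    root, or writable by group/other (the conditions StrictModes rejects)."""
    problems = []
    path, home, kind = os.path.realpath(key_file), os.path.realpath(home), "file"
    while True:
        st = os.stat(path)
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if st.st_uid not in (0, uid) or writable:
            problems.append("bad ownership or modes for %s %s (mode %03o, uid %d)"
                            % (kind, path, stat.S_IMODE(st.st_mode), st.st_uid))
        parent = os.path.dirname(path)
        if path == home or parent == path:  # stop at home (or at / if home is not an ancestor)
            return problems
        path, kind = parent, "directory"

def demo():
    """Constructed sample: a throwaway 'home' set to 777 as in the thread,
    then tightened to 755. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as f:
            f.write("# constructed placeholder, not a real key\n")
        os.chmod(keys, 0o600)
        os.chmod(ssh_dir, 0o700)
        os.chmod(home, 0o777)   # the misconfiguration reported in the thread
        before = strictmodes_problems(keys, home, os.getuid())
        os.chmod(home, 0o755)   # the widest mode the thread says ssh accepts
        after = strictmodes_problems(keys, home, os.getuid())
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("home 777:", before)
    print("home 755:", after)
```

Run on the server side against a real account, `strictmodes_problems` takes the path to the user's authorized_keys, the home directory and the account's numeric uid; the client's `-vvv` output will not show any of this.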