LinuxQuestions.org - Linux - Security
chrooted sftp on centos 6.4 and public key auth (https://www.linuxquestions.org/questions/linux-security-4/chrooted-sftp-on-centos-6-4-and-public-key-auth-4175480031/)

garba 10-08-2013 10:46 AM

chrooted sftp on centos 6.4 and public key auth
 
Hi everybody, I've been banging my head against the wall over the past 24 hours trying to get public key authentication to work on my chrooted sftp server. I'm using this nice feature which comes with openssh 5.3 (default in centos 6.4) and everything works fine, I can successfully log into the chrooted dir but for some reason public key auth doesn't work. Here's the output from the ssh client and server (user name is rh6-02, this sftp repo will be used as a log aggregator and every machine will have its own account to upload its log files, hence the username which might look a bit confusing at first):

[root@rh6-02 .ssh]# sftp -vvvvvvvvvv -o "IdentityFile=/root/.ssh/id_rsa" rh6-02@rh6-02
Connecting to rh6-02...
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to rh6-02 [192.168.3.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 514/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'rh6-02' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 527/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x7fdc440ba5f0)
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1477
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Couldn't read packet: Connection reset by peer

(password authentication has been disabled but it works)

Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: fd 5 is not O_NONBLOCK
Oct 8 17:36:55 rh6-02 sshd[6639]: debug1: Forked child 6704.
Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: send_rexec_state: entering fd = 8 config len 767
Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: ssh_msg_send: type 0
Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: send_rexec_state: done
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: oom_adjust_restore
Oct 8 17:36:55 rh6-02 sshd[6704]: Set /proc/self/oom_score_adj to 0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: inetd sockets after dupping: 3, 3
Oct 8 17:36:55 rh6-02 sshd[6704]: Connection from 192.168.3.2 port 60890
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: match: OpenSSH_5.3 pat OpenSSH*
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: Enabling compatibility mode for protocol 2.0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: fd 3 setting O_NONBLOCK
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: Network child is on pid 6705
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: preauth child monitor started
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: privsep user:group 74:74
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: permanently_set_uid: 74/74
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEXINIT sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 784 bytes for a total of 805
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEXINIT received
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: first_kex_follows 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: reserved 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: first_kex_follows 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: reserved 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: mac_setup: found hmac-md5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: kex: client->server aes128-ctr hmac-md5 none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 78
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 78
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: mac_setup: found hmac-md5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: kex: server->client aes128-ctr hmac-md5 none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 78
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 78
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 1
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 0 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_choose_dh: remaining 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 152 bytes for a total of 957
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: dh_gen_key: priv key bits set: 129/256
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: bits set: 527/1024
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: bits set: 514/1024
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_sign entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 6
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_sign
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_sign: signature 0x7f964c0e2270(271)
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 6
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_derive_keys
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: set_newkeys: mode 1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_NEWKEYS sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: expecting SSH2_MSG_NEWKEYS
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 720 bytes for a total of 1677
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: set_newkeys: mode 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_NEWKEYS received
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: KEX done
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 5 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 48 bytes for a total of 1725
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: userauth-request for user rh6-02 service ssh-connection method none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: attempt 0 failures 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_getpwnamallow entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 7
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 8
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 7
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_pwnamallow
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: Trying to reverse map address 192.168.3.2.
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: parse_server_config: config reprocess config len 767
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: checking match for 'Group caachosts' user rh6-02 host rh6-02 addr 192.168.3.2
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: user rh6-02 matched group list caachosts at line 141
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: match found
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:142 setting ChrootDirectory /ac-log-parser/incoming/%u
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:143 setting ForceCommand internal-sftp
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:144 setting PasswordAuthentication no
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:145 setting RSAAuthentication yes
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:146 setting PubkeyAuthentication yes
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 8
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: input_userauth_request: setting up authctxt for rh6-02
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_start_pam entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 50
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_inform_authserv entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 3
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_inform_authrole entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 4
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: input_userauth_request: try method none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 48 bytes for a total of 1773
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 7 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: userauth-request for user rh6-02 service ssh-connection method publickey
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 50
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: attempt 1 failures 0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: initializing for "rh6-02"
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: input_userauth_request: try method publickey
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: test whether pkalg/pkblob are acceptable
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_allowed entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 21
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 22
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: setting PAM_RHOST to "rh6-02"
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 50 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 3
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_authserv: service=ssh-connection, style=
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 3 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 4
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_authrole: role=
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 4 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 21
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_keyallowed entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_keyallowed: key_from_blob: 0x7f964c0f64a0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: temporarily_use_uid: 502/503 (e=0/0)
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: trying public key file /incoming/.ssh/authorized_keys
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: restore_uid: 0/0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: temporarily_use_uid: 502/503 (e=0/0)
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: trying public key file /incoming/.ssh/authorized_keys
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: restore_uid: 0/0
Oct 8 17:36:55 rh6-02 sshd[6704]: Failed publickey for rh6-02 from 192.168.3.2 port 60890 ssh2
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_keyallowed: key 0x7f964c0f64a0 is not allowed
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 22
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 48 bytes for a total of 1821
Oct 8 17:36:55 rh6-02 sshd[6705]: Connection closed by 192.168.3.2
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: do_cleanup
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: PAM: sshpam_thread_cleanup entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 80
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 81
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 80
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 81
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: do_cleanup
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: cleanup
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: PAM: sshpam_thread_cleanup entering

this is my sshd_config:

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

Match Group caachosts
ChrootDirectory /ac-log-parser/incoming/%u
ForceCommand internal-sftp
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes

and this is the jail; file permissions seem to be OK, checked one million times already:

[root@rh6-02 /]# ls -lartR /ac-log-parser/incoming/
/ac-log-parser/incoming/:
total 12
drwxr-xr-x 3 root root 4096 Oct 7 17:17 ..
drwxr-xr-x 3 root root 4096 Oct 8 16:30 rh6-02
drwxr-xr-x 3 root root 4096 Oct 8 17:41 .

/ac-log-parser/incoming/rh6-02:
total 12
drwx------ 3 rh6-02 rh6-02 4096 Oct 8 15:34 incoming
drwxr-xr-x 3 root root 4096 Oct 8 16:30 .
drwxr-xr-x 3 root root 4096 Oct 8 17:41 ..

/ac-log-parser/incoming/rh6-02/incoming:
total 12
drwx------ 3 rh6-02 rh6-02 4096 Oct 8 15:34 .
drwxr-xr-x 3 root root 4096 Oct 8 16:30 ..
drwx------ 2 rh6-02 rh6-02 4096 Oct 8 17:08 .ssh

/ac-log-parser/incoming/rh6-02/incoming/.ssh:
total 12
drwx------ 3 rh6-02 rh6-02 4096 Oct 8 15:34 ..
-rw------- 1 rh6-02 rh6-02 393 Oct 8 16:35 authorized_keys
drwx------ 2 rh6-02 rh6-02 4096 Oct 8 17:08 .

Of course, the home dir for the rh6-02 user is /incoming. Anybody got an idea of what's going on here? And yes, the private key and the authorized_keys file work when used to log on to a non-chrooted account... Thanks everybody for your help.

Habitual 10-08-2013 12:52 PM

https://www.linuxquestions.org/quest...gs-4175464257/

