chrooted sftp on centos 6.4 and public key auth
Hi everybody, I've been banging my head against the wall over the past 24 hours trying to get public key authentication to work on my chrooted sftp server. I'm using this nice feature which comes with openssh 5.3 (default in centos 6.4) and everything works fine, I can successfully log into the chrooted dir but for some reason public key auth doesn't work. Here's the output from the ssh client and server (user name is rh6-02, this sftp repo will be used as a log aggregator and every machine will have its own account to upload its log files, hence the username which might look a bit confusing at first)
[root@rh6-02 .ssh]# sftp -vvvvvvvvvv -o "IdentityFile=/root/.ssh/id_rsa" rh6-02@rh6-02
Connecting to rh6-02...
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to rh6-02 [192.168.3.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 514/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'rh6-02' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 527/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x7fdc440ba5f0)
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1477
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Couldn't read packet: Connection reset by peer

(password authentication has been disabled but it works)

Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: fd 5 is not O_NONBLOCK
Oct 8 17:36:55 rh6-02 sshd[6639]: debug1: Forked child 6704.
Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: send_rexec_state: entering fd = 8 config len 767
Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: ssh_msg_send: type 0
Oct 8 17:36:55 rh6-02 sshd[6639]: debug3: send_rexec_state: done
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: oom_adjust_restore
Oct 8 17:36:55 rh6-02 sshd[6704]: Set /proc/self/oom_score_adj to 0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: inetd sockets after dupping: 3, 3
Oct 8 17:36:55 rh6-02 sshd[6704]: Connection from 192.168.3.2 port 60890
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: match: OpenSSH_5.3 pat OpenSSH*
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: Enabling compatibility mode for protocol 2.0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: fd 3 setting O_NONBLOCK
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: Network child is on pid 6705
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: preauth child monitor started
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: privsep user:group 74:74
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: permanently_set_uid: 74/74
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEXINIT sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 784 bytes for a total of 805
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEXINIT received
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: first_kex_follows 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: reserved 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit:
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: first_kex_follows 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_parse_kexinit: reserved 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: mac_setup: found hmac-md5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: kex: client->server aes128-ctr hmac-md5 none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 78
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 78
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: mac_setup: found hmac-md5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: kex: server->client aes128-ctr hmac-md5 none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 78
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 78
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 79
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 1
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 0 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_choose_dh: remaining 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 152 bytes for a total of 957
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: dh_gen_key: priv key bits set: 129/256
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: bits set: 527/1024
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: bits set: 514/1024
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_sign entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 5
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 6
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_sign
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_sign: signature 0x7f964c0e2270(271)
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 6
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: kex_derive_keys
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: set_newkeys: mode 1
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_NEWKEYS sent
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: expecting SSH2_MSG_NEWKEYS
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 720 bytes for a total of 1677
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: set_newkeys: mode 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: SSH2_MSG_NEWKEYS received
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: KEX done
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 5 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 48 bytes for a total of 1725
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: userauth-request for user rh6-02 service ssh-connection method none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: attempt 0 failures 0
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_getpwnamallow entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 7
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 8
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 7
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_pwnamallow
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: Trying to reverse map address 192.168.3.2.
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: parse_server_config: config reprocess config len 767
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: checking match for 'Group caachosts' user rh6-02 host rh6-02 addr 192.168.3.2
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: user rh6-02 matched group list caachosts at line 141
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: match found
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:142 setting ChrootDirectory /ac-log-parser/incoming/%u
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:143 setting ForceCommand internal-sftp
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:144 setting PasswordAuthentication no
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:145 setting RSAAuthentication yes
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:146 setting PubkeyAuthentication yes
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 8
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: input_userauth_request: setting up authctxt for rh6-02
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_start_pam entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 50
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_inform_authserv entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 3
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_inform_authrole entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 4
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: input_userauth_request: try method none
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 48 bytes for a total of 1773
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 7 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: userauth-request for user rh6-02 service ssh-connection method publickey
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 50
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: attempt 1 failures 0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: initializing for "rh6-02"
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: input_userauth_request: try method publickey
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: test whether pkalg/pkblob are acceptable
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_allowed entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 21
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 22
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: setting PAM_RHOST to "rh6-02"
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: setting PAM_TTY to "ssh"
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 50 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 3
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_authserv: service=ssh-connection, style=
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 3 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 4
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_authrole: role=
Oct 8 17:36:55 rh6-02 sshd[6704]: debug2: monitor_read: 4 used once, disabling now
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 21
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_keyallowed entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_keyallowed: key_from_blob: 0x7f964c0f64a0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: temporarily_use_uid: 502/503 (e=0/0)
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: trying public key file /incoming/.ssh/authorized_keys
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: restore_uid: 0/0
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: temporarily_use_uid: 502/503 (e=0/0)
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: trying public key file /incoming/.ssh/authorized_keys
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: restore_uid: 0/0
Oct 8 17:36:55 rh6-02 sshd[6704]: Failed publickey for rh6-02 from 192.168.3.2 port 60890 ssh2
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_answer_keyallowed: key 0x7f964c0f64a0 is not allowed
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 22
Oct 8 17:36:55 rh6-02 sshd[6705]: debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: Wrote 48 bytes for a total of 1821
Oct 8 17:36:55 rh6-02 sshd[6705]: Connection closed by 192.168.3.2
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: do_cleanup
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: PAM: sshpam_thread_cleanup entering
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_send entering: type 80
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive_expect entering: type 81
Oct 8 17:36:55 rh6-02 sshd[6705]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: monitor_read: checking request 80
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_send entering: type 81
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: mm_request_receive entering
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: do_cleanup
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: PAM: cleanup
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: PAM: sshpam_thread_cleanup entering

this is my sshd_config:

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG3

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server

Match Group caachosts
    ChrootDirectory /ac-log-parser/incoming/%u
    ForceCommand internal-sftp
    PasswordAuthentication no
    RSAAuthentication yes
    PubkeyAuthentication yes

and this is the jail, file permissions seem to be ok, checked one million times already

[root@rh6-02 /]# ls -lartR /ac-log-parser/incoming/
/ac-log-parser/incoming/:
total 12
drwxr-xr-x 3 root root 4096 Oct 7 17:17 ..
drwxr-xr-x 3 root root 4096 Oct 8 16:30 rh6-02
drwxr-xr-x 3 root root 4096 Oct 8 17:41 .

/ac-log-parser/incoming/rh6-02:
total 12
drwx------ 3 rh6-02 rh6-02 4096 Oct 8 15:34 incoming
drwxr-xr-x 3 root root 4096 Oct 8 16:30 .
drwxr-xr-x 3 root root 4096 Oct 8 17:41 ..

/ac-log-parser/incoming/rh6-02/incoming:
total 12
drwx------ 3 rh6-02 rh6-02 4096 Oct 8 15:34 .
drwxr-xr-x 3 root root 4096 Oct 8 16:30 ..
drwx------ 2 rh6-02 rh6-02 4096 Oct 8 17:08 .ssh

/ac-log-parser/incoming/rh6-02/incoming/.ssh:
total 12
drwx------ 3 rh6-02 rh6-02 4096 Oct 8 15:34 ..
-rw------- 1 rh6-02 rh6-02 393 Oct 8 16:35 authorized_keys
drwx------ 2 rh6-02 rh6-02 4096 Oct 8 17:08 .

Of course, home dir for the rh6-02 user is /incoming. Anybody got an idea of what's going on here? And yes, the private key and the authorized_keys file work when used to log on to a non-chrooted account... Thanks everybody for your help.
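
Added example, not part of the original post and not OpenSSH code: sshd performs the authorized_keys lookup before it applies ChrootDirectory, so the path in "trying public key file" is resolved on the real filesystem from the account's passwd home directory. The sketch below parses log lines copied from the post and compares that path with the in-jail location shown in the ls listing; the function names are hypothetical.

```python
import posixpath
import re

# Lines copied from the sshd DEBUG3 output in the post above.
SSHD_LOG = """\
Oct 8 17:36:55 rh6-02 sshd[6705]: debug1: userauth-request for user rh6-02 service ssh-connection method publickey
Oct 8 17:36:55 rh6-02 sshd[6704]: debug3: reprocess config:142 setting ChrootDirectory /ac-log-parser/incoming/%u
Oct 8 17:36:55 rh6-02 sshd[6704]: debug1: trying public key file /incoming/.ssh/authorized_keys
Oct 8 17:36:55 rh6-02 sshd[6704]: Failed publickey for rh6-02 from 192.168.3.2 port 60890 ssh2
"""
PASSWD_HOME = "/incoming"                      # home dir stated in the post
AUTHORIZED_KEYS_FILE = ".ssh/authorized_keys"  # from the posted sshd_config


def expand_tokens(template, user, home):
    """Expand the %u, %h and %% tokens that sshd_config allows in path options."""
    table = {"%u": user, "%h": home, "%%": "%"}
    return re.sub(r"%[uh%]", lambda m: table[m.group(0)], template)


def authorized_keys_path(option, user, home):
    """Path sshd opens before chroot: a relative value is joined to the home dir."""
    path = expand_tokens(option, user, home)
    if not path.startswith("/"):
        path = posixpath.join(home, path)
    return posixpath.normpath(path)


def analyse(log, home, option):
    """Compare where sshd looked for keys with the same path placed under the jail."""
    user = re.search(r"userauth-request for user (\S+)", log).group(1)
    chroot = re.search(r"setting ChrootDirectory (\S+)", log).group(1)
    tried = sorted(set(re.findall(r"trying public key file (\S+)", log)))
    expected = authorized_keys_path(option, user, home)
    jail_root = expand_tokens(chroot, user, home)
    # Real-filesystem location of a key file that was created relative to the jail root.
    inside_jail = posixpath.normpath(jail_root + "/" + expected)
    return {
        "user": user,
        "jail_root": jail_root,
        "tried": tried,
        "expected_pre_chroot": expected,
        "inside_jail": inside_jail,
        "failed": bool(re.search(r"Failed publickey for " + re.escape(user), log)),
        "looked_outside_jail": all(not p.startswith(jail_root + "/") for p in tried),
    }


if __name__ == "__main__":
    report = analyse(SSHD_LOG, PASSWD_HOME, AUTHORIZED_KEYS_FILE)
    for key, value in report.items():
        print(f"{key:20} {value}")
    if report["failed"] and report["looked_outside_jail"]:
        print("sshd read the key file outside the jail; compare 'tried' with 'inside_jail'")
```

The `inside_jail` value matches the directory shown in the ls listing, while `tried` is the path sshd actually opened.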