Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
So, I'm setting up a server that connects to several ftp sites to put files. We need multiple users in order that the files aren't able to be read by the user that uses 1 (client requirement). So I have user prod and test. Both are set up the same way. I am actually testing with the same private/public key. test can login, prod can't. prod gets the error that server refused the key. Another user (centos, this is AWS instance) also is able to login with their key just fine (different keypair to these users).
The /var/log/secure shows only
Quote:
error: Received disconnect from 10.0.0.154: 14: No supported authentication methods available [preauth]
, implying that the server can't see the authorized_keys file. I triple checked spelling and had a coworker check (since this is very common error for me).
~/.ssh/authorized_keys is set to 400 on both users
~/.ssh is set to 500 on both users
No users or groups are denied in /etc/ssh/sshd_config to login
Users local account works correctly. You can login to it via sudo su - prod and everything works like it should. The profiles (sudo -Hiu prod env vs. sudo -Hiu test env) are basically identical other than the obvious.
I'm out of ideas of what it could be, and while normally I'd just delete the user and recreate, in this case that's not an option.
Did you check the permissions of ~ (i.e. the user's home directory itself) for both users. How about directories above that?
The "s" in ssh and sftp is "secure" and they will refuse to connect if they deem the connection to be insecure. If other users can access the ssh/sftp user's home directory because of permissions on it or directories above it then it will refuse the connection just as it would if ~.ssh for the user or any of its files didn't have the correct permissions.
For many home directories the directory is "/home/<user>" so you'd have to verify "/", "/home" and "/<user>" are restricting writes by other users. Usually I find / and /home to be okay and setting 750 on /home/<user> is sufficient.
and/or
Security Group as implied by the internal IP of 10.0.0.154
and/or
does prod have a linux passwd set? (su - prod is "iffy" as test, IMO)
No passwords set for any user on machine, since this is AWS, fully key-based logins and passwords are only used for sudo (which neither of these users have access to).
Quote:
Why is ftp hitting /var/log/secure is my Q.
Why are keys involved with file transfer protocol?
It implies sftp but I'm punting here.
Peace.
The users are only used to transfer the files TO the client ftp site, that part is working just fine, but the files are collected on this machine via scp from multiple other machines, and that's what's not working (well, it is for test).
Quote:
Originally Posted by MensaWater
Did you check the permissions of ~ (i.e. the user's home directory itself) for both users. How about directories above that?
Yes, multiple times
Quote:
The "s" in ssh and sftp is "secure" and they will refuse to connect if they deem the connection to be insecure. If other users can access the ssh/sftp user's home directory because of permissions on it or directories above it then it will refuse the connection just as it would if ~.ssh for the user or any of its files didn't have the correct permissions.
For many home directories the directory is "/home/<user>" so you'd have to verify "/", "/home" and "/<user>" are restricting writes by other users. Usually I find / and /home to be okay and setting 750 on /home/<user> is sufficient.
As stated, permissions on ~/.ssh on both is 500, ~/.ssh/authorized_keys is 400.
Last edited by Timothy Miller; 05-03-2017 at 03:44 PM.
You did not post anything about the client but I assume that you are using the same computer/username/private key and trying to login to the server using either prod or test as the remote server name? I also assume that password authentication is disabled?
I also assume that you created you the keys for test first which work and then copied the public key from test to prod on the server which does not work.
If using a linux client you can try adding debug information to see if that adds any additional information.
You did not post anything about the client but I assume that you are using the same computer/username/private key and trying to login to the server using either prod or test as the remote server name? I also assume that password authentication is disabled?
I also assume that you created you the keys for test first which work and then copied the public key from test to prod on the server which does not work.
If using a linux client you can try adding debug information to see if that adds any additional information.
Correct on most counts, the prod & test are just the users on the remote server that I'm trying to connect to, it's the same remote server name for both users (client doesn't want prod data to be handled by test and vice versa, so even though all data is collected on the same server, and ftp'd to the same ftp server, we require 2 users to do it). Also connecting from Windows clients.
Last edited by Timothy Miller; 05-03-2017 at 06:08 PM.
I use 500/400 on all servers, as many DO have realk living users connecting to them to do various things, and this reduces the likelihood of them from doing something stupid.
Last edited by Timothy Miller; 05-04-2017 at 02:31 AM.
As stated, permissions on ~/.ssh on both is 500, ~/.ssh/authorized_keys is 400.
Yes you said that before, but what are the permissions on the user's home and the directories above it? Just saying you checked them and then saying again what the permissions were on the .ssh subdirectory and its file makes me suspect you didn't understand what I was saying about the other directories.
normally I'd just delete the user and recreate, in this case that's not an option.
Why not? The delete user command for your system should have the option to preserve the home directory (But, just to be super-careful, I'd tar it first too and put it in a safe place) and then you can immediately recreate the same user.
Yes you said that before, but what are the permissions on the user's home and the directories above it? Just saying you checked them and then saying again what the permissions were on the .ssh subdirectory and its file makes me suspect you didn't understand what I was saying about the other directories.
Oh, the home directories are 750
Quote:
Originally Posted by Laserbeak
Looks like you've fully examined the server. I'd look at the client... do they have the keys set up properly? Are they using the right ssh command?
keys are set up properly, to test I'm using the test user keypair for both and doing it from my actual workstation.
Quote:
Originally Posted by Laserbeak
Why not? The delete user command for your system should have the option to preserve the home directory (But, just to be super-careful, I'd tar it first too and put it in a safe place) and then you can immediately recreate the same user.
The directory isn't the important part (I've deleted it multiple times hoping maybe it was just a permissions/spelling issue), these users also are system accounts that software is running as. Actually, they're just system accounts that because this client wanted to do things differently than everyone else were then required to be able to have ssh (scp) working...
Last edited by Timothy Miller; 05-04-2017 at 08:10 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.