Stuck on SSH public key authentication for www-data (https://www.linuxquestions.org/questions/linux-software-2/stuck-on-ssh-public-key-authentication-for-www-data-4175580513/)

maples 05-23-2016 03:54 PM

Stuck on SSH public key authentication for www-data
 
I have a web server and a desktop. I would like to be able to mount /var/www/html/ from the webserver to a directory on my desktop using sshfs.

I have a user 'anthony' on both the server and the desktop. I can SSH between the desktop and server with public key authentication (password login is disabled).
From there, I can 'su' to www-data (I have set a password for the www-data user).

Code:

anthony@maples-desktop:~$ ssh 192.168.0.100

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon May 23 16:25:50 2016 from 192.168.0.101
anthony@poweredge1950:~$ su www-data
Password:
www-data@poweredge1950:/home/anthony$ cd
www-data@poweredge1950:~$

As you can see, public key authentication is working properly.

I thought that I could just copy my id_rsa.pub from my desktop into /var/www/.ssh/authorized_keys on the server. But it's not working like I thought it would:
Code:

ssh www-data@192.168.0.100
Permission denied (publickey).

Here's the verbose output:
Code:

$ ssh www-data@192.168.0.100 -v
OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1k 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.
debug1: Connection established.
debug1: identity file /home/anthony/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u2
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA <SNIP>
debug1: Host '192.168.0.100' is known and matches the ECDSA host key.
debug1: Found key in /home/anthony/.ssh/known_hosts:9
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/anthony/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/anthony/.ssh/id_dsa
debug1: Trying private key: /home/anthony/.ssh/id_ecdsa
debug1: Trying private key: /home/anthony/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

When that didn't work, I tried copying /home/anthony/.ssh/authorized_keys to /var/www/.ssh/authorized_keys (in case I had somehow incorrectly copied my public key) but that still didn't work.

I've checked, and I'm using the correct home directory for www-data:
Code:

www-data@poweredge1950:/home/anthony$ cd
www-data@poweredge1950:~$ pwd
/var/www
www-data@poweredge1950:~$ echo $HOME
/var/www

I do not have "AllowUsers" set in my /etc/ssh/sshd_config

I didn't know if I needed a keypair for www-data, so I generated that, and that didn't fix it either.

I checked that the permissions for authorized_keys are the same as for the user 'anthony':
Code:

www-data@poweredge1950:~$ cd .ssh/
www-data@poweredge1950:~/.ssh$ pwd
/var/www/.ssh
www-data@poweredge1950:~/.ssh$ ls -la
total 20
drwx------ 2 www-data www-data 4096 May 23 16:35 .
drwxrwxr-x 4 www-data www-data 4096 May 23 16:35 ..
-rw-rw-r-- 1 www-data www-data  404 May 23 16:35 authorized_keys
-rw------- 1 www-data www-data 1675 May 23 16:34 id_rsa
-rw-r--r-- 1 www-data www-data  404 May 23 16:34 id_rsa.pub

So what I'm not understanding is why it's not allowing me to log in? I have my desktop's public key in www-data's authorized_keys on the server. It's not a problem with SSH, I can ssh from anthony@maples-desktop to anthony@poweredge1950 without any problem.

keefaz 05-23-2016 04:02 PM

/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)

maples 05-23-2016 04:07 PM

Quote:

Originally Posted by keefaz (Post 5549831)
/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)

That didn't work either. I changed the permissions, but even after I restarted the SSH server, "ssh www-data@192.168.0.100" still gave me "Permission denied (publickey)."

keefaz 05-23-2016 04:10 PM

authorized_keys file contains anthony@maples-desktop's id_rsa.pub content?

maples 05-23-2016 04:13 PM

Quote:

Originally Posted by keefaz (Post 5549834)
authorized_keys file contains anthony@maples-desktop's id_rsa.pub content?

Yes. Right now, that's all it contains:
Code:

www-data@poweredge1950:~$ md5sum .ssh/authorized_keys
9815696ed24521e7ab23d8ad23f35960  .ssh/authorized_keys


anthony@maples-desktop:~$ md5sum .ssh/id_rsa.pub
9815696ed24521e7ab23d8ad23f35960  .ssh/id_rsa.pub


keefaz 05-23-2016 04:20 PM

Quote:

Originally Posted by maples (Post 5549839)
Yes. Right now, that's all it contains:
Code:

www-data@poweredge1950:~$ md5sum .ssh/authorized_keys
9815696ed24521e7ab23d8ad23f35960  .ssh/authorized_keys


anthony@maples-desktop:~$ md5sum .ssh/id_rsa.pub
9815696ed24521e7ab23d8ad23f35960  .ssh/id_rsa.pub


Same content ;)

At this point, you don't see differences comparing ~/.ssh directories for both the www-data and anthony users? Not using authorized_keys2 in anthony's .ssh, for example?

maples 05-23-2016 04:23 PM

Nope, nothing like that:
Code:

www-data@poweredge1950:~$ ls .ssh/
authorized_keys  id_rsa  id_rsa.pub

Code:

anthony@maples-desktop:~$ ls .ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts  known_hosts.old


keefaz 05-23-2016 04:31 PM

Nothing in logs (as root) tail /var/log/messages
Or grep ssh /var/log/*

keefaz 05-23-2016 04:37 PM

What are the permissions of /var/www ?

maples 05-23-2016 04:45 PM

Code:

www-data@poweredge1950:~$ ls -la /var/www/
total 52
drwxrwxr-x  4 www-data www-data 4096 May 23 16:35 .
drwxr-xr-x 13 root    root    4096 Dec 14 16:36 ..
-rw-rw-r--  1 www-data www-data 5590 May 23 17:07 .bash_history
-rw-rw-r--  1 www-data www-data  46 May 22 23:38 .bashrc
drwxrwxr-x  5 www-data www-data 4096 May 23 16:13 html
-rw-rw-r--  1 www-data www-data  177 Sep 19  2015 index.html
-rw-rw-r--  1 www-data www-data  62 Nov 25 09:09 .lesshst
-rw-rw-r--  1 www-data www-data  48 May 23 15:09 old-index.php
drwx------  2 www-data www-data 4096 May 23 16:35 .ssh
-rw-rw-r--  1 www-data www-data 7957 May 23 16:35 .viminfo
-rw-rw-r--  1 www-data www-data  26 May 22 23:50 .vimrc

Nothing shows up in either of the commands you suggested for the logs:
Code:

root@poweredge1950:~# tail /var/log/messages
May 22 07:20:50 poweredge1950 kernel: [3329018.057841] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 07:25:45 poweredge1950 kernel: [3329313.077694] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)
May 22 07:50:50 poweredge1950 kernel: [3330818.073325] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 08:50:45 poweredge1950 kernel: [3334413.188655] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)
May 22 09:35:50 poweredge1950 kernel: [3337118.226140] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 20:40:38 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 22 20:41:08 2016 [try http://www.rsyslog.com/e/2007 ]
May 23 06:30:54 poweredge1950 rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="688" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
May 23 06:39:01 poweredge1950 rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
May 23 06:39:01 poweredge1950 rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
May 23 15:03:46 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Mon May 23 15:04:16 2016 [try http://www.rsyslog.com/e/2007 ]

The other command only came up with a lot of "Accepted pubkey for anthony from 192.168.0.101...", dpkg logs from when I installed it, and popcon logs.

However, I checked the end of auth.log, which contained something worth mentioning (immediately after I tried SSHing to www-data@192.168.0.100):
Code:

root@poweredge1950:~# tail /var/log/auth.log
May 23 17:38:25 poweredge1950 systemd-logind[598]: New session 3740 of user anthony.
May 23 17:38:30 poweredge1950 su[14666]: Successful su for root by anthony
May 23 17:38:30 poweredge1950 su[14666]: + /dev/pts/2 anthony:root
May 23 17:38:30 poweredge1950 su[14666]: pam_unix(su:session): session opened for user root by anthony(uid=1000)
May 23 17:38:52 poweredge1950 sshd[14671]: Authentication refused: bad ownership or modes for directory /var/www
May 23 17:38:52 poweredge1950 sshd[14671]: Connection closed by 192.168.0.101 [preauth]
May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session opened for user root by (uid=0)
May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session closed for user root
May 23 17:44:16 poweredge1950 sshd[14749]: Authentication refused: bad ownership or modes for directory /var/www
May 23 17:44:16 poweredge1950 sshd[14749]: Connection closed by 192.168.0.101 [preauth]

I'm not sure what this means, though; I don't see anything unusual with the permissions (as listed above).

keefaz 05-23-2016 04:48 PM

Quote:

Originally Posted by maples (Post 5549858)
I'm not sure what this means, though; I don't see anything unusual with the permissions (as listed above).

I think it's the culprit, permissions too permissive :/

Try chmod 755 /var/www
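
The rule behind this fix (and the "bad ownership or modes for directory /var/www" line in auth.log above) can be checked without going through sshd at all. The script below is an added example, not something posted in the thread: it reproduces the ownership and write-bit test sshd applies under StrictModes yes (its default) to the home directory, ~/.ssh and authorized_keys, and assumes Linux with GNU coreutils stat. sshd also walks every parent directory above the home, which is why a root-owned 755 /var passes; the function leaves that part out so it can be run against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the checks sshd performs under
# StrictModes yes (the default) before it will read ~/.ssh/authorized_keys.
# sshd refuses the key file if the home directory, ~/.ssh or authorized_keys
# is owned by anyone other than the user or root, or is writable by group or
# other; the thread's /var/www at 775 trips the group-writable rule.
# Assumptions: Linux with GNU coreutils (stat -c). sshd also checks every
# ancestor directory, which is left out here so the function runs on a temp dir.

# path_ok PATH UID: print a reason and return 1 if PATH fails the rule.
path_ok() {
    p=$1
    uid=$2
    owner=$(stat -c '%u' "$p" 2>/dev/null) || { echo "missing: $p"; return 1; }
    mode=$(stat -c '%a' "$p")
    # stat prints octal without a leading zero; printf %d with a 0 prefix
    # converts it to decimal so the bit tests below work in plain sh.
    perm=$(printf '%d' "0$mode")
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
        echo "bad owner (uid $owner) for $p"
        return 1
    fi
    # 18 is octal 022: the group-write and other-write bits.
    if [ $((perm & 18)) -ne 0 ]; then
        echo "bad modes ($mode) for $p: group or other writable"
        return 1
    fi
    return 0
}

# strictmodes_check USER HOME: check HOME, HOME/.ssh and HOME/.ssh/authorized_keys
# for USER (a login name or a numeric uid). Returns 0 only if all three pass.
strictmodes_check() {
    user=$1
    home=$2
    case $user in
        *[!0-9]*) uid=$(id -u "$user") || return 1 ;;
        *) uid=$user ;;
    esac
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        path_ok "$p" "$uid" || rc=1
    done
    return $rc
}

# Command-line use on the server: sh strictmodes_check.sh www-data /var/www
if [ "$#" -eq 2 ]; then
    strictmodes_check "$1" "$2" && echo "ok: sshd will accept $2/.ssh/authorized_keys"
fi
```

Run against the layout shown earlier in the thread (drwxrwxr-x on /var/www) it reports `bad modes (775) for /var/www: group or other writable`, which is exactly the condition sshd logs before closing the connection.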

Habitual 05-23-2016 06:22 PM

www-data has a nologin shell, I'll bet that is jamming you up.
Code:

grep www-data /etc/passwd
Also, if you have keys, then why allow "ssh www-data@server" without one?

maples 05-23-2016 08:54 PM

Quote:

Originally Posted by keefaz (Post 5549859)
I think it's the culprit, permissions too permissive :/

Try chmod 755 /var/www

That did it! I can now SSH as www-data, and sshfs is now working as expected.

I wonder why it refuses to let you login when group has write permission?

Thanks for all the help! :D

maples 05-23-2016 08:56 PM

Quote:

Originally Posted by Habitual (Post 5549888)
www-data has a nologin shell, I'll bet that is jamming you up.
Code:

grep www-data /etc/passwd
Also, if you have keys, then why allow "ssh www-data@server" without one?

That was something that I had done long ago (otherwise I wouldn't have been able to give the output from www-data in the replies above):
Code:

root@poweredge1950:~# grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/bash

And yes, I am using SSH keys. /etc/ssh/sshd_config has "PasswordAuthentication" set to "no"; it's been that way since the day I set it up.

Turbocapitalist 05-23-2016 09:09 PM

Quote:

Originally Posted by maples (Post 5549933)
That did it! I can now SSH as www-data, and sshfs is now working as expected.

I wonder why it refuses to let you login when group has write permission?

It's so the key used for authentication cannot be overwritten by others.

Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely to end up costing you in the medium to long term.

What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.
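
The dedicated-group arrangement suggested here, as an added example that is not part of the thread. The script assumes Linux with GNU coreutils and the shadow utilities (groupadd, usermod); the group name webeditors and the editor account are placeholders. Directories get 2775 so files created inside inherit the group, files get 664, and www-data, which is not a member, is left on the "other" side of the permission bits: it can serve the document root but not modify it.

```shell
#!/bin/sh
# Added example (not from the thread): give editors write access to the
# document root through a dedicated group instead of making www-data the
# owner. Assumptions: Linux with GNU coreutils and shadow utils; "webeditors"
# and the editor account are placeholders.

# setup_group GROUP EDITOR (requires root): create GROUP if missing and add
# EDITOR to it; the editor has to log in again for the membership to apply.
setup_group() {
    group=$1
    editor=$2
    getent group "$group" >/dev/null || groupadd "$group"
    usermod -aG "$group" "$editor"
}

# share_docroot DIR GROUP: hand DIR to GROUP (name or numeric gid) with
# group-writable modes and no write bits for "other", where www-data sits.
# 2775 on directories sets setgid so new files inherit the group.
share_docroot() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 664 {} + || return 1
}

# docroot_ok DIR GROUP: print each entry under DIR that is world-writable,
# not owned by GROUP, or a directory without setgid; return 1 if any found.
docroot_ok() {
    dir=$1
    case $2 in
        *[!0-9]*) gid=$(getent group "$2" | cut -d: -f3) ;;
        *) gid=$2 ;;
    esac
    [ -n "$gid" ] || return 1
    # stat prints numeric gid, octal mode and name; read splits on the first
    # two fields so names containing spaces stay intact in $n.
    bad=$(find "$dir" -exec stat -c '%g %a %n' {} + | while read -r g m n; do
        if [ "$g" -ne "$gid" ]; then echo "wrong group: $n"; continue; fi
        perm=$(printf '%d' "0$m")
        # 2 is octal 002 (other-write), 1024 is octal 2000 (setgid).
        if [ $((perm & 2)) -ne 0 ]; then echo "world-writable: $n"; continue; fi
        if [ -d "$n" ] && [ $((perm & 1024)) -eq 0 ]; then echo "no setgid: $n"; fi
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
    return 0
}

# As root on the server:
#   setup_group webeditors anthony
#   share_docroot /var/www/html webeditors && docroot_ok /var/www/html webeditors
```

docroot_ok is the part worth keeping around: run it periodically (or from a cron job) and it flags the first file a CMS update or a careless chmod turns world-writable, before www-data gains a write path into the tree.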

