LinuxQuestions.org - [SOLVED] Stuck on SSH public key authentication for www-data

- Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)

- - Stuck on SSH public key authentication for www-data (https://www.linuxquestions.org/questions/linux-software-2/stuck-on-ssh-public-key-authentication-for-www-data-4175580513/)

Stuck on SSH public key authentication for www-data

I have a web server and a desktop. I would like to be able to mount /var/www/html/ from the webserver to a directory on my desktop using sshfs.

I have a user 'anthony' on both the server and the desktop. I can SSH between the desktop and server with public key authentication (password login is disabled).
From there, I can 'su' to www-data (I have set a password for the www-data user).

Code:

anthony@maples-desktop:~$ ssh 192.168.0.100



The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.



Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

You have new mail.

Last login: Mon May 23 16:25:50 2016 from 192.168.0.101

anthony@poweredge1950:~$ su www-data

Password: 

www-data@poweredge1950:/home/anthony$ cd

www-data@poweredge1950:~$

As you can see, public key authentication is working properly.

I thought that I could just copy my id_rsa.pub from my desktop into /var/www/.ssh/authorized_keys on the server. But it's not working like I thought it would:

Code:

ssh www-data@192.168.0.100

Permission denied (publickey).

Here's the verbose output:

Code:

$ ssh www-data@192.168.0.100 -v

OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1k 8 Jan 2015

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 19: Applying options for *

debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.

debug1: Connection established.

debug1: identity file /home/anthony/.ssh/id_rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/anthony/.ssh/id_rsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /home/anthony/.ssh/id_dsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /home/anthony/.ssh/id_dsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /home/anthony/.ssh/id_ecdsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /home/anthony/.ssh/id_ecdsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /home/anthony/.ssh/id_ed25519 type -1

debug1: key_load_public: No such file or directory

debug1: identity file /home/anthony/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u2

debug1: match: OpenSSH_6.7p1 Debian-5+deb8u2 pat OpenSSH* compat 0x04000000

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none

debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA <SNIP>

debug1: Host '192.168.0.100' is known and matches the ECDSA host key.

debug1: Found key in /home/anthony/.ssh/known_hosts:9

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /home/anthony/.ssh/id_rsa

debug1: Authentications that can continue: publickey

debug1: Trying private key: /home/anthony/.ssh/id_dsa

debug1: Trying private key: /home/anthony/.ssh/id_ecdsa

debug1: Trying private key: /home/anthony/.ssh/id_ed25519

debug1: No more authentication methods to try.

Permission denied (publickey).

When that didn't work, I tried copying /home/anthony/.ssh/authorized_keys to /var/www/.ssh/authorized_keys (in case I had somehow incorrectly copied my public key) but that still didn't work.

I've checked, and I'm using the correct home directory for www-data:

Code:

www-data@poweredge1950:/home/anthony$ cd

www-data@poweredge1950:~$ pwd

/var/www

www-data@poweredge1950:~$ echo $HOME

/var/www

I do not have "AllowUsers" set in my /etc/ssh/sshd_config

I didn't know if I needed a keypair for www-data, so I generated that, and that didn't fix it either.

I checked that the permissions for authorized_keys is the same as the user 'anthony':

Code:

www-data@poweredge1950:~$ cd .ssh/

www-data@poweredge1950:~/.ssh$ pwd

/var/www/.ssh

www-data@poweredge1950:~/.ssh$ ls -la

total 20

drwx------ 2 www-data www-data 4096 May 23 16:35 .

drwxrwxr-x 4 www-data www-data 4096 May 23 16:35 ..

-rw-rw-r-- 1 www-data www-data  404 May 23 16:35 authorized_keys

-rw------- 1 www-data www-data 1675 May 23 16:34 id_rsa

-rw-r--r-- 1 www-data www-data  404 May 23 16:34 id_rsa.pub

So what I'm not understanding is why it's not allowing me to log in? I have my desktop's public key in www-data's authorized_keys on the server. It's not a problem with SSH, I can ssh from anthony@maples-desktop to anthony@poweredge1950 without any problem.

/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)

Quote:

Originally Posted by keefaz (Post 5549831)

/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)

That didn't work either. I changed the permissions, but even after I restarted the SSH server, "ssh www-data@192.168.0.100" still gave me "Permission denied (publickey)."

authorized_keys file contains anthony@maples-desktop's id_rsa.pub content?

Quote:

Originally Posted by keefaz (Post 5549834)

authorized_keys file contains anthony@maples-desktop's id_rsa.pub content?

Yes. Right now, that's all it contains:

Code:

www-data@poweredge1950:~$ md5sum .ssh/authorized_keys 

9815696ed24521e7ab23d8ad23f35960  .ssh/authorized_keys





anthony@maples-desktop:~$ md5sum .ssh/id_rsa.pub 

9815696ed24521e7ab23d8ad23f35960  .ssh/id_rsa.pub

Quote:

Originally Posted by maples (Post 5549839)

Yes. Right now, that's all it contains:

Code:

www-data@poweredge1950:~$ md5sum .ssh/authorized_keys 

9815696ed24521e7ab23d8ad23f35960  .ssh/authorized_keys





anthony@maples-desktop:~$ md5sum .ssh/id_rsa.pub 

9815696ed24521e7ab23d8ad23f35960  .ssh/id_rsa.pub

Same content ;)

At this point, you don't see differences comparing ~/.ssh directories for both www-data and anthony users ? Not using authorized_keys2 in anthony's .ssh for example?

Nope, nothing like that:

Code:

www-data@poweredge1950:~$ ls .ssh/

authorized_keys  id_rsa  id_rsa.pub

Code:

anthony@maples-desktop:~$ ls .ssh/

authorized_keys  id_rsa  id_rsa.pub  known_hosts  known_hosts.old

Nothing in logs (as root) tail /var/log/messages
Or grep ssh /var/log/*

What are the permissions of /var/www ?

Code:

www-data@poweredge1950:~$ ls -la /var/www/

total 52

drwxrwxr-x  4 www-data www-data 4096 May 23 16:35 .

drwxr-xr-x 13 root    root    4096 Dec 14 16:36 ..

-rw-rw-r--  1 www-data www-data 5590 May 23 17:07 .bash_history

-rw-rw-r--  1 www-data www-data  46 May 22 23:38 .bashrc

drwxrwxr-x  5 www-data www-data 4096 May 23 16:13 html

-rw-rw-r--  1 www-data www-data  177 Sep 19  2015 index.html

-rw-rw-r--  1 www-data www-data  62 Nov 25 09:09 .lesshst

-rw-rw-r--  1 www-data www-data  48 May 23 15:09 old-index.php

drwx------  2 www-data www-data 4096 May 23 16:35 .ssh

-rw-rw-r--  1 www-data www-data 7957 May 23 16:35 .viminfo

-rw-rw-r--  1 www-data www-data  26 May 22 23:50 .vimrc

Nothing shows up in either of the commands you suggested for the logs:

Code:

root@poweredge1950:~# tail /var/log/messages

May 22 07:20:50 poweredge1950 kernel: [3329018.057841] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)

May 22 07:25:45 poweredge1950 kernel: [3329313.077694] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)

May 22 07:50:50 poweredge1950 kernel: [3330818.073325] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)

May 22 08:50:45 poweredge1950 kernel: [3334413.188655] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)

May 22 09:35:50 poweredge1950 kernel: [3337118.226140] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)

May 22 20:40:38 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 22 20:41:08 2016 [try http://www.rsyslog.com/e/2007 ]

May 23 06:30:54 poweredge1950 rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="688" x-info="http://www.rsyslog.com"] rsyslogd was HUPed

May 23 06:39:01 poweredge1950 rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]

May 23 06:39:01 poweredge1950 rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]

May 23 15:03:46 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Mon May 23 15:04:16 2016 [try http://www.rsyslog.com/e/2007 ]

The other command only came up with a lot of "Accepted pubkey for anthony from 192.168.0.101...", dpkg logs from when I installed it, and popcon logs.

However, I checked the end of auth.log, which contained something worth mentioning (immediately after I tried SSHing to www-data@192.168.0.100):

Code:

root@poweredge1950:~# tail /var/log/auth.log

May 23 17:38:25 poweredge1950 systemd-logind[598]: New session 3740 of user anthony.

May 23 17:38:30 poweredge1950 su[14666]: Successful su for root by anthony

May 23 17:38:30 poweredge1950 su[14666]: + /dev/pts/2 anthony:root

May 23 17:38:30 poweredge1950 su[14666]: pam_unix(su:session): session opened for user root by anthony(uid=1000)

May 23 17:38:52 poweredge1950 sshd[14671]: Authentication refused: bad ownership or modes for directory /var/www

May 23 17:38:52 poweredge1950 sshd[14671]: Connection closed by 192.168.0.101 [preauth]

May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session opened for user root by (uid=0)

May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session closed for user root

May 23 17:44:16 poweredge1950 sshd[14749]: Authentication refused: bad ownership or modes for directory /var/www

May 23 17:44:16 poweredge1950 sshd[14749]: Connection closed by 192.168.0.101 [preauth]

I'm not sure what this means, though; I don't see anything unusual with the permissions (as listed above).

Quote:

Originally Posted by maples (Post 5549858)

I'm not sure what this means, though; I don't see anything unusual with the permissions (as listed above).

I think it's the culprit, permissions too permissive :/

Try chmod 755 /var/www

www-data has a nologin shell, I'll bet is jamming you up.

Code:

grep www-data /etc/passwd

Also, if you have keys, then why allow "ssh www-data@server" without one?

Quote:

Originally Posted by keefaz (Post 5549859)

I think it's the culprit, permissions too permissive :/

Try chmod 755 /var/www

That did it! I can now SSH as www-data, and sshfs is now working as expected.

I wonder why it refuses to let you login when group has write permission?

Thanks for all the help! :D

Quote:

Originally Posted by Habitual (Post 5549888)

www-data has a nologin shell, I'll bet is jamming you up.

Code:

grep www-data /etc/passwd

Also, if you have keys, then why allow "ssh www-data@server" without one?

That was something that I had done long ago (otherwise I wouldn't have been able to give the output from www-data in the replies above):

Code:

root@poweredge1950:~# grep www-data /etc/passwd

www-data:x:33:33:www-data:/var/www:/bin/bash

And yes, I am using SSH keys. /etc/ssh/sshd_config has "PasswordAuthentication" set to "no"; it's been that way since the day I set it up.

Quote:

Originally Posted by maples (Post 5549933)

That did it! I can now SSH as www-data, and sshfs is now working as expected.

I wonder why it refuses to let you login when group has write permission?

It's so the key used for authentication cannot be overwritten by others.

Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely end up costing you in the medium to long term.

What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.