[SOLVED] Stuck on SSH public key authentication for www-data
I have a web server and a desktop. I would like to be able to mount /var/www/html/ from the webserver to a directory on my desktop using sshfs.
I have a user 'anthony' on both the server and the desktop. I can SSH between the desktop and server with public key authentication (password login is disabled).
From there, I can 'su' to www-data (I have set a password for the www-data user).
Code:
anthony@maples-desktop:~$ ssh 192.168.0.100
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon May 23 16:25:50 2016 from 192.168.0.101
anthony@poweredge1950:~$ su www-data
Password:
www-data@poweredge1950:/home/anthony$ cd
www-data@poweredge1950:~$
As you can see, public key authentication is working properly.
I thought that I could just copy my id_rsa.pub from my desktop into /var/www/.ssh/authorized_keys on the server. But it's not working like I thought it would:
Code:
$ ssh www-data@192.168.0.100 -v
OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1k 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.
debug1: Connection established.
debug1: identity file /home/anthony/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u2
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA <SNIP>
debug1: Host '192.168.0.100' is known and matches the ECDSA host key.
debug1: Found key in /home/anthony/.ssh/known_hosts:9
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/anthony/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/anthony/.ssh/id_dsa
debug1: Trying private key: /home/anthony/.ssh/id_ecdsa
debug1: Trying private key: /home/anthony/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
When that didn't work, I tried copying /home/anthony/.ssh/authorized_keys to /var/www/.ssh/authorized_keys (in case I had somehow incorrectly copied my public key) but that still didn't work.
I've checked, and I'm using the correct home directory for www-data:
Code:
www-data@poweredge1950:/home/anthony$ cd
www-data@poweredge1950:~$ pwd
/var/www
www-data@poweredge1950:~$ echo $HOME
/var/www
I do not have "AllowUsers" set in my /etc/ssh/sshd_config
I didn't know if I needed a keypair for www-data, so I generated that, and that didn't fix it either.
I checked that the permissions for authorized_keys are the same as for the user 'anthony':
Code:
www-data@poweredge1950:~$ cd .ssh/
www-data@poweredge1950:~/.ssh$ pwd
/var/www/.ssh
www-data@poweredge1950:~/.ssh$ ls -la
total 20
drwx------ 2 www-data www-data 4096 May 23 16:35 .
drwxrwxr-x 4 www-data www-data 4096 May 23 16:35 ..
-rw-rw-r-- 1 www-data www-data 404 May 23 16:35 authorized_keys
-rw------- 1 www-data www-data 1675 May 23 16:34 id_rsa
-rw-r--r-- 1 www-data www-data 404 May 23 16:34 id_rsa.pub
So what I'm not understanding is why it's not allowing me to log in. I have my desktop's public key in www-data's authorized_keys on the server. It's not a problem with SSH; I can ssh from anthony@maples-desktop to anthony@poweredge1950 without any problem.
/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)
That didn't work either. I changed the permissions, but even after I restarted the SSH server, "ssh www-data@192.168.0.100" still gave me "Permission denied (publickey)."
At this point, you don't see differences comparing ~/.ssh directories for both www-data and anthony users ? Not using authorized_keys2 in anthony's .ssh for example?
Code:
www-data@poweredge1950:~$ ls -la /var/www/
total 52
drwxrwxr-x 4 www-data www-data 4096 May 23 16:35 .
drwxr-xr-x 13 root root 4096 Dec 14 16:36 ..
-rw-rw-r-- 1 www-data www-data 5590 May 23 17:07 .bash_history
-rw-rw-r-- 1 www-data www-data 46 May 22 23:38 .bashrc
drwxrwxr-x 5 www-data www-data 4096 May 23 16:13 html
-rw-rw-r-- 1 www-data www-data 177 Sep 19 2015 index.html
-rw-rw-r-- 1 www-data www-data 62 Nov 25 09:09 .lesshst
-rw-rw-r-- 1 www-data www-data 48 May 23 15:09 old-index.php
drwx------ 2 www-data www-data 4096 May 23 16:35 .ssh
-rw-rw-r-- 1 www-data www-data 7957 May 23 16:35 .viminfo
-rw-rw-r-- 1 www-data www-data 26 May 22 23:50 .vimrc
Nothing shows up in either of the commands you suggested for the logs:
Code:
root@poweredge1950:~# tail /var/log/messages
May 22 07:20:50 poweredge1950 kernel: [3329018.057841] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 07:25:45 poweredge1950 kernel: [3329313.077694] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)
May 22 07:50:50 poweredge1950 kernel: [3330818.073325] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 08:50:45 poweredge1950 kernel: [3334413.188655] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)
May 22 09:35:50 poweredge1950 kernel: [3337118.226140] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 20:40:38 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 22 20:41:08 2016 [try http://www.rsyslog.com/e/2007 ]
May 23 06:30:54 poweredge1950 rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="688" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
May 23 06:39:01 poweredge1950 rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
May 23 06:39:01 poweredge1950 rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
May 23 15:03:46 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Mon May 23 15:04:16 2016 [try http://www.rsyslog.com/e/2007 ]
The other command only came up with a lot of "Accepted pubkey for anthony from 192.168.0.101...", dpkg logs from when I installed it, and popcon logs.
However, I checked the end of auth.log, which contained something worth mentioning (immediately after I tried SSHing to www-data@192.168.0.100):
Code:
root@poweredge1950:~# tail /var/log/auth.log
May 23 17:38:25 poweredge1950 systemd-logind[598]: New session 3740 of user anthony.
May 23 17:38:30 poweredge1950 su[14666]: Successful su for root by anthony
May 23 17:38:30 poweredge1950 su[14666]: + /dev/pts/2 anthony:root
May 23 17:38:30 poweredge1950 su[14666]: pam_unix(su:session): session opened for user root by anthony(uid=1000)
May 23 17:38:52 poweredge1950 sshd[14671]: Authentication refused: bad ownership or modes for directory /var/www
May 23 17:38:52 poweredge1950 sshd[14671]: Connection closed by 192.168.0.101 [preauth]
May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session opened for user root by (uid=0)
May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session closed for user root
May 23 17:44:16 poweredge1950 sshd[14749]: Authentication refused: bad ownership or modes for directory /var/www
May 23 17:44:16 poweredge1950 sshd[14749]: Connection closed by 192.168.0.101 [preauth]
I'm not sure what this means, though; I don't see anything unusual with the permissions (as listed above).
That did it! I can now SSH as www-data, and sshfs is now working as expected.
I wonder why it refuses to let you log in when group has write permission?
It's so the key used for authentication cannot be overwritten by others.
Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely to end up costing you in the medium to long term.
What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.
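The "Authentication refused: bad ownership or modes for directory /var/www" line in the OP's auth.log comes from sshd's StrictModes check: with StrictModes on (the default), sshd refuses a key file if the file itself, or any directory between it and the user's home directory (home included), is group- or world-writable or owned by someone other than the user or root. The script below is an added example written for this page, not something posted in the thread or part of OpenSSH; it reproduces that walk so the offending path can be found from a shell instead of by reading auth.log, and the `demo` function rebuilds the thread's layout (home 775, .ssh 700, authorized_keys 664) in a constructed temp directory. It assumes GNU coreutils `stat -c` and already-canonical paths (sshd resolves them with realpath first).

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the ownership/mode walk that
# sshd performs when StrictModes is on (OpenSSH auth.c, secure_filename) so the
# "bad ownership or modes" refusal seen in auth.log can be found from a shell.
# Assumes GNU coreutils stat (-c) and already-canonical paths.

# mode_ok PATH UID: succeed if PATH is owned by UID or root and is neither
# group- nor world-writable (the same test sshd applies: uid check, mode & 022).
mode_ok() {
    owner=$(stat -c '%u' "$1" 2>/dev/null) || return 1
    perms=$(stat -c '%A' "$1")             # e.g. drwxrwxr-x
    [ "$owner" = "$2" ] || [ "$owner" = 0 ] || return 1
    case $perms in
        ?????w*|????????w*) return 1 ;;    # group write (pos 6) or other write (pos 9)
    esac
    return 0
}

# check_key_path AUTHORIZED_KEYS HOMEDIR UID
# Prints the sshd-style reason and returns 1 on refusal, prints "ok" otherwise.
# Like sshd it checks the file first, then every parent directory up to and
# including HOMEDIR (or "/" if the file lies outside the home).
check_key_path() {
    file=$1; home=$2; uid=$3
    if ! mode_ok "$file" "$uid"; then
        echo "bad ownership or modes for file $file"; return 1
    fi
    dir=$file
    while :; do
        dir=$(dirname "$dir")
        if ! mode_ok "$dir" "$uid"; then
            echo "bad ownership or modes for directory $dir"; return 1
        fi
        [ "$dir" = "$home" ] && break
        [ "$dir" = "/" ] && break
    done
    echo ok
}

# demo: rebuild the thread's layout (home 775, .ssh 700, authorized_keys 664)
# in a constructed temp dir owned by the current user, then apply the fixes in
# the order the thread did. This is a fixture, not the poster's real files.
demo() {
    tmp=$(mktemp -d); home=$tmp/www; keys=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh"; : > "$keys"
    chmod 775 "$home"; chmod 700 "$home/.ssh"; chmod 664 "$keys"
    uid=$(id -u)
    check_key_path "$keys" "$home" "$uid" || :   # refused: file is group-writable
    chmod 600 "$keys"
    check_key_path "$keys" "$home" "$uid" || :   # refused: home dir is group-writable
    chmod 755 "$home"
    check_key_path "$keys" "$home" "$uid"        # ok
    rm -rf "$tmp"
}

demo
```

Run it as any user; the three verdicts mirror the thread: first the 664 authorized_keys is rejected (the fix suggested in reply #2), then the 775 home directory is rejected (the line the OP finally saw in auth.log), and only after `chmod 755` on the home does the walk pass. Note that the walk stops at the home directory, so a world-writable /tmp or a 775 /var above it is not consulted.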
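The last reply's recommendation, a dedicated group for the people who edit the document root while www-data keeps read-only access, as an added example that is not from the thread. The `webdev` group name, the helper names and the temp-directory demo are illustrative; in production `setup_shared_docroot` is run as root with `root` as the owner so www-data neither owns nor group-owns anything under the document root. The audit function flags the situation the OP's `ls -la /var/www/` showed (html owned by www-data with mode 775). It assumes GNU find and stat.

```shell
#!/bin/sh
# Added example, not from the thread: the "dedicated editors group" layout the
# last reply recommends, plus an audit for the mistake the thread started with
# (a document root that www-data itself can write to). The webdev group and
# helper names are illustrative. Assumes GNU find/stat.

# setup_shared_docroot DOCROOT OWNER GROUP
#   In production run as root with OWNER=root and GROUP=<editors group>, e.g.
#       groupadd webdev && usermod -aG webdev anthony
#       setup_shared_docroot /var/www/html root webdev
#   www-data is in neither role, so it gets only the "other" bits (r-x / r--).
setup_shared_docroot() {
    docroot=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$docroot"
    # directories: owner+group rwx, other r-x; setgid so new files inherit GROUP
    find "$docroot" -type d -exec chmod 2775 {} +
    # files: owner+group rw, other r
    find "$docroot" -type f -exec chmod 0664 {} +
}

# audit_docroot DOCROOT WEBUID WEBGID
#   Lists paths the web user (uid WEBUID / gid WEBGID) could write: owned by it
#   with owner write, group-owned by it with group write, or world-writable.
#   Empty output means www-data cannot modify anything in the tree.
audit_docroot() {
    find "$1" \( -uid "$2" -perm -200 \) -o \( -gid "$3" -perm -020 \) -o -perm -002
}

# demo: constructed tree in a temp dir, fixed with the caller's own user and
# primary group (no root needed), then audited against a uid/gid that owns
# nothing here, standing in for www-data.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/assets"; echo hello > "$tmp/html/index.html"
    chmod 777 "$tmp/html" "$tmp/html/assets"; chmod 666 "$tmp/html/index.html"
    setup_shared_docroot "$tmp/html" "$(id -un)" "$(id -gn)"
    stat -c '%a %U:%G %n' "$tmp/html" "$tmp/html/assets" "$tmp/html/index.html"
    webuid=$(( $(id -u) + 1 )); webgid=$(( $(id -g) + 1 ))
    echo "paths writable by web user: $(audit_docroot "$tmp/html" "$webuid" "$webgid" | wc -l)"
    rm -rf "$tmp"
}

demo
```

The setgid bit on directories is what keeps the model from eroding: files that editors create later inherit the editors group instead of each editor's primary group, so nobody is tempted to reach for `chmod 777` or `chown www-data` to make things work. Re-run `audit_docroot` with www-data's real uid and gid (`id -u www-data`, `id -g www-data`) after any CMS install, since the CMS-specific exceptions the reply mentions should be individual files, not whole directories.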