LinuxQuestions.org
Old 05-23-2016, 03:54 PM   #1
maples (Member; registered Oct 2013; IN, USA; Arch, Debian Jessie)
Stuck on SSH public key authentication for www-data


I have a web server and a desktop. I would like to be able to mount /var/www/html/ from the webserver to a directory on my desktop using sshfs.

I have a user 'anthony' on both the server and the desktop. I can SSH between the desktop and server with public key authentication (password login is disabled).
From there, I can 'su' to www-data (I have set a password for the www-data user).

Code:
anthony@maples-desktop:~$ ssh 192.168.0.100

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon May 23 16:25:50 2016 from 192.168.0.101
anthony@poweredge1950:~$ su www-data
Password: 
www-data@poweredge1950:/home/anthony$ cd
www-data@poweredge1950:~$
As you can see, public key authentication is working properly.

I thought that I could just copy my id_rsa.pub from my desktop into /var/www/.ssh/authorized_keys on the server. But it's not working like I thought it would:
Code:
ssh www-data@192.168.0.100
Permission denied (publickey).
Here's the verbose output:
Code:
$ ssh www-data@192.168.0.100 -v
OpenSSH_6.7p1 Debian-5+deb8u2, OpenSSL 1.0.1k 8 Jan 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 22.
debug1: Connection established.
debug1: identity file /home/anthony/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anthony/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u2
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u2 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA <SNIP>
debug1: Host '192.168.0.100' is known and matches the ECDSA host key.
debug1: Found key in /home/anthony/.ssh/known_hosts:9
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/anthony/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/anthony/.ssh/id_dsa
debug1: Trying private key: /home/anthony/.ssh/id_ecdsa
debug1: Trying private key: /home/anthony/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
When that didn't work, I tried copying /home/anthony/.ssh/authorized_keys to /var/www/.ssh/authorized_keys (in case I had somehow incorrectly copied my public key) but that still didn't work.

I've checked, and I'm using the correct home directory for www-data:
Code:
www-data@poweredge1950:/home/anthony$ cd
www-data@poweredge1950:~$ pwd
/var/www
www-data@poweredge1950:~$ echo $HOME
/var/www
I do not have "AllowUsers" set in my /etc/ssh/sshd_config

I didn't know if I needed a keypair for www-data, so I generated that, and that didn't fix it either.

I checked that the permissions for authorized_keys are the same as for the user 'anthony':
Code:
www-data@poweredge1950:~$ cd .ssh/
www-data@poweredge1950:~/.ssh$ pwd
/var/www/.ssh
www-data@poweredge1950:~/.ssh$ ls -la
total 20
drwx------ 2 www-data www-data 4096 May 23 16:35 .
drwxrwxr-x 4 www-data www-data 4096 May 23 16:35 ..
-rw-rw-r-- 1 www-data www-data  404 May 23 16:35 authorized_keys
-rw------- 1 www-data www-data 1675 May 23 16:34 id_rsa
-rw-r--r-- 1 www-data www-data  404 May 23 16:34 id_rsa.pub
So what I'm not understanding is why it's not allowing me to log in. I have my desktop's public key in www-data's authorized_keys on the server. It's not a problem with SSH; I can ssh from anthony@maples-desktop to anthony@poweredge1950 without any problem.

Old 05-23-2016, 04:02 PM   #2
keefaz (LQ Guru; registered Mar 2004; Slackware)
/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)

Old 05-23-2016, 04:07 PM   #3
maples (Original Poster)
Quote:
Originally Posted by keefaz
/var/www/.ssh/authorized_keys permissions should be set to owner rw (chmod 600 /var/www/.ssh/authorized_keys)
That didn't work either. I changed the permissions, but even after I restarted the SSH server, "ssh www-data@192.168.0.100" still gave me "Permission denied (publickey)."

Old 05-23-2016, 04:10 PM   #4
keefaz
authorized_keys file contains anthony@maples-desktop's id_rsa.pub content?

Old 05-23-2016, 04:13 PM   #5
maples (Original Poster)
Quote:
Originally Posted by keefaz
authorized_keys file contains anthony@maples-desktop's id_rsa.pub content?
Yes. Right now, that's all it contains:
Code:
www-data@poweredge1950:~$ md5sum .ssh/authorized_keys 
9815696ed24521e7ab23d8ad23f35960  .ssh/authorized_keys


anthony@maples-desktop:~$ md5sum .ssh/id_rsa.pub 
9815696ed24521e7ab23d8ad23f35960  .ssh/id_rsa.pub

Old 05-23-2016, 04:20 PM   #6
keefaz
Quote:
Originally Posted by maples
Yes. Right now, that's all it contains:
Code:
www-data@poweredge1950:~$ md5sum .ssh/authorized_keys 
9815696ed24521e7ab23d8ad23f35960  .ssh/authorized_keys


anthony@maples-desktop:~$ md5sum .ssh/id_rsa.pub 
9815696ed24521e7ab23d8ad23f35960  .ssh/id_rsa.pub
Same content

At this point, you don't see differences comparing ~/.ssh directories for both www-data and anthony users? Not using authorized_keys2 in anthony's .ssh, for example?

Old 05-23-2016, 04:23 PM   #7
maples (Original Poster)
Nope, nothing like that:
Code:
www-data@poweredge1950:~$ ls .ssh/
authorized_keys  id_rsa  id_rsa.pub
Code:
anthony@maples-desktop:~$ ls .ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts  known_hosts.old

Old 05-23-2016, 04:31 PM   #8
keefaz
Nothing in the logs? (As root) tail /var/log/messages
Or grep ssh /var/log/*

Old 05-23-2016, 04:37 PM   #9
keefaz
What are the permissions of /var/www ?

Old 05-23-2016, 04:45 PM   #10
maples (Original Poster)
Code:
www-data@poweredge1950:~$ ls -la /var/www/
total 52
drwxrwxr-x  4 www-data www-data 4096 May 23 16:35 .
drwxr-xr-x 13 root     root     4096 Dec 14 16:36 ..
-rw-rw-r--  1 www-data www-data 5590 May 23 17:07 .bash_history
-rw-rw-r--  1 www-data www-data   46 May 22 23:38 .bashrc
drwxrwxr-x  5 www-data www-data 4096 May 23 16:13 html
-rw-rw-r--  1 www-data www-data  177 Sep 19  2015 index.html
-rw-rw-r--  1 www-data www-data   62 Nov 25 09:09 .lesshst
-rw-rw-r--  1 www-data www-data   48 May 23 15:09 old-index.php
drwx------  2 www-data www-data 4096 May 23 16:35 .ssh
-rw-rw-r--  1 www-data www-data 7957 May 23 16:35 .viminfo
-rw-rw-r--  1 www-data www-data   26 May 22 23:50 .vimrc
Nothing shows up in either of the commands you suggested for the logs:
Code:
root@poweredge1950:~# tail /var/log/messages
May 22 07:20:50 poweredge1950 kernel: [3329018.057841] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 07:25:45 poweredge1950 kernel: [3329313.077694] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)
May 22 07:50:50 poweredge1950 kernel: [3330818.073325] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 08:50:45 poweredge1950 kernel: [3334413.188655] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 1 (2462/0 MHz)
May 22 09:35:50 poweredge1950 kernel: [3337118.226140] wlan0: AP <MAC address> changed bandwidth, new config is 2462 MHz, width 2 (2452/0 MHz)
May 22 20:40:38 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 22 20:41:08 2016 [try http://www.rsyslog.com/e/2007 ]
May 23 06:30:54 poweredge1950 rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="688" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
May 23 06:39:01 poweredge1950 rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
May 23 06:39:01 poweredge1950 rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
May 23 15:03:46 poweredge1950 rsyslogd-2007: action 'action 17' suspended, next retry is Mon May 23 15:04:16 2016 [try http://www.rsyslog.com/e/2007 ]
The other command only came up with a lot of "Accepted pubkey for anthony from 192.168.0.101...", dpkg logs from when I installed it, and popcon logs.

However, I checked the end of auth.log, which contained something worth mentioning (immediately after I tried SSHing to www-data@192.168.0.100):
Code:
root@poweredge1950:~# tail /var/log/auth.log
May 23 17:38:25 poweredge1950 systemd-logind[598]: New session 3740 of user anthony.
May 23 17:38:30 poweredge1950 su[14666]: Successful su for root by anthony
May 23 17:38:30 poweredge1950 su[14666]: + /dev/pts/2 anthony:root
May 23 17:38:30 poweredge1950 su[14666]: pam_unix(su:session): session opened for user root by anthony(uid=1000)
May 23 17:38:52 poweredge1950 sshd[14671]: Authentication refused: bad ownership or modes for directory /var/www
May 23 17:38:52 poweredge1950 sshd[14671]: Connection closed by 192.168.0.101 [preauth]
May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session opened for user root by (uid=0)
May 23 17:39:01 poweredge1950 CRON[14675]: pam_unix(cron:session): session closed for user root
May 23 17:44:16 poweredge1950 sshd[14749]: Authentication refused: bad ownership or modes for directory /var/www
May 23 17:44:16 poweredge1950 sshd[14749]: Connection closed by 192.168.0.101 [preauth]
I'm not sure what this means, though; I don't see anything unusual with the permissions (as listed above).

Old 05-23-2016, 04:48 PM   #11
keefaz
Quote:
Originally Posted by maples
I'm not sure what this means, though; I don't see anything unusual with the permissions (as listed above).
I think it's the culprit, permissions too permissive :/

Try chmod 755 /var/www

Last edited by keefaz; 05-23-2016 at 04:51 PM.

Old 05-23-2016, 06:22 PM   #12
Habitual (LQ Veteran; registered Jan 2011; Abingdon, VA; Catalina)
www-data has a nologin shell; I'll bet that is jamming you up.
Code:
grep www-data /etc/passwd
Also, if you have keys, then why allow "ssh www-data@server" without one?

Last edited by Habitual; 05-23-2016 at 06:24 PM.

Old 05-23-2016, 08:54 PM   #13
maples (Original Poster)
Quote:
Originally Posted by keefaz
I think it's the culprit, permissions too permissive :/

Try chmod 755 /var/www
That did it! I can now SSH as www-data, and sshfs is now working as expected.

I wonder why it refuses to let you log in when the group has write permission?

Thanks for all the help!

Last edited by maples; 05-23-2016 at 08:58 PM.

Old 05-23-2016, 08:56 PM   #14
maples (Original Poster)
Quote:
Originally Posted by Habitual
www-data has a nologin shell, I'll bet is jamming you up.
Code:
grep www-data /etc/passwd
Also, if you have keys, then why allow "ssh www-data@server" without one?
That was something that I had done long ago (otherwise I wouldn't have been able to give the output from www-data in the replies above):
Code:
root@poweredge1950:~# grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/bash
And yes, I am using SSH keys. /etc/ssh/sshd_config has "PasswordAuthentication" set to "no"; it's been that way since the day I set it up.

Old 05-23-2016, 09:09 PM   #15
Turbocapitalist (LQ Guru; registered Apr 2005; Linux Mint, Devuan, OpenBSD)
Quote:
Originally Posted by maples
That did it! I can now SSH as www-data, and sshfs is now working as expected.

I wonder why it refuses to let you login when group has write permission?
It's so the key used for authentication cannot be overwritten by others.

Also, the user and group www-data are for privilege separation and should not have write access to anything in the web server's document root, except for special exceptions regarding individual files in certain CMSs. Adding write permission for www-data, as shown in #10 above, breaks the security model and is likely to end up costing you in the medium to long term.

What problem were you trying to solve? If it was shared access to the web server's document root or other files, then a special group should be made for that and write access given to that new group instead of www-data.
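The check behind the "Authentication refused: bad ownership or modes for directory /var/www" line in #10, which Turbocapitalist explains above, re-implemented as an added shell example (not sshd's own code): under StrictModes, sshd refuses authorized_keys, ~/.ssh and the home directory if any of them is owned by someone other than the user or root, or is writable by group or others. The fixture below is constructed to mirror the thread (775 home, 700 .ssh, 600 keys) and then applies the chmod 755 fix from #11; it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not sshd's code: a shell re-implementation of the StrictModes
# check behind "Authentication refused: bad ownership or modes for directory".
# sshd (StrictModes yes, the default) requires authorized_keys, ~/.ssh and
# every directory up to and including the home directory to be owned by the
# user or root and to be writable by nobody but the owner.
# Assumes GNU stat (-c); the paths below are constructed fixtures.

# check_path PATH UID: 0 if PATH is owned by UID or root and not group/other-writable.
check_path() {
    p=$1
    want=$2
    owner=$(stat -c '%u' "$p") || return 1
    mode=$(stat -c '%a' "$p") || return 1
    if [ "$owner" != "$want" ] && [ "$owner" != 0 ]; then
        echo "bad ownership for $p (owner uid $owner)" >&2
        return 1
    fi
    # 022 octal = group-write | other-write; the leading 0 forces octal parsing.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes for $p (mode $mode)" >&2
        return 1
    fi
    return 0
}

# check_ssh_user HOME UID: the walk sshd performs before trusting authorized_keys.
check_ssh_user() {
    check_path "$1" "$2" &&
    check_path "$1/.ssh" "$2" &&
    check_path "$1/.ssh/authorized_keys" "$2"
}

# Constructed fixture reproducing the thread: home 775, .ssh 700, keys 600.
demo=$(mktemp -d)
mkdir -p "$demo/www/.ssh"
: > "$demo/www/.ssh/authorized_keys"
chmod 775 "$demo/www"
chmod 700 "$demo/www/.ssh"
chmod 600 "$demo/www/.ssh/authorized_keys"

if check_ssh_user "$demo/www" "$(id -u)"; then
    echo "775 home: accepted (unexpected)"
else
    echo "775 home: refused, matching the auth.log line"
fi

chmod 755 "$demo/www"   # the fix from post #11
if check_ssh_user "$demo/www" "$(id -u)"; then
    echo "755 home: accepted"
fi
rm -rf "$demo"
```

The group-writable authorized_keys from #1 (-rw-rw-r--) fails the same check, which is why keefaz's chmod 600 in #2 was necessary but not sufficient on its own.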