SSH errors and permissions

xy16644 · Feb 1, 2014

I use public keys to authenticate with OpenSSH/ I don't allow passwords. When I look in the /var/log/auth.log logfile I have the following errors:

Code:

pam_ssh_agent_auth: Authentication refused: bad ownership or modes for file /usr/home/user/.ssh/authorized_keys
pam_ssh_agent_auth: matching key found: file /home/user/.ssh/authorized_keys, line 1
pam_ssh_agent_auth: Found matching RSA key: 0c:64:1e:49:97:3a:d0:a1:09:0c:e0:25:67:fb:c8:4a
pam_ssh_agent_auth: Authenticated: `user' as `user' using /home/user/.ssh/authorized_keys

I have checked the permissions in my home directory and they are as follows:

Code:

drwxr-xr-x   6 user user    17B Jan 24 18:01 user/ 
drwx------  2 user user     3B Jan  1 17:32 .ssh/
-rw-------  1 user user   390B Jan  4 14:47 authorized_keys

After following all the articles online about permissions I still can't get rid of that error when authenticating. Any ideas? What I find interesting is that it authenticates me fine with the key in /home/user/.ssh/authorized_keys but it complains about /usr/home/user/.ssh/authorized_keys?

The other issue I have is, when I restart the SSH service I get the following:

Code:

Performing sanity check on sshd configuration.
Could not load host key: /etc/ssh/ssh_host_rsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

I had a look in /etc/ssh and have the following:

Code:

-rw-r--r--   1 root  wheel   236K Sep 27 11:34 moduli
-rw-r--r--   1 root  wheel   1.7K Jan 21 17:43 ssh_config
-rw-------   1 root  wheel   668B Jan  1 12:25 ssh_host_dsa_key
-rw-r--r--   1 root  wheel   612B Jan  1 12:25 ssh_host_dsa_key.pub
-rw-------   1 root  wheel   227B Jan  1 12:25 ssh_host_ecdsa_key
-rw-r--r--   1 root  wheel   184B Jan  1 12:25 ssh_host_ecdsa_key.pub
-rw-------   1 root  wheel   539B Jan  1 12:25 ssh_host_key
-rw-r--r--   1 root  wheel   344B Jan  1 12:25 ssh_host_key.pub
-rw-------   1 root  wheel   1.6K Jan  1 12:25 ssh_host_rsa_key
-rw-r--r--   1 root  wheel   404B Jan  1 12:25 ssh_host_rsa_key.pub
-rw-r--r--   1 root  wheel   4.8K Feb  1 10:07 sshd_config

In sshd_config I have:

Code:

ListenAddress 192.168.0.240
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTH
LogLevel DEBUG
LoginGraceTime 15
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
Ciphers aes256-ctr
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
AllowUsers user
AllowAgentForwarding yes
AllowTcpForwarding yes
PrintLastLog yes
TCPKeepAlive yes
Subsystem   sftp    /usr/libexec/sftp-server
HPNDisabled no
HPNBufferSize 2048
UseDNS no

The funny thing is I can SSH into the server fine and Putty says I am connected using SSH 2 so why the errors when I restart the service?

worldi · Feb 1, 2014

xy16644 said:
The other issue I have is, when I restart the SSH service I get the following:

Code:

Performing sanity check on sshd configuration. Could not load host key: /etc/ssh/ssh_host_rsa_key Disabling protocol version 2. Could not load host key sshd: no hostkeys available -- exiting.

...
The funny thing is I can SSH into the server fine and Putty says I am connected using SSH 2 so why the errors when I restart the service?

How can you ssh into the box when sshd is not running?

xy16644 · Feb 1, 2014

I'm not sure but I am running SSH:

Code:

ps aux | grep ssh
root      1396   0.0  0.0  60816   2708  -  Is   10:05PM    0:00.00 /usr/sbin/sshd
root     85428   0.0  0.0  86084   6784  -  Is    9:48AM    0:00.02 sshd: user[priv] (sshd)
user 85430   0.0  0.0  86084   6676  -  S     9:48AM    0:00.10 sshd: user@pts/0 (sshd)
root     86138   0.0  0.0  18728   1892  0  S+   12:26PM    0:00.00 grep ssh

Putty says this:

Code:

2014-02-01 09:48:31	Looking up host "192.168.0.240"
2014-02-01 09:48:31	Connecting to 192.168.0.240 port 22
2014-02-01 09:48:31	Server version: SSH-2.0-OpenSSH_6.4_hpn13v11 FreeBSD-20131111
2014-02-01 09:48:31	Using SSH protocol version 2
2014-02-01 09:48:31	We claim version: SSH-2.0-PuTTY_Release_0.63
2014-02-01 09:48:31	Doing Diffie-Hellman group exchange
2014-02-01 09:48:31	Doing Diffie-Hellman key exchange with hash SHA-256
2014-02-01 09:48:31	Host key fingerprint is:
2014-02-01 09:48:31	ssh-rsa 2048 4b:e9:12:1a:a3:08:01:2v:f5:d2:18:27:b4:10:7f:00
2014-02-01 09:48:31	Initialised AES-256 SDCTR client->server encryption
2014-02-01 09:48:31	Initialised HMAC-SHA-256 client->server MAC algorithm
2014-02-01 09:48:31	Initialised AES-256 SDCTR server->client encryption
2014-02-01 09:48:31	Initialised HMAC-SHA-256 server->client MAC algorithm
2014-02-01 09:48:31	Pageant is running. Requesting keys.
2014-02-01 09:48:31	Pageant has 4 SSH-2 keys
2014-02-01 09:48:31	Trying Pageant key #1
2014-02-01 09:48:31	Sending Pageant's response
2014-02-01 09:48:31	Access granted
2014-02-01 09:48:31	Opening session as main channel
2014-02-01 09:48:31	Opened main channel
2014-02-01 09:48:31	Requesting OpenSSH-style agent forwarding
2014-02-01 09:48:31	Agent forwarding enabled
2014-02-01 09:48:31	Allocated pty (ospeed 38400bps, ispeed 38400bps)
2014-02-01 09:48:31	Started a shell/command
2014-02-01 10:48:31	Initiating key re-exchange (timeout)
2014-02-01 10:48:31	Doing Diffie-Hellman group exchange
2014-02-01 10:48:31	Doing Diffie-Hellman key exchange with hash SHA-256
2014-02-01 10:48:31	Initialised AES-256 SDCTR client->server encryption
2014-02-01 10:48:31	Initialised HMAC-SHA-256 client->server MAC algorithm
2014-02-01 10:48:31	Initialised AES-256 SDCTR server->client encryption
2014-02-01 10:48:31	Initialised HMAC-SHA-256 server->client MAC algorithm
2014-02-01 11:48:31	Initiating key re-exchange (timeout)
2014-02-01 11:48:31	Doing Diffie-Hellman group exchange
2014-02-01 11:48:31	Doing Diffie-Hellman key exchange with hash SHA-256
2014-02-01 11:48:31	Initialised AES-256 SDCTR client->server encryption
2014-02-01 11:48:31	Initialised HMAC-SHA-256 client->server MAC algorithm
2014-02-01 11:48:31	Initialised AES-256 SDCTR server->client encryption
2014-02-01 11:48:31	Initialised HMAC-SHA-256 server->client MAC algorithm

Also service sshd status gives:

Code:

sshd is running as pid 1396.

worldi · Feb 1, 2014

Ah, OK. sshd does not let you lock yourself out easily: it did not reload, the "exiting" part was from the config check. You better not stop it...

I looks like there's a problem with your RSA keys. file /etc/ssh/ssh_host_rsa* should return something like this:

Code:

/etc/ssh/ssh_host_rsa_key:     PEM RSA private key
/etc/ssh/ssh_host_rsa_key.pub: OpenSSH RSA public key

xy16644 · Feb 1, 2014

Its no problem if the service stops. I have console access.

What do I need to do to fix the problem with the RSA keys?

file /etc/ssh/ssh_host_rsa* returns:

Code:

/etc/ssh/ssh_host_rsa_key:     PEM RSA private key
/etc/ssh/ssh_host_rsa_key.pub: OpenSSH RSA public key

worldi · Feb 1, 2014

Move the existing RSA "keys" to a safe place (just in case) then run service sshd keygen.

xy16644 · Feb 1, 2014

That seems to have done the trick. Now when I restart the SSH service with service sshd restart I get:

Code:

Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 1408.
Performing sanity check on sshd configuration.
Starting sshd.

So thanks for that.

I'm still getting plenty of these though in the /var/log/auth.log

Code:

pam_ssh_agent_auth: Authentication refused: bad ownership or modes for file /usr/home/user/.ssh/authorized_keys
pam_ssh_agent_auth: matching key found: file /home/user/.ssh/authorized_keys, line 1
pam_ssh_agent_auth: Found matching RSA key: 0b:85:1f:39:17:3a:w0:b1:09:0b:e0:25:67:fb:c8:4a
pam_ssh_agent_auth: Authenticated: `user' as `user' using /home/user/.ssh/authorized_keys

Any ideas? I have checked the directory permissions.

kpa · Feb 1, 2014

Have you changed the permissions of directories /usr or /usr/home from the defaults in any way? This is how they should be:

Code:

freebsd10 ~ % ls -ld /usr /usr/home 
drwxr-xr-x  16 root  wheel  512 Jan 20 10:27 /usr
drwxr-xr-x   3 root  wheel  512 Oct 13 20:38 /usr/home
freebsd10 ~ %

xy16644 · Feb 1, 2014

Nope.

Code:

drwxr-xr-x  16 root  wheel    16B Jan 21 16:28 /usr
drwxr-xr-x   3 root  wheel     3B Jan  1 12:27 /usr/home

worldi · Feb 1, 2014

Uhm, this one's weird. Any chance that both, /home and /usr/home, are directories (and sshd uses one and you've checked the other)? Normally /home is just a symlink to /usr/home:

Code:

% /bin/ls -ld {/usr,}/home
lrwxr-xr-x  1 root  wheel    8 Jan 16  2013 /home -> usr/home
drwxr-xr-x  3 root  wheel  512 Jan 16  2013 /usr/home
%

xy16644 · Feb 1, 2014

I don't think I've done anything strange but here is the output of /bin/ls -ld {/usr,}/home:

Code:

lrwxr-xr-x  1 root  wheel  9 Jan  1 09:25 /home -> /usr/home
drwxr-xr-x  3 root  wheel  3 Jan  1 12:27 /usr/home

I just don't understand why SSH is trying to use authorized_keys from BOTH directories (I know, its all one directory but still, weird).

I do have a ZFS dataset as follows:

Code:

zroot/usr/home                              384K   105G   300K  /usr/home

Could this be causing the issue?

xy16644 · Feb 1, 2014

Could sudo be part of this problem? I'm using sudo with pam.