Solved sshd_config AuthorizedKeysCommand not working

1. I append the following lines to sshd_config:
Code:
Match User git
AllowUsers git
AuthorizedKeysCommand /usr/local/bin/keylist %u
AuthorizedKeysCommandUser git
AuthorizedKeysFile none
AuthenticationMethods publickey
PermitRootLogin no
PasswordAuthentication no
PermitTTY no
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
PermitOpen none
PermitTunnel no
X11Forwarding no

2. /usr/local/bin/keylist code as follow:
Bash:
#!/bin/sh

[ $# -ne 1 ] && { echo "Usage: $0 userid" >&2; exit 1; }

case "$1" in
    jjolie)
        # this is just a joke; don't take this seriously, and if you
        # do, make sure you have some sort of cache in case your
        # internet goes kaputt
        curl -sf https://api.github.com/users/jjolie/keys |
        jq -r '.[].key'
        ;;
    *)
        keyfile="/tmp/$1.pub"
        [ -f $keyfile ] && cat $keyfile
        ;;
esac

ls -l /usr/local/bin/keylist
Code:
-rwxr-xr-x  1 root  wheel  413 Apr 23 14:53 /usr/local/bin/keylist

3. adduser add git user as general

4. upload ssh pub key to 10.0.0.2 /tmp/git.pub
ls -l /tmp/git.pub
Code:
-rw-r--r--  1 root  wheel  400 Apr 23 15:30 /tmp/git.pub

5. run /usr/sbin/sshd -ddd -f /etc/ssh/sshd_config

6. ssh -T git@10.0.0.2

the ssh client show info:
Code:
git@10.0.0.2: Permission denied (publickey).

the sshd show errors:

Code:
debug3: subprocess: AuthorizedKeysCommand command "/usr/local/bin/keylist git" running as git (flags 0x6)
Unsafe AuthorizedKeysCommand "/usr/local/bin/keylist": bad ownership or modes for directory /         
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed                   
Failed publickey for git from 10.0.0.1 port 59070 ssh2: RSA SHA256:wRcl3ZZtnX9lIH//ye8HrAhC5aNZPa7FWcNp7fwlgg0
these actions on the FreeBSD 12.0-RELEASE r341666 GENERIC amd64。
 
1. I append the following lines to sshd_config:
Apache config:
Match User git
AllowUsers git
AuthorizedKeysCommand /usr/local/bin/keylist %u
AuthorizedKeysCommandUser git
AuthorizedKeysFile none
AuthenticationMethods publickey
PermitRootLogin no
PasswordAuthentication no
PermitTTY no
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
PermitOpen none
PermitTunnel no
X11Forwarding no

2. /usr/local/bin/keylist code as follow:
Bash:
#!/bin/sh

[ $# -ne 1 ] && { echo "Usage: $0 userid" >&2; exit 1; }

case "$1" in
    jjolie)
        # this is just a joke; don't take this seriously, and if you
        # do, make sure you have some sort of cache in case your
        # internet goes kaputt
        curl -sf https://api.github.com/users/jjolie/keys |
        jq -r '.[].key'
        ;;
    *)
        keyfile="/tmp/$1.pub"
        [ -f $keyfile ] && cat $keyfile
        ;;
esac

ls -l /usr/local/bin/keylist
Code:
-rwxr-xr-x  1 root  wheel  413 Apr 23 14:53 /usr/local/bin/keylist

3. adduser add git user as general

4. upload ssh pub key to 10.0.0.2 /tmp/git.pub
ls -l /tmp/git.pub
Code:
-rw-r--r--  1 root  wheel  400 Apr 23 15:30 /tmp/git.pub

5. run /usr/sbin/sshd -ddd -f /etc/ssh/sshd_config

6. ssh -T git@10.0.0.2

the sshd show errors:
debug3: subprocess: AuthorizedKeysCommand command "/usr/local/bin/keylist git" running as git (flags 0x6)
Unsafe AuthorizedKeysCommand "/usr/local/bin/keylist": bad ownership or modes for directory /
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
Failed publickey for git from 10.0.0.1 port 59070 ssh2: RSA SHA256:wRcl3ZZtnX9lIH//ye8HrAhC5aNZPa7FWcNp7fwlgg0


these actions on the FreeBSD 12.0-RELEASE r341666 GENERIC amd64。

sshd_config()

Code:
     AuthorizedKeysCommand
             Specifies a program to be used to look up the user's public keys.
             The program must be owned by root, not writable by group or
             others and specified by an absolute path.  Arguments to
             AuthorizedKeysCommand accept the tokens described in the TOKENS
             section.  If no arguments are specified then the username of the
             target user is used.

             The program should produce on standard output zero or more lines
             of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)).  If a
             key supplied by AuthorizedKeysCommand does not successfully
             authenticate and authorize the user then public key
             authentication continues using the usual AuthorizedKeysFile
             files.  By default, no AuthorizedKeysCommand is run.

     AuthorizedKeysCommandUser
             Specifies the user under whose account the AuthorizedKeysCommand
             is run.  It is recommended to use a dedicated user that has no
             other role on the host than running authorized keys commands.  If
             AuthorizedKeysCommand is specified but AuthorizedKeysCommandUser
             is not, then sshd(8) will refuse to start.
 
getfacl / get info:
Code:
# file: /                                                                                              
# owner: 150                                                                                          
# group: 150                                                                                          
            owner@:rwxp--aARWcCos:-------:allow                                                        
            group@:r-x---a-R-c--s:-------:allow                                                        
         everyone@:r-x---a-R-c--s:-------:allow

chown root:wheel / resolved the "Unsafe AuthorizedKeysCommand "/usr/local/bin/keylist": bad ownership or modes for directory /" error

150 is not in the /etc/passwd in jail, it's the host cbsd UID
 
these actions in the jail which is created by cbsd,

Hey. I am participating in the CBSD project, and I’m interested in fixing it. Do I understand correctly that you are using the jail baserw=1 (read / write for root) here?
 
Hey. I am participating in the CBSD project, and I’m interested in fixing it. Do I understand correctly that you are using the jail baserw=1 (read / write for root) here?
Yes, I set baserw=1 for jails.
 
Back
Top