Can not login with key-exchange in chrooted sftp environment

Ángel González keisial at gmail.com
Sat Jul 7 06:30:54 EST 2012


On 06/07/12 19:02, Raghu Udupa wrote:
> Hi,
>
> We need to allow log in based on public key generated using ssh-keygen (rsa key) for SFTP with chroot (internal sftp). I am not able to log in with just key exchange. I can login using password.
>
> I am able to log in without password for an ssh session unlike sftp session.
>
> Is there a way to login with key-exchange only for internal-sftp with chroot?
Are you using programs from different suites for shell session vs sftp?
Both types of session are selected after the authentication, so I find
it strange that one would work while the other doesn't.

> Here is the trace
>
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to host port 22.
> debug1: Connection established.
> debug3: Not a RSA1 key file /usr/apps1/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
(snip)
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /usr/apps1/.ssh/id_rsa type 1
> debug3: Not a RSA1 key file /usr/apps1/.ssh/id_dsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
(snip)

> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /usr/apps1/.ssh/id_dsa type 2

What's the first line of those files?
I would expect them to be something like -----BEGIN RSA PRIVATE KEY-----
or -----BEGIN DSA PRIVATE KEY-----, but it seems it's not.

Thus my suspicion that they are in a format of a different suite.
If sftp can't load the key, it would obviously not be able to login.

(snip)
> debug1: Authentications that can continue: publickey
> debug3: start over, passed a different list publickey
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /usr/apps1/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey
However, here it is sending a key... (which is rejected by the server)
> debug1: Offering public key: /usr/apps1/.ssh/id_dsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey
and the second one is rejected, too.
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey).
> Couldn't read packet: Connection reset by peer
>
> Thanks,
> Raghu
What's in the server logs for the rejection? The interesting stuff
about rejected keys (e.g. the file is group-writable) is logged there.
Although if you can get an interactive session, it should be right. Can
you login through sftp if you disable the chroot?
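
As an added example (mine, not code from the thread or from OpenSSH), here is a small shell audit of the two things the reply points at: the ownership and mode rules sshd enforces on every component of a ChrootDirectory path and on ~/.ssh under StrictModes, and the refusal lines sshd writes to the server log when those checks fail. The directory tree, uid and log lines are constructed; the log patterns follow the wording sshd uses in auth.c and session.c.

```shell
#!/bin/sh
# Added example, not from the thread: audit the ownership/mode rules sshd
# enforces for ChrootDirectory (every component owned by root, not group/world-
# writable) and StrictModes (~/.ssh and authorized_keys), then pull the refusal
# messages out of the server log. Uses only POSIX find/ls/grep.

# Print PATH and return 1 if it is not owned by OWNER or is group/world-writable.
check_path_modes() {
    path=$1; owner=$2
    bad=$(find "$path" -prune \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print)
    [ -z "$bad" ] && return 0
    echo "would be refused: $(ls -ld "$path")"
    return 1
}

# Check every component from DIR up to, but not including, STOP. sshd walks the
# same chain for ChrootDirectory; in production STOP is / and OWNER is 0 (root).
check_chroot_chain() {
    dir=$1; stop=$2; owner=$3; rc=0
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        check_path_modes "$dir" "$owner" || rc=1
        dir=$(dirname "$dir")
    done
    return $rc
}

# Print the sshd log lines that explain a rejected key or chroot: the StrictModes
# refusal from auth.c and the chroot ownership/mode failure from session.c.
scan_sshd_log() {
    grep -E 'Authentication refused: bad ownership or modes|bad ownership or modes for chroot directory' "$1"
}

# Demo on a constructed tree and constructed log lines. It runs as the current
# user, so OWNER is our own uid rather than root.
demo() {
    base=$(mktemp -d); me=$(id -u)
    mkdir -p "$base/good/home/.ssh" "$base/bad/home"
    chmod 755 "$base/good" "$base/good/home"; chmod 700 "$base/good/home/.ssh"
    chmod 775 "$base/bad" "$base/bad/home"      # group-writable chroot component
    check_chroot_chain "$base/good/home" "$base" "$me" && echo "good chroot: ok"
    check_chroot_chain "$base/bad/home" "$base" "$me" || echo "bad chroot: sshd would refuse it"
    printf '%s\n' 'sshd[2201]: Authentication refused: bad ownership or modes for directory /srv/sftp/raghu' \
        'sshd[2201]: Accepted publickey for raghu from 10.0.0.5 port 51022 ssh2' > "$base/auth.log"
    scan_sshd_log "$base/auth.log"             # constructed log, prints the refusal line only
    rm -rf "$base"
}
demo
```

Run it against the real chroot with `check_chroot_chain /srv/sftp/user / 0` and against `~/.ssh/authorized_keys` with `check_path_modes FILE UID`; the same conditions are what the server-side log will report when it rejects the key.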