On Mon, May 1, 2023 at 10:44 AM Pierre Willaime <pierre.willa...@univ-lorraine.fr> wrote:
>
> Hi,
>
> I am unable to connect via SSH without password (ssh-copy-id was launched) to
> a VM running Debian Stable.
>
> After some investigations, it is most likely a permission issue
>
> May 1 15:32:42 vm sshd[131848]: debug1: trying public key file
> /home/user/.ssh/authorized_keys
> May 1 15:32:42 vm sshd[131848]: debug1: fd 5 clearing O_NONBLOCK
> May 1 15:32:42 vm sshd[131848]: Authentication refused: bad ownership or
> modes for directory /home/user
>
> On this system (not installed by me), my user has a UID and GID of 0 in
> /etc/passwd. Several users share root privileges like this on the server.
>
> After an ssh connection (it is working with password authentication) done as
> 'user'
>
> $ ssh user@server
> user@server's password: ....
>
> I am directly connected as root
>
> root@server:~# whoami
> root
> root@server:~# su user
> root@server:~# whoami
> root
>
> .ssh files of user directory are owned by root
>
> # ls -la /home/user/.ssh/
> total 4
> drwx------ 2 root user 29 1 mai 15:38 .
> drwxr-xr-x 3 1001 user 106 11 févr. 11:10 ..
> -rw------- 1 root user 395 1 mai 15:38 authorized_keys

Perform a `chown -R user:group /home/user/*`. Then perform a `chmod -R o-rwx /home/user/.ssh/`. (You only need to remove 'other' access).

> I tried to change the owner of the file authorized_keys (I guess if it
> matches the user used in ssh connection command, it will allow the ssh
> connection by keys) but chown fails silently.
>
> root@server:~# chown user /home/user/.ssh/authorized_keys
> root@server:~# ls -la /home/user/.ssh/authorized_keys
> -rw------- 1 root user 395 1 mai 15:38 .ssh/authorized_keys
>
> I tried a `chattr -i` on the file, unsuccessfully.
>
> If I launch again ssh-copy-id with root@server instead of user@server, I can
> connect without password. But I would prefer to connect with my user.
>
> What is my best move here?

Root is usually not allowed to log in via ssh. Log in as a regular user, then do something like `sudo -i` or `sudo su -`.

If you want to allow root logins, I believe your sshd_config needs to be updated. Here's the one I set to disallow root. You should do the opposite:

$ cat /etc/ssh/sshd_config.d/20-no_root_login.conf
PermitRootLogin no

I also only allow PublicKey methods:

cat /etc/ssh/sshd_config.d/10-pubkey_auth.conf
# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication no
UsePAM no

# Enable public key
PubkeyAuthentication yes

Jeff
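The "bad ownership or modes for directory /home/user" line quoted in the message comes from sshd's StrictModes check on the key file and its parent directories. The following is an added example, not part of the original thread and not OpenSSH's code: a simplified Python rendering of that rule (owner must be the login uid or root, no group/other write bit), applied to the ownership and modes shown in the quoted `ls -la` output. The function names and the `PAGE_LISTING` table are hypothetical and constructed for illustration.

```python
import os

# Constructed from the `ls -la /home/user/.ssh/` output quoted in the message:
# (path, owner uid, permission bits), key file first, then each parent up to home.
PAGE_LISTING = [
    ("/home/user/.ssh/authorized_keys", 0, 0o600),
    ("/home/user/.ssh", 0, 0o700),
    ("/home/user", 1001, 0o755),
]

def component_ok(owner_uid, mode, login_uid):
    """Accept a path component only if it is owned by the login uid or by root
    and is not writable by group or other."""
    return owner_uid in (0, login_uid) and (mode & 0o022) == 0

def refused_components(entries, login_uid):
    """Return every path in entries that fails the check. sshd itself stops
    at the first failure; listing all of them is more useful when auditing."""
    return [p for p, uid, mode in entries if not component_ok(uid, mode, login_uid)]

def stat_chain(keyfile, home):
    """Stat keyfile and each parent directory up to and including home."""
    path, home = os.path.realpath(keyfile), os.path.realpath(home)
    entries = []
    while True:
        st = os.stat(path)
        entries.append((path, st.st_uid, st.st_mode & 0o7777))
        if path == home or path == os.path.dirname(path):
            return entries
        path = os.path.dirname(path)

if __name__ == "__main__":
    # The account in the message has uid 0; the home directory is owned by 1001.
    for uid in (0, 1001):
        print(f"login uid {uid}: refused -> {refused_components(PAGE_LISTING, uid)}")
```

On a live host, `refused_components(stat_chain(keyfile, home), uid)` runs the same check against the real filesystem.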