
I have one user who is able to log in via SFTP using a public key, but cannot set up any others to work the same way. I've searched for other similar questions and the solution has usually been related to ownership or permissions, but I've gone over this configuration dozens of times and everything lines up properly.

The desired result is to have a client that uses a single key pair to connect to the server using multiple accounts. With the current configuration, the contents of the authorized_keys files are identical for both users, and I am certain that the private key on the client side absolutely matches the public keys installed on the server.

The user that works:

# id ideal-dwh
uid=514(ideal-dwh) gid=514(ideal-dwh) groups=514(ideal-dwh),519(sftp-users)
# ls -la
total 48
drwxr-xr-x 4 root      sftp-users  4096 Jul 12 21:08 .
drwx-----x 6 root      root        4096 Jul 13 14:13 ..
drwx--x--- 2 root      sftp-users  4096 Jul 12 21:10 .ssh
drwxr-xr-x 2 ideal-dwh sftp-users 36864 Jul 13 05:45 uploads
# cd .ssh
# ls -la
total 16
drwx--x--- 2 root sftp-users 4096 Jul 12 21:10 .
drwxr-xr-x 4 root sftp-users 4096 Jul 12 21:08 ..
-rw-r--r-- 1 root sftp-users 1036 Jul 12 16:01 authorized_keys

And the user that doesn't work:

# id gapautoparts-dwh
uid=524(gapautoparts-dwh) gid=524(gapautoparts-dwh) groups=524(gapautoparts-dwh),519(sftp-users)
# ls -la
total 48
drwxr-xr-x 4 root             sftp-users  4096 Jul 13 14:13 .
drwx-----x 6 root             root        4096 Jul 13 14:13 ..
drwx--x--- 2 root             sftp-users  4096 Jul 13 14:13 .ssh
drwxr-xr-x 2 gapautoparts-dwh sftp-users 36864 Jul 13 14:13 uploads
# cd .ssh
# ls -la
total 16
drwx--x--- 2 root sftp-users 4096 Jul 13 14:13 .
drwxr-xr-x 4 root sftp-users 4096 Jul 13 14:13 ..
-rw-r--r-- 1 root sftp-users 1036 Jul 13 14:13 authorized_keys

sshd_config contents:

LogLevel VERBOSE
...
Match Group sftp-users
    ChrootDirectory /data/%u
    ForceCommand internal-sftp -d /uploads
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

The auth.log file is blank and the secure log shows nothing related to the failed login attempts despite the log level being verbose in the config file.

The specific error I get when attempting to connect with the second user:

Status: Connecting to server...
Status: Using username "gapautoparts-dwh".
Status: Server refused our key
Status: Access denied
Error: Authentication failed.
Error: Critical error: Could not connect to server
Status: Disconnected from server

What I have tried so far:

Changing permissions and ownership

In researching the problem this seemed to be the most common solution. The recommended setup I usually see is to have the connecting user/group own the .ssh directory and its contents, with 700 permissions on the .ssh directory and 600 permissions on the authorized_keys file. Changing this on the broken user does not seem to make any difference. Furthermore, setting these owners/permissions on the working user actually breaks things.

I've tried just about every combination of ownership and permissions I can think of with no success. Changing the ownership and permissions of the currently working user to anything other than what I've already got breaks everything.

Using a different key pair

My desired result is to use a specific key pair to connect for both users, but in troubleshooting I have tried using different key pairs as well, updating the authorized_keys file as necessary.

This makes no difference for the broken user. For the working user I am able to connect using any key pairs I set up for the server and client.

Starting from scratch with a new user

The issue is not limited to the specific user I've shared in this post. I have created other users, following the same steps I used to create the working user and am unable to connect with any of them.

Setting user-specific settings in sshd_config

I have also tried adding user-specific rules to sshd_config in place of the group settings with no success. Adding the following makes no difference:

Match User gapautoparts-dwh
    ChrootDirectory /data/gapautoparts-dwh
    ForceCommand internal-sftp -d /uploads
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
  • Have you checked the SSH logs on the server side? Commented Jul 13, 2021 at 14:54
  • For some reason my "auth.log" file is blank. The "secure" log does not seem to have anything relevant to the failed login attempts. Commented Jul 13, 2021 at 15:05
  • Please edit your question to add information, don't use comments for this purpose. Commented Jul 13, 2021 at 17:09
  • 1
    You have 2 users connecting with the same public key? Does this mean you're using the same key exchange for both users? As in, do you have the same private keys in their client-side .ssh folders with which to connect? Commented Jul 13, 2021 at 18:15
  • @Kahn yes, I've amended my post to clarify the private key on the client-side matches the public key installed for both users on the server. Commented Jul 14, 2021 at 4:12

1 Answer


The issue ended up being that the home directories were not properly set for new users.

Despite using the following command to create the user:

useradd -g sftp-users -d /data/gapautoparts-dwh/ gapautoparts-dwh 

The entry in /etc/passwd was added as:

gapautoparts-dwh:x:524:524::/home/gapautoparts-dwh:/bin/bash 

Why the -d flag isn't working is something else I'll have to look into, but this issue is resolved.

  • For the -d flag misbehaving, try appending the -M option to your command. Commented Oct 2, 2023 at 15:14
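The failure mode in the accepted answer is easy to check for across every account in the sftp-users group: sshd resolves a relative AuthorizedKeysFile against the home directory recorded in the passwd entry, not against ChrootDirectory, so a wrong home field makes sshd read a file that does not exist while the key sits under /data/<user>/.ssh. The script below is an added example, not code from the original question or answer. It takes passwd-style lines and the ChrootDirectory template from the post's sshd_config, expands the %u token, and reports where sshd will actually look for the key versus where it was installed. The two passwd lines are constructed to match the post (the working user's entry is assumed to point at /data/ideal-dwh; the post only shows the broken one).

```shell
#!/bin/sh
# Added example (not from the original post). Works out where sshd will look for
# authorized_keys for a given passwd entry and compares it with the location
# implied by the ChrootDirectory template. Assumptions: AuthorizedKeysFile is the
# relative ".ssh/authorized_keys" used in the post, and the template only uses %u.

# expected_home TEMPLATE USER -> ChrootDirectory template with %u expanded
expected_home() {
    printf '%s\n' "$1" | sed "s|%u|$2|g"
}

# sshd_keyfile PASSWD_LINE -> path sshd resolves for a relative AuthorizedKeysFile.
# A relative AuthorizedKeysFile is resolved against field 6 (home) of the passwd
# entry, so this is the file sshd opens; a trailing slash on the home is dropped.
sshd_keyfile() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    printf '%s/.ssh/authorized_keys\n' "${home%/}"
}

# check_entry PASSWD_LINE TEMPLATE -> "ok <path>" when sshd reads the file under
# the chroot, otherwise a MISMATCH line naming both locations.
check_entry() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    want="$(expected_home "$2" "$user")/.ssh/authorized_keys"
    got=$(sshd_keyfile "$1")
    if [ "$got" = "$want" ]; then
        printf 'ok %s\n' "$got"
    else
        printf 'MISMATCH sshd reads %s, key installed at %s\n' "$got" "$want"
    fi
}

# Constructed passwd lines modelled on the post, not copied from a live system.
# The working user's home is assumed to be /data/ideal-dwh; the broken user's
# line is the one quoted in the answer.
WORKING='ideal-dwh:x:514:514::/data/ideal-dwh:/bin/bash'
BROKEN='gapautoparts-dwh:x:524:524::/home/gapautoparts-dwh:/bin/bash'

check_entry "$WORKING" '/data/%u'
check_entry "$BROKEN" '/data/%u'
```

On a live server, feed it real entries with something like `getent passwd gapautoparts-dwh | while read -r line; do check_entry "$line" '/data/%u'; done`, and use `sshd -T -C user=gapautoparts-dwh` to print the effective configuration for that user so you can confirm which AuthorizedKeysFile and ChrootDirectory values the Match block actually yields. A mismatch is fixed with `usermod -d /data/gapautoparts-dwh gapautoparts-dwh`; after that, sshd finds the key and the root-owned, 644 authorized_keys layout from the working user passes StrictModes as-is.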
