
Foreword: I believe I did my homework. I tried checking the ownership/modes of the relevant files, but I'm still getting the error.

I'm trying to start an SFTP server on GNU/Linux. I made a new user called sftp_server, created /home/sftp_server/.ssh, and filled /home/sftp_server/.ssh/sshd_config with:

AuthorizedKeysFile /home/sftp_server/.ssh/authorized_keys
HostKey /home/sftp_server/.ssh/server_key
Subsystem       sftp internal-sftp

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Port 2222
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

Then I added the client's public key to /home/sftp_server/.ssh/authorized_keys.

I ran the server as sftp_server:

sftp_server@system ~> /usr/bin/sshd -f /home/sftp_server/.ssh/sshd_config -D -d

and it launches successfully with

debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1i  8 Dec 2020
…
Server listening on 0.0.0.0 port 2222.

But my attempt to connect to this server from the client with

user@DESKTOP:~$ sftp -P 2222 192.168.0.102

fails (on the server side) with:

…
Authentication refused: bad ownership or modes for file /home/sftp_server/.ssh/authorized_keys
debug1: restore_uid: (unprivileged)
Failed publickey for user from 192.168.0.103 port 64450 ssh2: ED25519 SHA256:...
Connection closed by authenticating user user 192.168.0.103 port 64450 [preauth]
…

UPDATE: Logging in as sftp_server doesn't help either.

user@DESKTOP:~$ sftp -P 2222 sftp_server@192.168.0.102

fails on the server side with the same error message.

This is a server-side message, so I'm assuming the server is failing to access the authorized_keys file properly.

The existing questions

both advise that I should set the ownership/modes properly, like:

$ sudo chmod 0700 /home/sftp_server/.ssh
$ sudo chmod 0600 /home/sftp_server/.ssh/authorized_keys

But I've already applied these.

[root@system user]# ls -al /home
…
drwxr-xr-x   7 sftp_server root        4096 Mar 24 15:07 sftp_server
…

[root@system user]# ls -al /home/sftp_server
drwxr-xr-x 7 sftp_server root       4096 Mar 24 15:07 .
drwxr-xr-x 6 root        root       4096 Nov 17  2018 ..
…
drwx------ 2 sftp_server sftp_users 4096 Mar 24 14:53 .ssh
…

[root@system user]# ls -al /home/sftp_server/.ssh
…
drwx------ 2 sftp_server sftp_users 4096 Mar 24 14:53 .
drwxr-xr-x 7 sftp_server root       4096 Mar 24 15:07 ..
-rw------- 1 sftp_server sftp_users  162 Mar 24 14:15 authorized_keys
-rw-r--r-- 1 sftp_server sftp_users  410 Mar 24 14:53 sshd_config
…

I'm thinking that

  • drwxr-xr-x (755) for /home/sftp_server
  • drwx------ (700) for /home/sftp_server/.ssh
  • -rw------- (600) for /home/sftp_server/.ssh/authorized_keys

are the correct modes, and they all correctly have sftp_server set as the file owner.

This leaves me puzzled and frustrated by the "bad ownership or modes for file" error message.

I'd appreciate any help or hint. Thanks!

Minoru
  • But you login as *user* thus shouldn't *user* be owner of `authorized_keys`? – Jiri B Mar 24 '21 at 08:55
  • Thanks for pointing out, I clarified the question. Logging in as `sftp_server` results in the same error. – Minoru Mar 24 '21 at 12:16
  • @LinuxSecurityFreak Could you elaborate? What directory does `..` refer to? At least in my `ls` snippet, all `..` directories already have the `drwxr-xr-x` modes, I think? – Minoru Mar 24 '21 at 12:25
  • It refers to _(going to) upper directory_ as for my understanding or the upper directory itself, have never fiddled with this specifically. = The group should not be root I assume. – Vlastimil Burián Mar 24 '21 at 12:26
  • @LinuxSecurityFreak I know what `..` means, I asked what directory you referred to. What file/directory do you suggest to change? `/home` or `/home/sftp_server` or `/home/sftp_server/.ssh`? Which property of that file/directory? By the way, I tried changing the group of `/home/sftp_server` but it had no effect. I also doubt it's the group, because the error says "bad ownership or modes." – Minoru Mar 24 '21 at 12:50
  • `ls -l /home/sftp_server/.ssh/server_key` ? – ilkkachu Mar 24 '21 at 13:02
  • You are not showing all output, as @ilkkachu wrote, where is `server_key`? Anyway, the setup you want works fine, I just tested it. BTW, `debug1: restore_uid: (unprivileged)` shows you are running this SSH daemon as ordinary user - `sftp_server`. What distro do you use? – Jiri B Mar 24 '21 at 13:09
  • I know it doesn't complain about `server_key`. But AFAIK, it should test that one too, so it occurred to me you might want to check that too. – ilkkachu Mar 24 '21 at 13:13
  • Sorry but as you are confused what info you give us, then I bet it is some PEBKAC issue, see it works https://gist.github.com/jirib/e0ec851d47813bb091b754d71e83e786 If you are desperate set *StrictMode* to false (`man sshd_config`). – Jiri B Mar 24 '21 at 13:18
  • Can you add `ls -ld / /home` to your question, please (permissions for `/` and `/home` themselves). I suspect it may be a permissions/ownership issue up the chain of directories from `~/.ssh/authorized_keys` – roaima Mar 24 '21 at 13:46
  • I tried to dig at the code to see what it does, but as far as I can see, it a) only checks for write permissions, read access should be ok, b) problems with directories should get a different error message: https://github.com/openssh/openssh-portable/blob/V_8_4/misc.c (Debian has a patch to allow group-writable files if the group is one where the user is the sole member; this is to support per-user groups and a `002` umask.) Based on the code, the settings here look ok to me... – ilkkachu Mar 24 '21 at 13:49
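
The comment above points at the walk sshd performs under StrictModes. The script below is an added example, not code from the question or from OpenSSH: it reimplements the checks that OpenSSH's misc.c `safe_path()` applies (file must be regular, owned by root or the login user, and not group/world writable; then every parent directory up to and including the home directory gets the same ownership/mode test, with the "for directory" wording), and runs it against a constructed temporary tree that mimics /home/sftp_server/.ssh/authorized_keys. The tree, the placeholder key line and the function names are all assumptions for the demo; the Debian group-writable exception mentioned in the comment is deliberately not modelled.

```python
import os
import shutil
import stat
import tempfile


def safe_path_check(path, uid, home):
    """Mimic sshd's StrictModes walk for an authorized_keys file.

    Returns None when sshd would accept the chain, otherwise the message
    sshd would log. Mirrors OpenSSH misc.c safe_path() (reimplementation,
    not OpenSSH code): the file itself is checked first, then each parent
    directory up to and including `home` (or `/`). Only write bits for
    group/other (0o022) and ownership by root or `uid` are tested; read
    access is never part of this check.
    """
    real = os.path.realpath(path)
    st = os.stat(real)
    if not stat.S_ISREG(st.st_mode):
        return f"{real} is not a regular file"
    if st.st_uid not in (0, uid) or (st.st_mode & 0o022):
        return f"bad ownership or modes for file {real}"

    home_real = os.path.realpath(home)
    cur = real
    while True:
        cur = os.path.dirname(cur)
        st = os.stat(cur)
        if st.st_uid not in (0, uid) or (st.st_mode & 0o022):
            return f"bad ownership or modes for directory {cur}"
        # sshd stops once it has checked the home directory (or reached /),
        # so e.g. a 1777 /tmp above a test tree is never inspected.
        if cur == home_real or cur == "/":
            break
    return None


def build_demo_tree(ssh_dir_mode=0o700, keys_mode=0o600):
    """Create a constructed <tmp>/sftp_server/.ssh/authorized_keys tree.

    Modes are applied with chmod after creation so the umask cannot alter
    them. Returns (root, home, authorized_keys_path).
    """
    root = tempfile.mkdtemp(prefix="sftp_demo_")
    home = os.path.join(root, "sftp_server")
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.mkdir(home)
    os.chmod(home, 0o755)
    os.mkdir(ssh_dir)
    with open(keys, "w", encoding="ascii") as fh:
        # Constructed placeholder, not a real key.
        fh.write("ssh-ed25519 AAAA-PLACEHOLDER-NOT-A-REAL-KEY user@DESKTOP\n")
    os.chmod(keys, keys_mode)
    os.chmod(ssh_dir, ssh_dir_mode)
    return root, home, keys


def run_demo():
    """Run the check against a correct tree and two broken ones.

    Returns a dict of {scenario: message-or-None} so the outcome can be
    inspected programmatically; the temporary trees are removed afterwards.
    """
    uid = os.getuid()
    scenarios = {
        "correct (755 home, 700 .ssh, 600 keys)": dict(),
        "group/world-writable .ssh (777)": dict(ssh_dir_mode=0o777),
        "group-writable authorized_keys (660)": dict(keys_mode=0o660),
    }
    results = {}
    for label, kwargs in scenarios.items():
        root, home, keys = build_demo_tree(**kwargs)
        try:
            results[label] = safe_path_check(keys, uid, home)
        finally:
            shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, msg in run_demo().items():
        print(f"{label}: {'OK' if msg is None else msg}")
```

Running it as the user that owns the tree prints OK for the first scenario and the two sshd-style messages for the others; the third scenario shows the exact "for file" wording seen in the question, which fires only when the file itself (not a parent directory) fails the test. Pointing `safe_path_check` at the real /home/sftp_server/.ssh/authorized_keys with the login user's uid and home is a quick way to see whether the standard walk has anything to complain about.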

1 Answer


Your sftp command is wrong. It should be like this:

sftp -P 2222 sftp_server@192.168.0.102

With your current command, you are logging in to the server with the user `user`, which doesn't exist on the server side.

  • That's not the problem. As the error message says, the server thinks the file `/home/sftp_server/.ssh/authorized_keys` is (somehow) wrong. I edited the question to clarify that adding `sftp_server@` on the client side doesn't help. – Minoru Mar 24 '21 at 12:15