SSH: sshd[3771]: Authentication refused: bad ownership or modes for directory /

tmarkov · February 21, 2023, 9:03pm

I’m trying to allow ssh access to my laptop with

users.users.<username>.openssh.authorizedKeys.keys = [
      "ssh-rsa AAAA[...]/C5kw== u0_a154@localhost"
]
[...]
services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
};

The string contains the public key ~/.ssh/id_rsa.pub on the computer I’m trying to log in from. Authentication fails with the following errors:

sshd[3771]: Authentication refused: bad ownership or modes for directory /
sshd[3771]: error: PAM: Authentication failure for user from 192.168.0.204
sshd[3771]: Connection closed by authenticating user user 192.168.0.204 port 38076 [preauth]

Does anybody know why this could be? It’s very strange that it’s looking at directory /

NobbZ · February 21, 2023, 9:32pm

If / is writable by anyone else but woot, SSH considers that an error, as basically everyone could swap out /etc or other important top level folders and “fool” the authentication that way.

So / has to be root owned and 755 for SSH to work.

tmarkov · February 21, 2023, 9:51pm

That makes sense. But why is / world writable and how can I fix it? I haven’t manually set it; maybe it has something to do with being tmpfs?

# hardware-configuration.nix

  fileSystems."/" =
    {
      device = "tmpfs";
      fsType = "tmpfs";
    };

This, fileSystems."/".options = [ "umask=755" "uid=0" "gid=0" ]; doesn’t seem to work; makes the system unbootable.

NobbZ · February 21, 2023, 10:28pm

AFAIK it is not umask, but mode.

tejing · February 22, 2023, 9:54am

The root of a tmpfs is 1777 by default, because that’s a reasonable option for tmpdirs, and yes, mode is the correct option name.

Because of the sticky bit, I’m not sure it’s actually a big security hole, come to think of it… but regardless, ssh treats such strange permissions as a hard failure, in order to protect against the attacks that are possible because of it.