Sshd PermissionDenied on authorized_keys

Hi,

I got a problem with ssh login, the systemd service has the following message:
Could not open user 'a4blue' authorized keys '/etc/ssh/authorized_keys.d/a4blue': Permission denied

The file has the following permissions:

total 4,0K
drwxr-xr-x 2 root root  60  9. Apr 14:29 .
drwx------ 3 root root 220  9. Apr 14:29 ..
-r--r--r-- 1 root root  82  9. Apr 14:29 a4blue

I also have impermanence set up with the following root:

fileSystems."/" = {
  device = "none";
  fsType = "tmpfs";
  options = ["defaults" "size=4G" "mode=755"];
};

Any hint what it could be is welcome 🙂

What are the permissions on the authorized_keys.d directory? Are both r and x set?

drwxr-xr-x  2 root root   60  9. Apr 16:43 authorized_keys.d

Yes, r and x are set.

Comparing with my machine, the permissions for /etc/ssh seem to be wrong. It should be 755, not 700. I tested by changing my /etc/ssh to 700. It causes the same issue.

Just tested it, sadly it still says “Permission denied”.
I also tried switching between NixOS unstable and 23.11 and also between the default kernel and latest (had no effect).

I am now inclined to reinstall to see if it persists.

Before you do that, try setting the ssh log level to debug… sometimes that helps.

Here is the log, I hope this helps, but I will now try to reinstall using nearly the same configuration.

debug3: mm_answer_keyallowed: entering
debug1: temporarily_use_uid: 1000/100 (e=0/0)
debug1: trying public key file /home/a4blue/.ssh/authorized_keys
debug1: Could not open user 'a4blue' authorized keys '/home/a4blue/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/100 (e=0/0)
debug1: trying public key file /etc/ssh/authorized_keys.d/a4blue
Could not open user 'a4blue' authorized keys '/etc/ssh/authorized_keys.d/a4blue': Permission denied
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: ED25519 key is not allowed

Okay, I think that I found the issue:
I had the folder /etc/ssh/ on chmod 0700, but after I changed it to 0755 it now works (bear in mind that the private keys need to be 0700).

Probably the logic was the following:

  • check / => allowed
  • check /etc => allowed
  • check /etc/ssh => permission denied, abort
    but what I thought was the following:
  • check /etc/ssh/authorized_keys.d/a4blue => allowed
    or alternatively
  • check /etc/ssh/authorized_keys.d/ => allowed
  • find and check /etc/ssh/authorized_keys.d/a4blue => allowed

I will rebuild my system again later today and see if this really was the problem.

2 Likes

I can now confirm that the /etc/ssh/ folder permission was the issue, thank you all for giving me feedback 🙂

1 Like
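
The traversal logic worked out in this thread, as an added example (not code from the posters or from OpenSSH): sshd opens the key file as the user (the `temporarily_use_uid: 1000/100` line in the log), so every parent directory needs the search (x) bit for that user, not just the file and its immediate directory. The sketch checks classic mode bits only (no ACLs or LSMs); `first_blocker`, `build_demo` and the temp-dir layout are constructed for illustration.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix mode-bit check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & want == want

def first_blocker(path, uid, gids, root="/"):
    """Return (component, mode string) of the first component from `root` down
    that stops `uid` from reading `path`, or None if nothing blocks it."""
    root = os.path.abspath(root)
    rel = os.path.relpath(os.path.abspath(path), root)
    chain = [root]
    for part in rel.split(os.sep):
        chain.append(os.path.join(chain[-1], part))
    for i, component in enumerate(chain):
        st = os.stat(component)
        want = 4 if i == len(chain) - 1 else 1  # r on the file, x on each dir
        if not allowed(st, uid, gids, want):
            return component, stat.filemode(st.st_mode)
    return None

def build_demo(base, ssh_mode):
    """Constructed copy of the thread's layout: ssh/authorized_keys.d/a4blue."""
    keydir = os.path.join(base, "ssh", "authorized_keys.d")
    os.makedirs(keydir)
    keyfile = os.path.join(keydir, "a4blue")
    with open(keyfile, "w") as f:
        f.write("ssh-ed25519 AAAA...constructed a4blue\n")  # constructed sample key line
    os.chmod(keyfile, 0o444)
    os.chmod(keydir, 0o755)
    os.chmod(os.path.join(base, "ssh"), ssh_mode)
    os.chmod(base, 0o755)
    return keyfile

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        keyfile = build_demo(base, 0o700)
        other = os.stat(base).st_uid + 1  # any uid that is not the owner
        print(first_blocker(keyfile, other, set(), root=base))
```

On a real host, `namei -l /etc/ssh/authorized_keys.d/a4blue` prints the same per-component owner and mode view.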