Access / Public keys

ernie
Forum Moderator
Posts: 1416
Joined: 26 Aug 2012 19:09
Location: France - Val d'Oise

Access / Public keys

#1

Post by ernie » 14 Jun 2019 18:50

Dear All,

Is it possible to have an explanation of the menu "Access / Public Keys" or a "how to"?

I would like to use a key for connecting to my NAS via ssh for some users.

I tried like this:
- generation of the key on the local computer
- I open key.pub
- I copy and paste the content of key.pub in "Access/Public keys" and I select the right user (same user on the local computer and the NAS)

But when I connect to the NAS from my local computer via ssh, I always need to type the password for the user.

SSH service is activated with the following options:
- Password Authentication
- Keyboard-Interactive Authentication
- Public Key Authentication
- Root Login
- Compression

Thanks for your help.
NAS 1&2:
System: GA-6LXGH(BIOS: R01 04/30/2014) / 16 Go ECC
XigmaNAS 12.0.0.4.6766 embedded
NAS1: Xeon E3 1241@3.5GHz, 4HDD@2To/raidz2 (WD red), 3HDD@300Go/sas/raidz1 (Hitachi), 1SSD cache, Zlog on sas mirror
NAS2: G3220@3GHz, 3HDD@2To/raidz1 (Seagate), 1SSD cache, 1HDD@300Go/UFS
UPS: APC Back-UPS RS 900G
Case : Fractal Design XL R2

Extensions & services:
NAS1: OBI (Plex, extendedGUI, BTSync, zrep, rclone), nfs, UPS,
NAS2: OBI (extendedGUI, zrep (backup mode))

ms49434
Developer
Posts: 715
Joined: 03 Sep 2015 18:49
Location: Neuenkirchen-Vörden, Germany - GMT+1

Re: Access / Public keys

#2

Post by ms49434 » 14 Jun 2019 21:28

ernie wrote:
14 Jun 2019 18:50
Dear All,

Is it possible to have an explanation of the menu "Access / Public Keys" or a "how to"?

I would like to use a key for connecting to my NAS via ssh for some users.

I tried like this:
- generation of the key on the local computer
- I open key.pub
- I copy and paste the content of key.pub in "Access/Public keys" and I select the right user (same user on the local computer and the NAS)

But when I connect to the NAS from my local computer via ssh, I always need to type the password for the user.

SSH service is activated with the following options:
- Password Authentication
- Keyboard-Interactive Authentication
- Public Key Authentication
- Root Login
- Compression

Thanks for your help.
Public key authentication should work ootb for root with release 12.0.0.4.6743. The home directory of root is /root by default.
To make it work for users other than root you need the script /etc/rc.d/raki at revision 6745, which assigns the correct owner (the user) to the authorized_keys file.
The user must have a home directory, otherwise ~/.ssh/authorized_keys cannot be created.

btw, release 11.2.0.4.6743 has permission 644 set for raki but it should be 755.
1) XigmaNAS 12.0.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U2, 22GB out of 32GB ECC RAM, LSI 9300-8i IT mode in passthrough mode. Pool 1: 2x HGST 10TB, mirrored, SLOG: Samsung 850 Pro, L2ARC: Samsung 850 Pro, Pool 2: 1x Samsung 860 EVO 1TB , services: Samba AD, CIFS/SMB, ftp, ctld, rsync, syncthing, zfs snapshots.
2) XigmaNAS 12.0.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U2, 8GB out of 32GB ECC RAM, IBM M1215 crossflashed, IT mode, passthrough mode, 2x HGST 10TB , services: rsync.

Snufkin
Advanced User
Posts: 289
Joined: 01 Jul 2012 11:27
Location: Etc/GMT-3 (BSD style)

Re: Access / Public keys

#3

Post by Snufkin » 14 Jun 2019 21:35

ernie wrote:
14 Jun 2019 18:50
...I need always to write the password for the user.

SSH service is activated with the following options:
- Password Authentication
- Keyboard-Interactive Authentication
...
It seems you got what you set up.
Do you want to get passwordless access with keys?
XNAS 11.3.0.4 embedded, ASUS P5B-E, Intel DC E6600, 4 GB DDR2, 2 x HGST HDN726040ALE614, 2 x WDC WD5000AAKS, Ippon Back Power Pro 400

ernie
Forum Moderator

Re: Access / Public keys

#4

Post by ernie » 15 Jun 2019 08:44

Snufkin wrote:
14 Jun 2019 21:35
ernie wrote:
14 Jun 2019 18:50
...I need always to write the password for the user.

SSH service is activated with the following options:
- Password Authentication
- Keyboard-Interactive Authentication
...
It seems you got what you set up.
Do you want to get passwordless access with keys?
Thanks.
I understand this option as password authentication OR public key authentication.
So if there is no public key, password.
Am I wrong?

For user:
"The user must have a home directory, otherwise ~/.ssh/authorized_keys cannot be created."
=> yes of course

"To make it work for users other than root you need script /etc/rc.d/raki revision 6745 which assigns the correct owner (the user) to the authorized_keys file."
=> not clear for me

Thanks

Edit:
Can we use any type of key or only RSA? I would like to use an ed25519 key.
I tested for the root user:
- authorized_keys is 755 and contains the key
- the authorized_keys is in .ssh of root's home (/root/.ssh)

On the local computer, I try to connect and get: Permission denied (publickey).

ms49434
Developer

Re: Access / Public keys

#5

Post by ms49434 » 15 Jun 2019 12:05

ssh-ed25519, ssh-rsa, ssh-dss are supported and have been tested ok.
I've used the following command to create an ed25519 key:

Code:

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519_root -C "root@xigmanas.local"
The content of the public key file went into Access > Public Keys and the private key into my workstation's .ssh folder.

ernie
Forum Moderator

Re: Access / Public keys

#6

Post by ernie » 15 Jun 2019 13:08

Thanks

ssh-keygen -o ???

What is o? Is it O (capital) for:
option
Specify a certificate option when signing a key. This option may be specified multiple times. See also the CERTIFICATES section for further details.

ernie
Forum Moderator

Re: Access / Public keys

#7

Post by ernie » 15 Jun 2019 19:33

Hello

Still an issue for me.

I tried like this to be sure that I can do it manually:
- local computer: connection via ssh to the NAS with the local user
- the local user has a home directory on the NAS and I set it up in "access/ user & group" (guest profile, mount point)
- generation of the key with ssh-keygen (user on the local computer connected via ssh to the NAS for ssh-keygen):

Code:

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519_root -C "root@xigmanas.local"
- the folder /home/user/.ssh on the NAS now contains the different files (key.pub, key, known_hosts)
- copy of key.pub on the local computer into the file "authorized_keys" in ~/.ssh/
- I checked and I see the file and the content on the local computer
- I disable "password authentication"

Permission denied

I see this:
- local computer: user = 1001 for the ID
- NAS: user = 1000 for the ID as 1001 is already used (user2 for a second computer)

Is this the issue?

When it works, I will see how to use the menu.

biggsy
experienced User
Posts: 80
Joined: 02 Jul 2012 10:24
Location: Sydney, Australia

Re: Access / Public keys

#8

Post by biggsy » 16 Jun 2019 09:14

@ernie

In Services > SSH, I enabled "Allow public key authentication" and "Allow root to login via ssh" then clicked Apply

I generated my key for root using PuTTYgen but creating the key through ssh-keygen should give you the same.

I pasted the public key into Access > Users and groups > Public keys > +, (root as the user) and clicked Apply.

When that was done I checked the user root and clicked "Enable selected public keys". Did you perhaps miss that step?

For me it's all working as expected.

However, as you are not doing it just for root:
ms49434 wrote:
14 Jun 2019 21:28

To make it work for users other than root you need script /etc/rc.d/raki revision 6745 which assigns the correct owner (the user) to the authorized_keys file.
The user must have a home directory, otherwise ~/.ssh/authorized_keys cannot be created.
Hope this helps.

ernie
Forum Moderator

Re: Access / Public keys

#9

Post by ernie » 16 Jun 2019 09:48

Thanks biggsy. I missed this point.
So I begin from scratch (I deleted all content of .ssh on xigmanas and on the local computer).

1) Local computer: generation of the key (root)
2) I added a config file in .ssh on the local computer:

Code:

Host nas1
Hostname 192.168.xxx.yyy
User root
PubKeyAuthentication yes
IdentityFile /root/.ssh/key
IdentitiesOnly yes
3) on xigmanas: I pasted the public key into Access > Users and groups > Public keys (root user selected).
4) I enable the key
Capture d’écran-4.png
5) Here is the configuration of SSH on xigmanas:
Capture d’écran-3.png
6) connection from the local computer (root) to xigmanas: Permission denied (publickey).

If I activate password connection: the connection is possible by typing the password

Where am I wrong?
When it works fine for root, I will see about users.

Edit:
I will investigate with debug mode (-vvv).

What about the file known_hosts on xigmanas?

Edit 2:
Debug says at the end of the process:
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
I didn't understand why "id_ed25519" as it must be "id_ed25519_root".

Any idea ?

biggsy
experienced User

Re: Access / Public keys

#10

Post by biggsy » 16 Jun 2019 11:25

I don't have very much experience using SSH from a 'nix box. Sorry I can't help you with that.
Maybe the missing "_root" in "id_ed25519_root" is some sort of parsing error?

I have to say, though, that I thought the known-hosts file was only maintained at the client end - to ensure that the server being connected to is the one expected.

ernie
Forum Moderator

Re: Access / Public keys

#11

Post by ernie » 16 Jun 2019 11:26

Hello

A solution is to use:

Code:

ssh -i id_ed25519_root 192.168.xxx.yyy
on the local computer.

I don't see why the local computer searches for "id_ed25519" and not "id_ed25519_root".

Any advice is welcome.

ernie
Forum Moderator

Re: Access / Public keys

#12

Post by ernie » 16 Jun 2019 11:27

Thanks biggsy for your comments

ernie
Forum Moderator

Re: Access / Public keys

#13

Post by ernie » 16 Jun 2019 12:53

Another solution: I used the default name for the key.

ernie
Forum Moderator

Re: Access / Public keys

#14

Post by ernie » 22 Jun 2019 18:41

Hello,

New issue.

I would like to avoid a password between my 2 NAS for zrep synchronisation via ssh.

I generate an ssh key on nas1. I copy and paste the public key in nas2 (Access > Public Keys) for the root user.
Same for nas1: I generate an ssh key on nas2. I copy and paste the public key in nas1 (Access > Public Keys) for the root user.

I managed the chmod command for the file 'authorized_keys'.

Now I have this:

Code:

nas4free1: /# ssh root@192.168.xxx.yyy
root@192.168.150.25's password: 
but with option -i:

Code:

nas4free1: /# ssh -i /root/.ssh/nas1 192.168.xxx.yyy
Last login: Sat Jun 22 18:30:20 2019 from 192.168.xxx.yyy
Welcome to XigmaNAS!
nas4free2: ~# 
Why do I have to put the -i option?

Do I need to put a specific parameter in the ssh service (the 'additional parameters' box)?

Thanks for your help.

Cyberpower678
NewUser
Posts: 9
Joined: 22 Jun 2019 21:26

Re: Access / Public keys

#15

Post by Cyberpower678 » 22 Jun 2019 21:29

There is a minor bug I discovered that is responsible for my cases not working. Every authorized_keys file it generated made root the owner. The file must carry the user's own ID as the owner and must also carry the primary group that user is a part of. Only the owner can read and write to it, but no one is allowed to. If these conditions are not met, public key authentication will fail.
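The ownership and permission rules Cyberpower678 describes here, together with the missing-home-directory case ms49434 raised in post #2, are exactly what sshd verifies under its default StrictModes setting before it will accept a key from authorized_keys: the home directory, ~/.ssh and the file itself must be owned by the user (or root) and must not be writable by group or others. The Python below is an added example written for this thread, not XigmaNAS code or any poster's script; audit_home() reports every condition sshd would reject, audit_user() looks a real account up in the password database, and demo() builds constructed good, bad and missing home directories in a temporary folder so the check can be exercised without touching a live system.

```python
"""Audit the files sshd checks before accepting a user's authorized_keys.

Added example (not XigmaNAS code).  With the default "StrictModes yes", sshd
ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file
itself is owned by someone other than the user (or root) or is writable by
group/others.  A missing home directory means the file cannot exist at all.
"""
import os
import pwd
import stat
import tempfile
from typing import List


def _check(path: str, uid: int, want_dir: bool, findings: List[str]) -> None:
    """Append a finding for every condition at `path` that sshd would reject."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        findings.append(f"{path}: missing")
        return
    if want_dir != stat.S_ISDIR(st.st_mode):
        findings.append(f"{path}: expected a {'directory' if want_dir else 'file'}")
    if st.st_uid not in (uid, 0):
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid} (or root)")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {stat.S_IMODE(st.st_mode):o})")


def audit_home(home: str, uid: int) -> List[str]:
    """Return the problems found; an empty list means the StrictModes checks pass."""
    findings: List[str] = []
    _check(home, uid, True, findings)
    if findings and findings[0].endswith(": missing"):
        return findings  # no home directory: nothing below it can exist
    _check(os.path.join(home, ".ssh"), uid, True, findings)
    _check(os.path.join(home, ".ssh", "authorized_keys"), uid, False, findings)
    return findings


def audit_user(name: str) -> List[str]:
    """Look a real account up in the password database and audit its home."""
    pw = pwd.getpwnam(name)
    return audit_home(pw.pw_dir, pw.pw_uid)


def demo() -> dict:
    """Audit constructed good, bad and missing home directories in a temp folder."""
    uid = os.getuid()  # files created below are owned by the current user
    results = {}
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good")
        os.makedirs(os.path.join(good, ".ssh"))
        os.chmod(good, 0o755)
        os.chmod(os.path.join(good, ".ssh"), 0o700)
        ak = os.path.join(good, ".ssh", "authorized_keys")
        with open(ak, "w") as f:
            f.write("# constructed placeholder, no real keys\n")
        os.chmod(ak, 0o600)
        results["good"] = audit_home(good, uid)

        bad = os.path.join(root, "bad")
        os.makedirs(os.path.join(bad, ".ssh"))
        os.chmod(bad, 0o755)
        os.chmod(os.path.join(bad, ".ssh"), 0o777)  # group/world writable
        ak = os.path.join(bad, ".ssh", "authorized_keys")
        open(ak, "w").close()
        os.chmod(ak, 0o666)  # sshd will refuse to use this file
        results["bad"] = audit_home(bad, uid)

        results["missing"] = audit_home(os.path.join(root, "nobody"), uid)
    return results


if __name__ == "__main__":
    import sys
    for user in sys.argv[1:] or ["root"]:
        problems = audit_user(user)
        print(f"{user}: " + ("ok" if not problems else "; ".join(problems)))
```

Run it as root on the NAS with the user names to check (`python3 audit_keys.py root someuser`, with the file name being an assumed one); an empty result for a user whose key still fails points the investigation at the client side (which identity the client offers, see the -i and IdentityFile discussion above) rather than at file ownership.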

ms49434
Developer

Re: Access / Public keys

#16

Post by ms49434 » 22 Jun 2019 22:04

Cyberpower678 wrote:
22 Jun 2019 21:29
There is a minor bug I discovered that is responsible for my cases not working. Every authorized_keys file it generated made root the owner. The file must carry the user's own ID as the owner and must also carry the primary group that user is a part of. Only the owner can read and write to it, but no one is allowed to. If these conditions are not met, public key authentication will fail.
Release 11.2/12.0, 6766 sets the owner of authorized_keys to the user.

biggsy
experienced User

Re: Access / Public keys

#17

Post by biggsy » 23 Jun 2019 03:54

ernie wrote:
22 Jun 2019 18:41

I generate an ssh key on nas1. I copy and paste the public key in nas2 (Access > Public Keys) for the root user.
Same for nas1: I generate an ssh key on nas2. I copy and paste the public key in nas1 (Access > Public Keys) for the root user.

Why do I have to put the -i option?

Do I need to put a specific parameter in the ssh service (the 'additional parameters' box)?

Thanks for your help.
Hi ernie,

You didn't mention whether you also pasted the private key generated on nas1 into the Private Key field on nas1.

If you didn't, it's likely that the SSH client on nas1 doesn't know where to find its private key. You would then have to use the -i option to tell it to look in /root/.ssh/nas1.

(I'm assuming that the Private Key field in Services > SSH is for root only.)

Cyberpower678
NewUser

Re: Access / Public keys

#18

Post by Cyberpower678 » 23 Jun 2019 21:16

ms49434 wrote:
22 Jun 2019 22:04
Cyberpower678 wrote:
22 Jun 2019 21:29
There is a minor bug I discovered that is responsible for my cases not working. Every authorized_keys file it generated made root the owner. The file must carry the user's own ID as the owner and must also carry the primary group that user is a part of. Only the owner can read and write to it, but no one is allowed to. If these conditions are not met, public key authentication will fail.
Release 11.2/12.0, 6766 sets the owner of authorized_keys to the user.
That's great but I found another bug which is more serious. Disabling and deleting do not work. While creating keys writes new entries into authorized_keys as the user, deleting or disabling them will not prevent the key from working.

ms49434
Developer

Re: Access / Public keys

#19

Post by ms49434 » 23 Jun 2019 21:38

Cyberpower678 wrote:
23 Jun 2019 21:16
That's great but I found another bug which is more serious. Disabling and deleting do not work. While creating keys writes new entries into authorized_keys as the user, deleting or disabling them will not prevent the key from working.
You have to manually delete the authorized_keys file.
The reason behind this behaviour is that we have users who manually create the authorized_keys file. Those files would get deleted without a warning when only disabled records for that user exist in the Public Key configuration.
You will recognize the same behaviour when you delete all public keys of a user: the authorized_keys file will still exist and must be deleted manually.
I looked at all possible scenarios but I wasn't able to find a bullet-proof solution.

Cyberpower678
NewUser

Re: Access / Public keys

#20

Post by Cyberpower678 » 23 Jun 2019 22:35

ms49434 wrote:
23 Jun 2019 21:38
You have to manually delete the authorized_keys file.
The reason behind this behaviour is that we have users who manually create the authorized_keys file. Those files would get deleted without a warning when only disabled records for that user exist in the Public Key configuration.
You will recognize the same behaviour when you delete all public keys of a user: the authorized_keys file will still exist and must be deleted manually.
I looked at all possible scenarios but I wasn't able to find a bullet-proof solution.
I have an idea for you then. Whenever the WebUI attempts to modify an authorized_keys file, if it finds an existing one, it will scan the file and parse all of the keys in there, and make them visible to the UI admin. If the key being added is already there, it will do nothing and tell the user the key already exists; if it doesn't, it will add it to the file and report the other keys found there. If it sees a key that is commented out, it will report that key but mark it as disabled.

When a file modification happens, it will re-parse the file, and reformat the keys to make the formatting consistent.

As for deleting, with file re-parsing/formatting happening before the action, you can now simply do a search and replace deletion operation on the file and trim excess newlines, without danger of killing manually added keys. The same applies for commenting out, i.e. disabling the keys.

As an added bonus, you can add a button to the UI to scan all the key files of the users and update the listing on the UI.

ms49434
Developer

Re: Access / Public keys

#21

Post by ms49434 » 24 Jun 2019 00:28

Cyberpower678 wrote:
23 Jun 2019 22:35
I have an idea for you then. Whenever the WebUI attempts to modify an authorized_keys file, if it finds an existing one, it will scan the file and parse all of the keys in there, and make them visible to the UI admin. If the key being added is already there, it will do nothing and tell the user the key already exists; if it doesn't, it will add it to the file and report the other keys found there. If it sees a key that is commented out, it will report that key but mark it as disabled.

When a file modification happens, it will re-parse the file, and reformat the keys to make the formatting consistent.

As for deleting, with file re-parsing/formatting happening before the action, you can now simply do a search and replace deletion operation on the file and trim excess newlines, without danger of killing manually added keys. The same applies for commenting out, i.e. disabling the keys.

As an added bonus, you can add a button to the UI to scan all the key files of the users and update the listing on the UI.
Many thanks for the idea but unfortunately authorized_keys is not that straightforward. A parser would be required to extract the key from the string.
Source: FreeBSD sshd, section authorized_keys file format.

With Sourceforge commit 6772 I have now implemented a more stringent solution which rewrites the authorized_keys files when a record (public key) is added, modified, enabled or disabled and which deletes an authorized_keys file of a user when a public key is deleted (it will be recreated as needed in the next step).
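ms49434's point is that rewriting authorized_keys safely needs a real parser for the format documented in sshd(8), and Cyberpower678's proposal in post #20 depends on being able to tell GUI-managed entries, hand-added entries and commented-out (disabled) entries apart. The Python below is an added example written for this thread, not the XigmaNAS implementation from commit 6772: it parses each line as `[options] keytype base64-key [comment]`, honours quoted option values that contain spaces or commas (the reason a naive split fails), rejects a line whose base64 blob does not start with its own key type (sshd does the same), and removes or comments out exactly one key while leaving every other line, including manually added ones, untouched. The sample file, host names and keys in it are constructed: syntactically valid, cryptographically meaningless.

```python
"""Parse and rewrite an OpenSSH authorized_keys file (added example, not XigmaNAS code).

Format per sshd(8), AUTHORIZED_KEYS FILE FORMAT:  [options] keytype base64-key [comment]
Empty lines and lines starting with '#' are ignored by sshd.  Option values may be
quoted and then contain spaces and commas, so splitting on whitespace is not enough.
"""
import base64
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class Entry:
    keytype: str
    key: str                 # base64 blob exactly as written in the file
    comment: str = ""
    options: str = ""
    disabled: bool = False   # the line was commented out with '#'
    line_no: int = 0


def _take_token(s: str) -> Tuple[str, str]:
    """Split off the first token, ending at the first whitespace outside double quotes."""
    out, i, quoted = [], 0, False
    while i < len(s):
        c = s[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted and i + 1 < len(s):
            out.append(c)          # keep the escape and the escaped character verbatim
            i += 1
            c = s[i]
        elif c.isspace() and not quoted:
            break
        out.append(c)
        i += 1
    return "".join(out), s[i:].lstrip()


def _blob_matches(keytype: str, key_b64: str) -> bool:
    """sshd rejects a key whose decoded blob does not begin with its own type string."""
    try:
        blob = base64.b64decode(key_b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + n] == keytype.encode()
    except Exception:
        return False


def parse_line(line: str, line_no: int = 0) -> Optional[Entry]:
    """Return an Entry for a key line (enabled or commented out), else None."""
    text = line.strip()
    disabled = text.startswith("#")
    if disabled:
        text = text.lstrip("#").strip()
    if not text:
        return None
    first, rest = _take_token(text)
    options = ""
    if first not in KEY_TYPES:       # then the leading token must be the option list
        options = first
        first, rest = _take_token(rest)
        if first not in KEY_TYPES:
            return None              # plain comment or junk; sshd skips it too
    key, comment = _take_token(rest)  # the comment is the remainder of the line
    if not _blob_matches(first, key):
        return None
    return Entry(first, key, comment, options, disabled, line_no)


def parse_authorized_keys(text: str) -> List[Entry]:
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line, n)
        if entry:
            entries.append(entry)
    return entries


def _rewrite(text: str, keytype: str, key: str, action) -> str:
    """Apply `action` to the enabled line holding (keytype, key); keep all other lines."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and not e.disabled and e.keytype == keytype and e.key == key:
            line = action(line)
            if line is None:
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def remove_key(text: str, keytype: str, key: str) -> str:
    return _rewrite(text, keytype, key, lambda _line: None)


def disable_key(text: str, keytype: str, key: str) -> str:
    return _rewrite(text, keytype, key, lambda line: "#" + line)


def constructed_key(keytype: str) -> str:
    """Constructed blob: correct type prefix, all-zero key material (not a usable key)."""
    kt = keytype.encode()
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + b"\x00" * 32
    return base64.b64encode(blob).decode()


K1 = constructed_key("ssh-ed25519")
K2 = constructed_key("ssh-rsa")
SAMPLE = (  # constructed file: one hand-written comment, one live key, one disabled key, one junk line
    "# keys added by hand, not through the WebGUI\n"
    f'from="192.168.0.0/24",command="/usr/local/bin/zrep sync",no-pty ssh-ed25519 {K1} root@nas1\n'
    f"#ssh-rsa {K2} old-laptop (disabled)\n"
    "this line is not a key and sshd would ignore it\n"
)
```

Matching on the (keytype, key) pair rather than on the whole line is what makes a GUI-side delete or disable safe: a key that an admin re-pasted with different options or a different comment is still recognised, while lines the parser cannot attribute to a key are never touched. The type check in _blob_matches also catches a paste where the key type label and the blob disagree, which sshd would silently ignore at login time.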
