After generating ssh keys, I have tried to login but, I am getting a message Permission denied (publickey). This seems to be an error in access permissions.
After generating ssh keys for logging into cluster, when i give the command below from the terminal
$> ls -l ~/.ssh/id_*
I should get in return:
-rw------- 1 git git 751 Mar 1 20:16 /home/username/.ssh/id_rsa
-rw-r--r-- 1 git git 603 Mar 1 20:16 /home/username/.ssh/id_rsa.pub
Instead I am getting:
-rw-r--rw- 1 ubuntu ubuntu 3381 févr. 15 18:35 /home/ubuntu.ssh/id_rsa
-rw-r--rw- 1 ubuntu ubuntu 737 févr. 15 18:35 /home/ubuntu/.ssh/id_rsa.pub
Hence login fails with message:
Permission denied (publickey).
Related
Using:
podman version 4.2.0
AlmaLinux 8.7
I've created an image based on redhat/ubi8 with the following Dockerfile:
FROM docker.io/redhat/ubi8
RUN dnf install -y gcc-c++ cmake python39 openssh git
RUN useradd -ms /bin/bash foobar -g users
USER foobar
WORKDIR /home/foobar/
RUN mkdir -p .ssh
$ docker build -t mount_test_image .
I run the image from a directory that contains a directory ssh, and I want to mount that directory to /home/foobar/.ssh with ownership of foobar.users
$ ls -l
-rw-r--r--. 1 host_user users 269 Dec 7 09:10 Dockerfile
drwxrwxr-x. 2 host_user users 18 Dec 2 10:41 ssh
docker run -it -d --rm --mount type=bind,src=ssh,target=/home/foobar/.ssh --name=mount_test mount_test_image
However when I enter the container via
docker exec -it mount_test '/bin/sh'
The home directory looks like this:
drwx------. 1 foobar users 18 Dec 7 17:10 .
drwxr-xr-x. 1 root root 21 Dec 7 17:10 ..
-rw-r--r--. 1 foobar users 18 Jun 20 11:31 .bash_logout
-rw-r--r--. 1 foobar users 141 Jun 20 11:31 .bash_profile
-rw-r--r--. 1 foobar users 376 Jun 20 11:31 .bashrc
drwxrwxr-x. 2 root root 18 Dec 2 18:41 .ssh
I obviously get a "permission denied" when trying to access that directory.
sh-4.4$ ls /home/foobar/.ssh
ls: cannot open directory '/home/foobar/.ssh': Permission denied
I tried changing the ownership of the directory on the host to match the uid of the container user, but then it just looks like this:
drwxrwxr-x. 2 nobody root 18 Dec 2 18:41 .ssh
My host user uid:gid is 501:100 and the container user is 1000:100. Right now I'm just trying to generate an ssh key to upload to bitbucket, but this seems like a simple feature a container should be have. All the tutorials and examples just stop after the --mount command instruction and say "there ya go!". What good is the mount point if you can't read/write it?
EDIT:
I tried on Archlinux using docker instead of podman and it works like one would expect with both -v and --mount. The owner of the mounted directory in the container matches the uid and gid of the host. Is this then a bug in podman or is it just done differently?
You are using a non-root user (foobar) in a rootless container. You must use --userns=keep-id for the container user to see the mounted volumes.
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#using-volumes
I am new to cygwin. I have problems to use ssh there.
When I try using it I get the following error:
$ ssh -i /home/Sebastian/.ssh/id_rsa user#domain
Warning: Identity file /home/Sebastian/.ssh/id_rsa not accessible: No such file or directory.
user#domain: Permission denied (publickey).
permissions are set as following:
drwx------+ 1 Sebastian Kein 0 Dec 31 15:06 /home/Sebastian/.ssh
-rw------- 1 Sebastian Kein 1766 Oct 11 22:24 /home/Sebastian/.ssh/id_rsa
I mounted / to C:\programs\cygwin64
part 2, I added some changes:
I removed all world and group permissions on id_rsa in Windows 10
The following works now:
> ssh -i .ssh/id_rsa user#domain
Any other way to access the id_rsa file fails (/home/Sebastian/.ssh/id_rsa or ~/.ssh/id_rsa) for example. Neither does rsync with ssh work
Does anyone have an idea whats wrong here?
The plus in drwx------+ suggests there is extended ACL.
What you can try is to do a backup of /etc/fstab, then change the line to :
none /cygdrive cygdrive binary,noacl,posix=0,user 0 0
and restart Windows and try ssh again.
I cannot find a way to use the running SSH server on GH Actions.
When I try to connect to 127.0.0.1 via ssh, there is a server, and responds, but
somehow ignores the configuration files in .ssh (or whatever the case may be).
Here is what script I used (the general setup does not seem to influence the results):
ssh-keygen -t ed25519 -f ~/.ssh/whatever -N ''
cat > ~/.ssh/config <<EOF
Host host.example
User $USER
HostName 127.0.0.1
IdentityFile ~/.ssh/whatever
EOF
echo -n 'from="127.0.0.1" ' | cat - ~/.ssh/whatever.pub > ~/.ssh/authorized_keys
ssh -o 'StrictHostKeyChecking no' host.example id
I am not satisfied with the results, since I cannot reproduce the log locally
(every machine I have behaves normally, i.e. allows to execute the command).
Generating public/private ed25519 key pair.
Created directory '/home/runner/.ssh'.
Your identification has been saved in /home/runner/.ssh/whatever.
Your public key has been saved in /home/runner/.ssh/whatever.pub.
The key fingerprint is:
SHA256:2ZCprVg5rZXp0IguQlCanUVTlCX7IFt2TPTnimdk0gM runner#fv-az60
The key's randomart image is:
+--[ED25519 256]--+
| ..+o+++ |
| = o ..= + |
|+ o . = E . . |
|. * # O o |
| . o B S * . |
|. . o B = o |
|. . o o o + |
| . . o |
| |
+----[SHA256]-----+
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
runner#127.0.0.1: Permission denied (publickey,password).
##[error]Process completed with exit code 255.
This is a permissions issue. By default, the permissions on the home folder in the container are too broad for the ssh daemon to accept (world/others read/write), so the server-side rejects your connection. Removing world/others read/write permission on your home directory fixes ths issue.
To fix, add the following to your script, just before the ssh call. This command removes the others read/write permission on the home directory:
chmod og-rw ~
Evidence:
name: ssh-example
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Run a multi-line script
run: |
ssh-keygen -t ed25519 -f ~/.ssh/whatever -N ''
cat > ~/.ssh/config <<EOF
Host host.example
User $USER
HostName 127.0.0.1
IdentityFile ~/.ssh/whatever
EOF
echo -n 'from="127.0.0.1" ' | cat - ~/.ssh/whatever.pub > ~/.ssh/authorized_keys
echo "Before fixing permissions on authorized_keys, notice home directory is world read/write"
ls -la ~/.ssh
ssh -o 'StrictHostKeyChecking no' host.example id || echo "ssh failed as expected... trying to fix permissions"
chmod og-rw ~
echo "After fixing permissions on home folder ~ ..."
ls -la ~/.ssh
ssh -o 'StrictHostKeyChecking no' host.example id
Output from the Github Action:
Generating public/private ed25519 key pair.
Created directory '/home/runner/.ssh'.
Your identification has been saved in /home/runner/.ssh/whatever.
Your public key has been saved in /home/runner/.ssh/whatever.pub.
The key fingerprint is:
SHA256:vKl342+LK4YP7Kj00Eqm1Jnst/7ED3Pzu/6TPOiHoUc runner#fv-az76
The key's randomart image is:
+--[ED25519 256]--+
| |
| |
| |
| . |
| S |
| o.o.. o E |
| .==. o*ooo = . |
|.=.+ +ooO.==.* |
|. oo=o==.=B#Boo |
+----[SHA256]-----+
Before fixing permissions on authorized_keys, notice home directory is world read/write
total 24
drwx------ 2 runner docker 4096 Feb 23 21:58 .
drwxrwxrwx 8 runner docker 4096 Feb 23 21:58 ..
-rw-r--r-- 1 runner docker 113 Feb 23 21:58 authorized_keys
-rw-r--r-- 1 runner docker 89 Feb 23 21:58 config
-rw------- 1 runner docker 411 Feb 23 21:58 whatever
-rw-r--r-- 1 runner docker 96 Feb 23 21:58 whatever.pub
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
runner#127.0.0.1: Permission denied (publickey,password).
ssh failed as expected... trying to fix permissions
After fixing permissions on home folder ~ ...
total 28
drwx------ 2 runner docker 4096 Feb 23 21:58 .
drwx--x--x 8 runner docker 4096 Feb 23 21:58 ..
-rw-r--r-- 1 runner docker 113 Feb 23 21:58 authorized_keys
-rw-r--r-- 1 runner docker 89 Feb 23 21:58 config
-rw-r--r-- 1 runner docker 222 Feb 23 21:58 known_hosts
-rw------- 1 runner docker 411 Feb 23 21:58 whatever
-rw-r--r-- 1 runner docker 96 Feb 23 21:58 whatever.pub
uid=1001(runner) gid=115(docker) groups=115(docker)
Permission Denied can be caused by multiple reasons.
this is code from github repo
if (options.control_master == SSHCTL_MASTER_ASK ||
options.control_master == SSHCTL_MASTER_AUTO_ASK) {
if (!ask_permission("Allow shared connection to %s? ", host)) {
debug2("%s: session refused by user", __func__);
reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
"Permission denied");
this is caused by refused connection
probable causes.
sshd daemon i.e. ssh server is not running
user has no permission to ssh.
only root has permission to ssh.
check
# systemctl status sshd.service |grep Active
also check
# cat /etc/ssh/sshd_config
I don't think .ssh permissions are issue.
as they are created by user.
user permission mask is mostly 755. which is why not having permission for same user
to its own .ssh directory is highly unlikely.
Do let me know if problem persists.
I'm trying to setup a minecraft server for my kid and screen is giving me fits. I've been following this tutorial and I've already consulted this AskUbuntu answer. I'm running on Ubuntu 16.04.5 x64. I have created the following Service file and linked it to /etc/systemd/system/minecraft.service.
[Unit]
Description=Minecraft Server
Documentation=
Wants=network.target
After=network.target
[Service]
User=minecraft
Group=minecraft
Nice=5
EnvironmentFile=-/var/minecraft/unit.conf
KillMode=none
SuccessExitStatus=0 1
ProtectHome=true
ProtectSystem=full
PrivateDevices=true
NoNewPrivileges=true
PrivateTmp=true
InaccessibleDirectories=/root /sys /srv -/opt /media -/lost+found
ReadWriteDirectories=/var/minecraft/server /usr/bin/screen
WorkingDirectory=/var/minecraft/server
#ExecStartPre= /usr/bin/screen -dmS Minecraft
ExecStart= /usr/bin/screen -dm -S Minecraft '/usr/bin/java -Xmx1500M -Xms1024M -jar /var/minecraft/server/craftbukkit-1.13.jar'
ExecStop=/usr/bin/screen -S minecraft -p 0 -X stuff "stop^M"
[Install]
WantedBy=multi-user.target
When I monitor the service startup, I get the following in the journalctl logs:
Aug 05 14:55:41 spigot-1 systemd[1]: Started Minecraft Server.
Aug 05 14:55:41 spigot-1 screen[9869]: No screen session found.
Per the SO post I referenced, I already changed the permissions in /var/run/screen. This is the current setup:
root#spigot-1:/var/minecraft/server# ls -alR /var/run/screen/
/var/run/screen/:
total 0
drwxrwxrwx 4 root root 80 Aug 5 14:12 .
drwxr-xr-x 23 root root 860 Aug 5 14:11 ..
drwx------ 2 minecraft minecraft 40 Aug 5 14:55 S-minecraft
drwx------ 2 root root 40 Aug 5 14:50 S-root
/var/run/screen/S-minecraft:
total 0
drwx------ 2 minecraft minecraft 40 Aug 5 14:55 .
drwxrwxrwx 4 root root 80 Aug 5 14:12 ..
/var/run/screen/S-root:
total 0
drwx------ 2 root root 40 Aug 5 14:50 .
drwxrwxrwx 4 root root 80 Aug 5 14:12 ..
** Debug Notes **
You'll see the commented ExecStartPre command in there... all that happens if I try to start the screen session with that command is I get a second 'No screen session found' error.
I can launch the server from the command line using 'screen -dmS Minecraft [..]' and reattach. I can do this both as root and as the 'minecraft' user.
Any help would be greatly appreciated
I don't have Ubuntu to hand, but I tried something similar on Fedora 24 and had a similar error. To investigate I added an strace to the screen command and removed PrivateTmp so that I could get the trace output.
ExecStart=/bin/strace -o /tmp/s -f screen -dm -S me bash -c 'sleep 999'
In the output I found that at the end, screen was trying to open a pseudo-tty and failed to do so:
open("/dev/ptmx", O_RDWR) = -1 EACCES (Permission denied)
...
write(1, "No more PTYs.\r\nSorry, could not "..., 52) = 52
I added some ls -l /dev commands to the Unit to see what the effect of the PrivateDevices=true option had been. There was indeed a /dev/ptmx file, but unlike my real /dev it was a symbolic link to /dev/pts/ptmx, instead of just being the special character device. For some reason on my system I have:
$ ls -l /dev/ptmx /dev/pts/ptmx
crw-rw-rw- 1 root tty 5, 2 Aug 6 14:29 /dev/ptmx
c--------- 1 root root 5, 2 Jun 27 08:29 /dev/pts/ptmx
(This is probably a bug depending on the version of systemd and udev.)
So when /dev/ptmx is replaced in the private namespace by a symbolic link to /dev/pts/ptmx, you can no longer open a new pty. A simple fix for testing was sudo chmod a+rw /dev/pts/ptmx which indeed made the Unit work and start the screen process.
This may not be the case for you, but you could undertake a similar debug method to try to find the problem.
I want to be able to read and write ttyACM device, particularly Arduino Leonardo board under Fedora.
I made a following rule:
SUBSYSTEM=="tty", ATTRS{idVendor}=="2341", ATTRS{idProduct}=="8036", SYMLINK+="arduino", MODE="0660", GROUP="plugdev"
Symlink is created but I do not have permission to read the device:
[nexy#shire ~]$ cat /dev/arduino
cat: /dev/arduino: Permission denied
Showing ls gives the following:
[nexy#shire ~]$ ls -l /dev/arduino /dev/ttyACM0
lrwxrwxrwx. 1 root root 7 Dec 18 15:25 /dev/arduino -> ttyACM0
crw-rw----. 1 root dialout 166, 0 Dec 18 15:25 /dev/ttyACM0
When I change mode to 0666 then it works. I belong to the group plugdev:
[nexy#shire ~]$ sudo groups nexy
nexy : nexy wheel plugdev
You might have to log out and log back in or restart your computer if you just added yourself to the group recently.