[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Impossible to change ownership of a file to user when user is UID 0

On Mon, May 1, 2023 at 10:44 AM Pierre Willaime
<pierre.willaime@univ-lorraine.fr> wrote:
> Hi,
> I am unable to connect via SSH without password (ssh-copy-id was launched) to a VM running Debian Stable.
> After some investigations, it is most likely a permission issue
> May  1 15:32:42 vm sshd[131848]: debug1: trying public key file /home/user/.ssh/authorized_keys
> May  1 15:32:42 vm sshd[131848]: debug1: fd 5 clearing O_NONBLOCK
> May  1 15:32:42 vm sshd[131848]: Authentication refused: bad ownership or modes for directory /home/user
> On this system (not installed by me), my user has an UID and GID of 0 in /etc/passwd. Several users share root privileges like this on the server.
> After a ssh connexion (it is working with password authentification) done as 'user'
>         $ ssh user@server
>         user@server's password: ....
> I am directly connected as root
>         root@server:~# whoami
>         root
>         root@server:~# su user
>         root@server:~# whoami
>         root
> .ssh files of user directory are owned by root
> # ls -la /home/user/.ssh/
> total 4
> drwx------ 2 root user  29  1 mai   15:38 .
> drwxr-xr-x 3 1001 user 106 11 févr. 11:10 ..
> -rw------- 1 root user 395  1 mai   15:38 authorized_keys

Perform a `chown -R user:group /home/user/*`. Then perform a `chmod -R
o-rwx /home/user/.ssh/`. (You only need to remove 'other' access).

> I tried to change the owner of the file authorized_keys (I guess if it matches the user used in ssh connexion command, it will allow the ssh connexion by keys) but chown fails silently.
>         root@server:~# chown user /home/user/.ssh/authorized_keys
>         root@server:~# ls -la /home/user/.ssh/authorized_keys
>         -rw------- 1 root user 395  1 mai   15:38 .ssh/authorized_keys
> I tried a `chattr -i` on the file, unsuccessfully.
> If I launch again ssh-copy-id with root@server instead of user@server, I can connect without password. But I would prefer to connect with my user.
> What is my best move here?

Root is usually not allowed to login via ssh. Login as a regular user,
then do something like `sudo -i` or `sudo su -`.

If you want to allow root logins, I believe your sshd_config needs to
be updated. Here's the one I set to disallow root. You should do the

$ cat /etc/ssh/sshd_config.d/20-no_root_login.conf
PermitRootLogin no

I also only allow PublicKey methods:
 cat /etc/ssh/sshd_config.d/10-pubkey_auth.conf
# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication no
UsePAM no

# Enable public key
PubkeyAuthentication yes


Reply to: