
Re: Impossible to change ownership of a file to user when user is UID 0



On Mon, May 1, 2023 at 10:44 AM Pierre Willaime
<pierre.willaime@univ-lorraine.fr> wrote:
>
> Hi,
>
> I am unable to connect via SSH without password (ssh-copy-id was launched) to a VM running Debian Stable.
>
> After some investigation, it is most likely a permission issue:
>
> May  1 15:32:42 vm sshd[131848]: debug1: trying public key file /home/user/.ssh/authorized_keys
> May  1 15:32:42 vm sshd[131848]: debug1: fd 5 clearing O_NONBLOCK
> May  1 15:32:42 vm sshd[131848]: Authentication refused: bad ownership or modes for directory /home/user
>
> On this system (not installed by me), my user has a UID and GID of 0 in /etc/passwd. Several users share root privileges like this on the server.
>
> After an SSH connection (it is working with password authentication) done as 'user'
>
>         $ ssh user@server
>         user@server's password: ....
>
> I am directly connected as root
>
>         root@server:~# whoami
>         root
>         root@server:~# su user
>         root@server:~# whoami
>         root
>
> The .ssh files in the user's directory are owned by root:
>
> # ls -la /home/user/.ssh/
> total 4
> drwx------ 2 root user  29  1 mai   15:38 .
> drwxr-xr-x 3 1001 user 106 11 févr. 11:10 ..
> -rw------- 1 root user 395  1 mai   15:38 authorized_keys

Perform a `chown -R user:group /home/user/*`. Then perform a
`chmod -R o-rwx /home/user/.ssh/`. (You only need to remove 'other' access).

> I tried to change the owner of the file authorized_keys (I guess if it matches the user used in the ssh connection command, it will allow the ssh connection by keys) but chown fails silently.
>
>         root@server:~# chown user /home/user/.ssh/authorized_keys
>         root@server:~# ls -la /home/user/.ssh/authorized_keys
>         -rw------- 1 root user 395  1 mai   15:38 .ssh/authorized_keys
>
> I tried a `chattr -i` on the file, unsuccessfully.
>
> If I launch again ssh-copy-id with root@server instead of user@server, I can connect without password. But I would prefer to connect with my user.
>
> What is my best move here?

Root is usually not allowed to log in via ssh. Log in as a regular user,
then do something like `sudo -i` or `sudo su -`.

If you want to allow root logins, I believe your sshd_config needs to
be updated. Here's the one I set to disallow root. You should do the
opposite:

$ cat /etc/ssh/sshd_config.d/20-no_root_login.conf
PermitRootLogin no

I also only allow PublicKey methods:
$ cat /etc/ssh/sshd_config.d/10-pubkey_auth.conf
# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication no
UsePAM no

# Enable public key
PubkeyAuthentication yes

Jeff
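As an added illustration that is not part of this thread, the following Python is my own simplified model of the ownership-and-mode walk sshd performs under StrictModes before it trusts an authorized_keys file (it is not OpenSSH's code); the `Entry` table is constructed from the `ls -la` listing in the original message, and the function name is mine.

```python
import posixpath
from typing import Dict, NamedTuple, Optional


class Entry(NamedTuple):
    uid: int    # owner uid, as ls -la would show it
    mode: int   # permission bits only


def check_authorized_keys(fs: Dict[str, Entry], path: str, uid: int,
                          homedir: str) -> Optional[str]:
    """Model of sshd's StrictModes walk: the key file and every directory
    from it up to the home directory must be owned by the login uid or by
    root, and must not be group- or world-writable. Returns None when the
    check passes, otherwise a message in the style of the sshd log line."""
    def bad(e: Entry) -> bool:
        return (e.uid != 0 and e.uid != uid) or (e.mode & 0o022) != 0

    if bad(fs[path]):
        return f"bad ownership or modes for file {path}"
    d = path
    while True:
        d = posixpath.dirname(d)
        if bad(fs[d]):
            return f"bad ownership or modes for directory {d}"
        if d in (homedir, "/"):
            return None


# Constructed from the listing in the message: /home/user is owned by uid
# 1001, .ssh and authorized_keys by root, and the login account 'user' has
# UID 0, so "user" and root are the same owner as far as this check goes.
AS_LISTED = {
    "/": Entry(0, 0o755),
    "/home": Entry(0, 0o755),
    "/home/user": Entry(1001, 0o755),
    "/home/user/.ssh": Entry(0, 0o700),
    "/home/user/.ssh/authorized_keys": Entry(0, 0o600),
}
AFTER_CHOWN = {**AS_LISTED, "/home/user": Entry(0, 0o755)}
WORLD_WRITABLE_HOME = {**AFTER_CHOWN, "/home/user": Entry(0, 0o777)}

KEYFILE = "/home/user/.ssh/authorized_keys"

if __name__ == "__main__":
    for name, fs in [("as listed", AS_LISTED), ("after chown", AFTER_CHOWN),
                     ("o+w home", WORLD_WRITABLE_HOME)]:
        print(f"{name:12} ->", check_authorized_keys(fs, KEYFILE, 0, "/home/user"))
```

With the listing as posted and a login uid of 0, the walk stops at /home/user because that directory is owned by uid 1001, which is neither the login uid nor root; that is the same directory named in the "bad ownership or modes" log line, and making it root-owned (or not world-writable, in the third case) is what lets the check pass.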

