I cannot get public key authentication working for SSH/SFTP. I have copy/pasted the key into the User form, and the form validates it properly, but I cannot connect via SSH or SFTP without entering a password. I’m connecting from a Mac via command-line, and I am able to add the same SSH key to my Raspberry Pi running Raspbian and connect without any issues, so I know that the key is valid. When that didn’t work, I also tried using ssh-copy-id from the command line on my Mac (installed from Homebrew as Mac doesn’t have this natively) as was suggested in another message in this forum, but it won’t add the key in this manner due to the way that Rockstor manages SSH. That said, I really need to get public key SSH working. Any suggestions would be greatly appreciated!
@stealthdave Welcome to the Rockstor community.
Have you honoured the ‘constraints’ within which Rockstor manages SFTP:
i.e. as per the Secure File Transport Protocol (SFTP)
We currently allow, by default, only root via SSH, which is at least more secure than our upstream distro base.
Agreed in part, our current Linux distro base of CentOS allows root ssh by default, and all other users. However our ‘in progress’ move to openSUSE should disable this root login option as per their default. And we need as a result to re-address our ssh access setup as part of that move.
Please be patient as we are a small but dedicated team and if you don’t like how we do a thing then do please fork our GPL code on GitHub and do it your way, or engage more constructively so we might make things better.
And if things are Urgent then do please reference upstream’s (CentOS) docs re sshd configuration.
Some rare approaches on this forum are discouraged and I see an element of your approach that fits this bill. I would request that you please edit your original post or have it deleted. There are many helpful forum members that will gladly step up to help on such an issue and the majority of bug fixes stem from posts here as well but I personally am discouraged by the tone of your post. Hence my request. The Rockstor forum is very much moderated and I am the current moderator and it is with this hat on that I am obliged to request this change.
Hope that helps.
I apologize for letting my frustration get the better of me. I’ve been working on this for several days on my own, and none of the usual items that would cause this issue appear to be the problem.
I have honored the constraints within Rockstor’s SSH/SFTP setup, but when that did not work and I verified that similar setups do work in other *NIX environments, I tried other methods and changes to the sshd_config in order to get it to work, but to no avail. I have since reverted all of these changes back to default, but SSH Public Key authentication still does not work. I logged in as root and was able to verify that the key is present in /home/user/.ssh/authorized_keys. I have rebooted and restarted sshd numerous times, but I have been unable to get public key authorization working. Again, any suggestions would be greatly appreciated.
@stealthdave. I have not used SFTP actively, but I tried to set it up just now. For me, it seemed to work for SFTP. After creating a specific user and attaching a public key (I created a private/public key pair using PuttyGen on a Windows machine), I also made this user the owner of a share that I then exported using the SFTP UI in Rockstor. So far so good!
I verified that the authorized_keys file had the public key in the .ssh directory (single line).
In the /etc/ssh/ssh_config I added the user to the AllowUsers parameter. I assume since it’s above the Rockstor warning line, that it will not be overwritten during updates.
Using FileZilla, I set up the connection using the Private Key for the user, and the connection went through without asking for additional passwords.
I actually need to update my solution that worked a bit, as I started running into random connection issues. What I also did was copy the authorized_keys to authorized_keys2 and change the owner to also be that of the sftp user.
Additionally, I then ran the command "restorecon -FRvv /home//.ssh", though I am not really sure that it did anything worthwhile.
Restarting the sshd service, I get the Private Key Password request once (which can then be stored until FileZilla is closed) and now it’s connecting consistently.
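
The checks discussed in this thread (key on a single line, ownership of the key file, the user listed under AllowUsers) can be run in one pass. The following is an added example, not part of any post above and not Rockstor code; the function name and its parameters are hypothetical, and the caller supplies the user's uid, home directory and the path of the sshd configuration file.

```python
import fnmatch
import os
import stat

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # public key type names start with these


def audit_pubkey_login(user, uid, home, sshd_config):
    """Return reasons sshd would skip or refuse public key login for `user`."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    keys_file = os.path.join(ssh_dir, "authorized_keys")

    # StrictModes (default "yes"): the key file is ignored when the home
    # directory, ~/.ssh or the file itself is owned by someone other than
    # the user or root, or is writable by group/others.
    for path in (home, ssh_dir, keys_file):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"missing: {path}")
            continue
        if st.st_uid not in (0, uid):
            findings.append(f"wrong owner: {path}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"group/world writable: {path}")

    # Each key must sit on one line; a key wrapped during copy/paste leaves
    # continuation lines that contain no key type.
    if os.path.isfile(keys_file):
        with open(keys_file) as fh:
            for n, line in enumerate(fh, 1):
                line = line.strip()
                if line and not line.startswith("#") and not any(
                        tok.startswith(KEY_PREFIXES) for tok in line.split()):
                    findings.append(f"no key type on authorized_keys line {n}")

    # AllowUsers: once present, only users matching a pattern may log in.
    # Simplification (assumption): Match blocks and the host part of
    # user@host patterns are not evaluated.
    allowed = []
    with open(sshd_config) as fh:
        for line in fh:
            words = line.split("#", 1)[0].split()
            if words and words[0].lower() == "allowusers":
                allowed += [w.split("@", 1)[0] for w in words[1:]]
    if allowed and not any(fnmatch.fnmatch(user, pat) for pat in allowed):
        findings.append(f"{user} not matched by AllowUsers")
    return findings
```

Run it as root on the server, passing `pwd.getpwnam(user).pw_uid` as the uid; an empty list means none of these checks explains the password prompt.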