Introduction
In one of our previous articles we demonstrated how to set up chrooted sftp accounts. You may have certain application users which need to connect to the sftp server to transfer files in an automated manner without manual intervention. An enterprise infrastructure may also include many scripts that need to transfer files to the sftp server automatically, without anyone entering credentials. Configuring passwordless authentication for chrooted sftp user accounts is similar to doing so for ssh user accounts but involves an additional step. In this article we will demonstrate how to set up passwordless authentication for a chrooted sftp user account. To keep this post easy to follow and maintain continuity, we will set up passwordless sftp authentication for the chrooted sftp user named sahil, which we created in our earlier article on setting up chrooted sftp users.
Step 1: Ensure destination user credentials are working
Before we set up passwordless authentication, let’s first log in to the server as the user sahil with its password to make sure that the user account is working and has been set up correctly.
[root@linuxnix ~]# sftp sahil@linuxnix
Connecting to linuxnix...
sahil@linuxnix's password:
sftp> ls
sftp> pwd
Remote working directory: /myhome
sftp> quit
[root@linuxnix ~]#
Step 2: Set up ssh keys for the source user
For the purpose of this demonstration we’ll be using a user account named nixuser as our source account, from which we will log in as the user sahil in a passwordless manner.
[root@linuxnix ~]# grep nixuser /etc/passwd
nixuser:x:502:503::/home/nixuser:/bin/bash
[root@linuxnix ~]#
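Let’s generate the required ssh keys now. The session below uses a DSA key; OpenSSH 7.0 and later disable DSA (ssh-dss) keys by default, so on a current system use -t ed25519 or -t rsa and adjust the key file names in the following steps accordingly.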
[root@linuxnix ~]# sudo su - nixuser
[nixuser@linuxnix ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/nixuser/.ssh/id_dsa):
Created directory '/home/nixuser/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/nixuser/.ssh/id_dsa.
Your public key has been saved in /home/nixuser/.ssh/id_dsa.pub.
The key fingerprint is:
9e:e1:5d:24:b2:5c:73:88:0d:c3:ef:56:f9:00:05:40 nixuser@linuxnix
The key's randomart image is:
+--[ DSA 1024]----+
| oE..o. |
| .=.. |
| o.*.o. |
| . +.=+ |
| S. ..o |
| o +o. . |
| +.. |
| |
| |
+-----------------+
[nixuser@linuxnix ~]$ ls -l /home/nixuser/.ssh/id_dsa.pub
-rw-r--r--. 1 nixuser nixuser 606 Jul 21 22:50 /home/nixuser/.ssh/id_dsa.pub
[nixuser@linuxnix ~]$
Step 3: Create .ssh directory within the home directory of the destination user
[root@linuxnix ~]# cd /home/sahil/myhome/
[root@linuxnix myhome]# ls -l
total 0
[root@linuxnix myhome]# mkdir .ssh
[root@linuxnix myhome]# pwd
/home/sahil/myhome
[root@linuxnix myhome]# ls -ld .ssh/
drwxr-sr-x. 2 root sahil 4096 Jul 21 22:52 .ssh/
[root@linuxnix myhome]# chmod 700 .ssh/
[root@linuxnix myhome]# ls -ld .ssh/
drwx--S---. 2 root sahil 4096 Jul 21 22:52 .ssh/
[root@linuxnix myhome]#
Step 4: Copy the public ssh key from the source user to the authorized_keys file of the destination user
We will now copy the id_dsa.pub public key file of the user nixuser to the authorized_keys file of the user sahil as shown below.
[root@linuxnix ~]# cd ~nixuser/.ssh/
[root@linuxnix .ssh]# scp id_dsa.pub linuxnix:/home/sahil/myhome/.ssh/authorized_keys
root@linuxnix's password:
id_dsa.pub 100% 606 0.6KB/s 00:00
[root@linuxnix .ssh]#
Since I was aware that this is a new setup, I simply copied the key file id_dsa.pub from the source system and renamed it to authorized_keys on the destination system. In an existing setup in which a chrooted sftp user account already has some keys in its authorized_keys file, we would append the new key to the authorized_keys file instead.
Step 5: Test the setup
We’ll now attempt to sftp to the system linuxnix as the user sahil.
[nixuser@linuxnix ~]$ sftp sahil@linuxnix
Connecting to linuxnix...
The authenticity of host 'linuxnix (192.168.19.128)' can't be established.
RSA key fingerprint is da:ed:4d:82:00:5c:c4:58:3f:9e:bc:52:5b:23:82:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'linuxnix,192.168.19.128' (RSA) to the list of known hosts.
sahil@linuxnix's password:
sftp> ls
sftp> pwd
Remote working directory: /myhome
sftp> quit
As you may have observed from the above command line output, we were prompted for a password even though we had completed the passwordless sftp setup. The reason is that the /myhome directory, which is listed as the home directory for the user sahil in its /etc/passwd entry, does not exist. sshd looks for .ssh/authorized_keys under that path on the real filesystem, before the chroot is applied, so it never finds the key.
[nixuser@linuxnix ~]$ ls -ld /myhome
ls: cannot access /myhome: No such file or directory
[nixuser@linuxnix ~]$
The workaround for this is to create a soft link as shown below.
[root@linuxnix ~]# ln -s /home/sahil/myhome/ /myhome
[root@linuxnix ~]# ls -l /myhome
lrwxrwxrwx. 1 root root 19 Jul 21 23:01 /myhome -> /home/sahil/myhome/
[root@linuxnix ~]# ls -ld /home/sahil/myhome/
drwxrwsr-x. 3 sahil sahil 4096 Jul 21 23:01 /home/sahil/myhome/
[root@linuxnix ~]#
Now if we try to perform a passwordless sftp login as the user sahil it will work.
[nixuser@linuxnix ~]$ sftp sahil@linuxnix
Connecting to linuxnix...
sftp> pwd
Remote working directory: /myhome
sftp> ls
sftp> quit
[nixuser@linuxnix ~]$
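The cause described in Step 5 can be checked without a login attempt. The script below is an added example, not part of the original article: it takes the home directory exactly as the /etc/passwd entry names it, looks for .ssh/authorized_keys there, and applies the owner and write-bit rule that sshd enforces when StrictModes is at its default of yes. The function names, return codes and the temporary directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): where does sshd look for the key file?
# Return codes are constructed for this example:
#   0 usable, 1 passwd home missing, 2 authorized_keys missing,
#   3 a path component has the wrong owner or is group/world-writable.

# path_is_safe PATH UID: owned by UID or root, no group/other write bit.
# Uses GNU stat, as found on the Linux host in the article.
path_is_safe() {
    owner=$(stat -L -c '%u' "$1") || return 1
    mode=$(stat -L -c '%a' "$1") || return 1
    [ "$owner" = "$2" ] || [ "$owner" = 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]   # 022 = group and other write bits
}

# check_authkeys HOME UID: HOME is the home field from /etc/passwd.
check_authkeys() {
    home=$1; uid=$2
    [ -d "$home" ] || return 1                     # e.g. /myhome does not exist
    real_home=$(cd "$home" && pwd -P) || return 1  # resolve a symlinked home
    keys=$real_home/.ssh/authorized_keys
    [ -f "$keys" ] || return 2
    for p in "$keys" "$real_home/.ssh" "$real_home"; do
        path_is_safe "$p" "$uid" || return 3
    done
    return 0
}

# demo: rebuild the article's layout in a temp directory (constructed data)
# and print the result before the symlink, after it, and with a
# group-writable home directory.
demo() {
    t=$(mktemp -d) && me=$(id -u)
    real=$t/home/sahil/myhome
    mkdir -p "$real/.ssh" && : > "$real/.ssh/authorized_keys"
    chmod 755 "$real"; chmod 700 "$real/.ssh"
    chmod 600 "$real/.ssh/authorized_keys"
    check_authkeys "$t/myhome" "$me" && before=0 || before=$?
    ln -s "$real" "$t/myhome"
    check_authkeys "$t/myhome" "$me" && after=0 || after=$?
    chmod 775 "$real"
    check_authkeys "$t/myhome" "$me" && loose=0 || loose=$?
    rm -rf "$t"
    echo "$before $after $loose"
}

demo   # prints: 1 0 3
```

On a real server, run check_authkeys as root with the home field and UID taken from the user's /etc/passwd entry; a result of 3 means sshd with StrictModes yes will ignore the key file until the ownership or modes are tightened.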
Conclusion
This concludes our demonstration of setting up passwordless sftp authentication when the user account is set up as a chrooted user. We hope that you’ve found the article useful, and we look forward to your feedback and suggestions.
Sahil Suri