September 23, 2014

The ssh authorized_keys permission denied if I inject the file by mounting the primary disk

Env:
VM A: the target VM I want to access without a password
VM B: the VM I want to access VM A from

Problem Description: As I need to inject VM B's public key into VM A's authorized_keys without the root password, I start VM A from a LiveCD, mount the disk where the OS is, then create an authorized_keys file under ${mountpoint}/root/.ssh and put VM B's public key in the authorized_keys file. Then I stop VM A and remove the LiveCD. After starting VM A, I access VM A from VM B with the command:

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PasswordAuthentication=no root@9.112.224.130

I failed with error:

debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Then I log in to VM A, back up the authorized_keys and copy another one:

mv authorized_keys authorized_keys_bak
cp authorized_keys_bak authorized_keys

and it works.

Then I tried the injection process again, but this time I created an empty authorized_keys file before starting from the LiveCD. After I started from the LiveCD and mounted the disk which has the OS, I only put VM B's public key in it, without creating the authorized_keys file. This time, VM B can access VM A after the injection.

Question:

1: All the file attributes are the same, and there is no diff, so why does one work but the other does not?

2: If I create the authorized_keys file when I mount the disk, the key will not work. Is there any other difference between creating it from the OS and creating it from the mount?

Hello Maggie

As far as I can understand, you are copying the /home/USER/.ssh/authorized_keys file from the disk of one virtual machine to another VM's disk. One reason why this may not be working is because of SELinux. Do you have it enabled? Check:

# /usr/sbin/getenforce
Enforcing
#

If Security Enhanced Linux is enforcing permissions, then you'll need to see the full attributes using:

# ls -lZ /home/USER/.ssh/authorized_keys
-rw-r--r--. USER USER unconfined_u:object_r:ssh_home_t:s0 /home/USER/.ssh/authorized_keys
#

You can disable SELinux either with the 'setenforce' command or by editing the /etc/selinux/config file.

If SELinux is not the issue, then I would suggest manually viewing the old file and copying the contents to the new VM's disk, then editing the authorized_keys file and pasting the public keys. The new file will keep its context and permissions.

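If SELinux is the cause, as the answer above suggests, what differs between the two files is the SELinux label, which plain `ls -l` and `diff` do not show. The shell sketch below is an added example, not part of the original thread: it classifies a file's context against the `ssh_home_t` type shown in the `ls -lZ` output and prints the `restorecon` command that resets the label to the policy default. The function names are hypothetical and the sample contexts are constructed.

```shell
#!/bin/bash
# Added example (hypothetical helper names); not from the original thread.

# Return the type field of an SELinux context "user:role:type:level".
# -s makes cut print nothing when the input has no ':' (e.g. "?").
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Classify a context for an authorized_keys file:
#   ok          type is ssh_home_t, as in the ls -lZ output above
#   unlabeled   file_t / unlabeled_t: the file carries no SELinux label
#   mislabeled  some other type
#   unknown     no context available (SELinux not in use, or file missing)
classify_context() {
    case "$(selinux_type "$1")" in
        ssh_home_t)         echo ok ;;
        file_t|unlabeled_t) echo unlabeled ;;
        '')                 echo unknown ;;
        *)                  echo mislabeled ;;
    esac
}

# Inspect a real file with GNU stat (%C = SELinux context) and print the
# restorecon command that resets the label to the policy default.
audit_key_file() {
    file=$1
    ctx=$(stat -c %C "$file" 2>/dev/null) || ctx=''
    verdict=$(classify_context "$ctx")
    echo "$file: context=${ctx:-none} verdict=$verdict"
    case "$verdict" in
        unlabeled|mislabeled) echo "fix: restorecon -Rv $(dirname "$file")" ;;
    esac
}

# Constructed sample contexts, so the logic can be exercised offline.
demo() {
    for ctx in 'unconfined_u:object_r:ssh_home_t:s0' \
               'system_u:object_r:file_t:s0' \
               'unconfined_u:object_r:admin_home_t:s0' '?'; do
        echo "$ctx -> $(classify_context "$ctx")"
    done
}

# With a path argument audit that file, otherwise run the demo.
if [ "$#" -gt 0 ]; then audit_key_file "$1"; else demo; fi
```

Under SELinux, `cp` creates a new file that takes its label from the containing directory while `mv` keeps the existing label, which would be consistent with the `mv`/`cp` observation in the question.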