Authentication refused: bad ownership or modes for file /var/git/.ssh/authorized_keys

EDIT

The issue as exposed here is solved (about the file modes of the .ssh folder).

But another issue persists, so I created a new question: Unable to login with SSH-RSA key

I can no longer connect with an ssh-rsa key for a specific user, but it still works for other users.

The git user is defined as follows:

# cat /etc/passwd | grep git
git:x:1002:1002:,,,:/var/git:/bin/bash

So you noticed that this is the git user, thus its home is /var/git; it’s not in /home.

Now, ssh always prompts me for a password:

$ ssh git@srv
git@srv's password:

I checked the logs:

# tail -n 1 /var/log/auth.log
[...] Authentication refused: bad ownership or modes for file /var/git/.ssh/authorized_keys

So authorized_keys has some ownership or mode misconfiguration.
I don’t understand, because here is the configuration for this file:

# ls -l /var/git/.ssh/ | grep auth
-rw-rw-r-- 1 git git 394 mai   22 17:39 authorized_keys

And here is (in case…) the parent .ssh dir:

# ls -al /var/git/ | grep ssh
drwxrwxr-x  2 git  git  4096 mai   22 17:39 .ssh

And the $HOME directory:

# ls -l /var/ | grep git
drwxr-xr-x  7 git  git    4096 mai   27 10:49 git

So the owner is always git, as is the owner group. And the files are readable, so where could the trick be?

Asked By: Rémi B.


The problem is the fact that file and directory permissions do not meet the requirements of StrictModes, which in OpenSSH is yes by default and should not be changed. Try setting the permissions of authorized_keys to 0600 and the .ssh directory to 0700.

# chmod 0700 .../.ssh/
# chmod 0600 .../.ssh/authorized_keys

Note that the ... will differ based on installation (e.g., in this question it is /var/git/, but for normal users it will be /home/username/).

Answered By: damienfrancois
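The following is an added example, not code from the question or from any of the answers. It re-implements in POSIX sh the ownership/mode rule that sshd applies under StrictModes (as described in this answer): authorized_keys and every directory between it and the home directory must be owned by the user (or root) and must not be group- or world-writable. It builds a throwaway copy of the question's layout (.ssh at 775, authorized_keys at 664) under a temp directory, shows that the check fails exactly as in the auth.log line above, applies the chmod fix from this answer, and shows that the check then passes. It uses the current uid instead of the git user's 1002 because chown needs root, and it relies only on `ls -ldnL`, which is POSIX.

```shell
#!/bin/sh
# Added example: mirror sshd's StrictModes ownership/mode check and the fix.

# secure_path_ok PATH UID
# Returns 0 if PATH is owned by UID or root and is neither group- nor
# world-writable; this is the per-path rule sshd applies under StrictModes.
secure_path_ok() {
    path=$1
    uid=$2
    # ls -ldnL is POSIX: mode string is field 1, numeric owner is field 3
    set -- $(ls -ldnL "$path" 2>/dev/null)
    mode=$1
    owner=$3
    [ "$owner" = "$uid" ] || [ "$owner" = 0 ] || return 1
    # character 6 of the mode string is the group write bit ...
    case "$mode" in ?????w*) return 1 ;; esac
    # ... and character 9 is the world write bit
    case "$mode" in ????????w*) return 1 ;; esac
    return 0
}

# check_authorized_keys HOME UID
# Applies secure_path_ok to authorized_keys and then walks up through its
# parent directories until HOME (or /) is reached, the way sshd does.
# Prints the first offending path and returns 1, else returns 0.
check_authorized_keys() {
    home=$1
    uid=$2
    file=$home/.ssh/authorized_keys
    secure_path_ok "$file" "$uid" || {
        echo "bad ownership or modes for file $file"; return 1; }
    dir=$(dirname "$file")
    while :; do
        secure_path_ok "$dir" "$uid" || {
            echo "bad ownership or modes for directory $dir"; return 1; }
        [ "$dir" = "$home" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# fix_authorized_keys HOME
# The fix given in the answer: 0700 on .ssh, 0600 on authorized_keys.
fix_authorized_keys() {
    home=$1
    chmod 0700 "$home/.ssh"
    chmod 0600 "$home/.ssh/authorized_keys"
}

# demo: rebuild the question's layout in a temp dir (constructed fixture)
# and show the check failing before the fix and passing after it.
demo() {
    tmp=$(mktemp -d)
    home=$tmp/git
    mkdir -p "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chmod 0755 "$home"                        # drwxr-xr-x as in the question
    chmod 0775 "$home/.ssh"                   # drwxrwxr-x as in the question
    chmod 0664 "$home/.ssh/authorized_keys"   # -rw-rw-r-- as in the question
    uid=$(id -u)
    before=ok
    check_authorized_keys "$home" "$uid" || before=refused
    fix_authorized_keys "$home"
    after=ok
    check_authorized_keys "$home" "$uid" || after=refused
    rm -rf "$tmp"
    echo "before fix: $before; after fix: $after"
    [ "$before" = refused ] && [ "$after" = ok ]
}

demo
```

Running the script prints the same "bad ownership or modes" wording that sshd logs, first for the group-writable authorized_keys file, then nothing after the fix. Point check_authorized_keys at a real home directory and uid to audit an existing account before restarting sshd or touching StrictModes.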

For reasons of paranoia, the .ssh directory and authorized_keys must not be group-writable. I guess the thinking is, the user must be the only one with explicit control over his/her authorization. I believe a work-around for this lies with ACL. The other work around is StrictModes=no setting in sshd’s configuration file. But it would be too dangerous to do that for the sake of one user.

P.S. your ls -l /var | grep git is more concisely done as ls -ld /var/git

Answered By: Otheus

The $HOME/.ssh directory mode must be 700 and authorized_keys should be readable by the owner only, i.e. mode 600:

chmod u=rwx,g=,o= /var/git/.ssh
chmod u=rw,g=,o= /var/git/.ssh/authorized_keys

As to the private key, it must be read-write-able by the owner only:

chmod u=rw,g=,o= /var/git/.ssh/id_?sa

Answered By: user86969