N950 tip: enable ssh user@n950 with public key authentication

EDIT This continues to work just fine with 39-5 for me.
EDIT Seems to also work on the fresh 34-2 firmware without issues.

With aegis watching over us like a true eye in the sky, getting the N950 to let you ssh in as an unprivileged user with public key authentication took a bit of effort. Sure, you could ssh root@n950 and then su - user, but doesn’t the sane world do it the other way around?

Anyway, get your authorized_keys file on the device as root with sftp, or manually typing it. No, just sftp it, dude. Now aegis won’t let root see ~user/.ssh and also won’t let user see /root/.ssh contents.

# cp /root/.ssh/authorized_keys /tmp
# chmod 644 /tmp/authorized_keys
# su - user
$ cp /tmp/authorized_keys .ssh
$ exit

At this point ssh user@n950 still shouldn’t be letting you in, because apparently the account is locked by default. syslogd doesn’t by default log sshd stuff, so if you want to see this for yourself do this as root:

# echo "auth.* -/var/log/secure.log" >> /etc/syslog.conf
# stop syslogd
# start syslogd
# tail -f /var/log/syslog /var/log/secure.log

Now try ssh user@n950, this is what you should see:

==> secure.log <==
Jul 25 01:09:11 RM680 sshd[2838]: User user not allowed because account is locked
Jul 25 01:09:11 RM680 sshd[2838]: Failed none for invalid user user from 192.168.1.111 port 35483 ssh2

Solution is to unlock the account.

EDIT Originally I thought usermod -U user would do the trick. It turns out it doesn't work out so well. aegis-loader (and possibly other parts) started puking when doing dpkg -i etc.

/home/developer $ dpkg -i conboy_0_0_1_armel.deb                               
aegis-loader: Failed parsing '/etc/passwd
...hanging forever

After a bunch of folks on #harmattan helped me get to the bottom of this, mgedim pointed out passwd seemed to work for him:

# passwd -u user

I have no idea what usermod and passwd are doing differently aegis-wise. Hints welcome!
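
The lock test behind the "account is locked" log line above, as an added example that is not part of the original post. It assumes the Linux OpenSSH rule (without PAM) that a password field starting with '!' blocks the user before any key is considered; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: Linux OpenSSH rule, where a leading '!' in the
# password field means "locked" and is tested before any key is considered.

# pw_field_state FILE USER -> one word describing the user's password field.
# FILE is in passwd or shadow layout (login name in field 1, password in field 2).
pw_field_state() {
    file=$1
    user=$2
    # Exact match on the login name; the "F=" prefix keeps an empty field visible.
    line=$(awk -F: -v u="$user" '$1 == u { print "F=" $2; exit }' "$file")
    case $line in
        "")     echo missing ;;           # no entry for this user in FILE
        "F=")   echo empty ;;             # no password set at all
        "F=x")  echo shadowed ;;          # real value lives in /etc/shadow
        "F=!"*) echo locked ;;            # sshd logs "account is locked"
        "F=*"*) echo no-password-login ;; # no hash can match, keys still work
        *)      echo hash ;;              # ordinary password hash
    esac
}

# sshd_lock_check FILE USER -> prints the state; returns 1 if FILE shows the
# user as locked or absent, 0 otherwise.
sshd_lock_check() {
    state=$(pw_field_state "$1" "$2")
    echo "$2: $state"
    case $state in
        locked|missing) return 1 ;;
        *)              return 0 ;;
    esac
}

# Constructed sample in /etc/passwd layout (IDs and entries are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/sh
user:!:1001:1001::/home/user:/bin/sh
developer:*:1002:1002::/home/developer:/bin/sh
guest::1003:1003::/home/guest:/bin/sh
EOF
for u in root user developer guest nobody; do
    sshd_lock_check "$sample" "$u" || echo "  -> refused before key check: $u"
done
rm -f "$sample"
```

A `shadowed` result means the same check has to be run as root against /etc/shadow. An `empty` result is worth pairing with a look at PermitEmptyPasswords in sshd_config, which defaults to no.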

Comments

  • ‘passwd -d user’ might be a better choice, actually, since it disables password logins but allows key logins.   on IRC confirms that it works.

    I’m a bit uneasy with passwd -u, since it sets the user’s password to an empty string.  Experiments showed that you cannot log in over ssh without a key, by trying an empty password, but still, it made me a bit uneasy.

    For the technically inclined, /etc/passwd has ‘user:*:…’ when password logins are disabled but key logins are enabled (passwd -d user), ‘user:!:…’ (the default) when both password and key logins are disabled (passwd -l user), and ‘user::…’ when the user has no password (passwd -u user).

  • Certain versions of sshd, even if you only use public key authentication, require the shadow entry for the given user NOT to start with a ‘!’ (or to be ‘!!’). In this case the user is reported as ‘locked’.
    After trying ‘usermod -U ‘ to verify that user is unlocked and set an ordinary password for him. After that he may login through ssh/public key without a problem (assuming that your sshd_config is OK :-).