I created a new user in plinth, did not select any groups for the user to be a member of as this user is intended to be the end point of a reverse SSH tunnel. Digging deeper I found that I had to manually add the username to
/etc/security/access.d/50freedombox.conf and set the directory permissions on the user’s
0700 as it was set to
0755 when the user’s SSH key was saved through plinth.
So, two issues that I had to resolve manually, add the user to the PAM authorization file and correct the permissions on the user’s
.ssh directory. As a seasoned Linux user the first one had me stumped for a while and the second I had dealt with before. It seems to me that both of these are bugs as the expectation of an appliance is that it should “just work”. When a user SSH key is set in plinth then the expectation of the administrator is that the user can then SSH into the box. The backend code should check each of these settings and assure they are correct.