New user cannot SSH with key applied in plinth (bug?)

Nate · September 16, 2020, 11:22pm

I created a new user in plinth, did not select any groups for the user to be a member of as this user is intended to be the end point of a reverse SSH tunnel. Digging deeper I found that I had to manually add the username to /etc/security/access.d/50freedombox.conf and set the directory permissions on the user’s ~/.ssh to 0700 as it was set to 0755 when the user’s SSH key was saved through plinth.

So, two issues that I had to resolve manually, add the user to the PAM authorization file and correct the permissions on the user’s .ssh directory. As a seasoned Linux user the first one had me stumped for a while and the second I had dealt with before. It seems to me that both of these are bugs as the expectation of an appliance is that it should “just work”. When a user SSH key is set in plinth then the expectation of the administrator is that the user can then SSH into the box. The backend code should check each of these settings and assure they are correct.

Thanks!

njoseph · September 29, 2020, 4:59pm

There is a setting in the Security module which restricts console access to all users except those in the admin group. Your user is not in the admin group. That explains the username not being in /etc/security/access.d/50freedombox.conf and thus denied console access of all kinds including through SSH.

I don’t see the directory ~/.ssh being readable as a problem. The files inside have the correct permissions.

Nate · January 19, 2021, 1:35pm

I’ve had issues before where SSH would refuse to complete a connection due to the target ~/.ssh directory being group/world readable.