A Linux container can use an authorized_keys file outside my home directory, but ephemeral containers based on it can't. Why?

In Ubuntu 12.10, I've created an LXC of type 'ubuntu' using the lxc-create utility. I then create ephemeral containers based on this container using the lxc-start-ephemeral utility, and I need to connect to those using password-less ssh. However, I need to keep their /home/ubuntu folders pristine, so I can't put the usual .ssh/authorized_keys file in there.

The 'encrypted home directory' section here tells me how to move authorized_keys out of the home directory. After I follow those instructions from inside the base container, I can ssh into the base container without giving a password.

However, when I launch an ephemeral container from the base container, I can't ssh in without a password. (Confusingly, passwordless ssh to the ephemeral container does work when authorized_keys is in its usual place in /home/ubuntu/.ssh.) How can I fix this?

Here's what ssh -v said, starting from when it accepts the host key:

debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ubuntu/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/ubuntu/.ssh/id_dsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ecdsa
debug1: Next authentication method: password

Here are the relevant portions of /var/log/auth.log on the ephemeral container:

Apr 11 00:06:52 test-temp-SNeWevO sshd[306]: Authentication refused: bad ownership or modes for directory /
Apr 11 00:06:54 test-temp-SNeWevO sshd[306]: Accepted password for ubuntu from 10.0.3.1 port 59677 ssh2
Apr 11 00:06:54 test-temp-SNeWevO sshd[306]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
Apr 11 00:06:54 test-temp-SNeWevO sshd[306]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)

I did this test on a fresh AWS micro instance based on the standard Ubuntu 12.10 AMI, and can provide detailed instructions on how to reproduce it if that helps.


This is an old question but it still comes up in Google...

Authentication refused: bad ownership or modes for directory /

is caused by the sshd service having strict permissions requirements for the directory in which authorized_keys is found. I'm not sure how you managed to make that the root directory (/); presumably it is something to do with the way you're configuring containers.

If you can't change the permissions of /, which seems likely in this case, you can set

StrictModes no

in sshd_config.
Provided you don't have multiple users accessing the server, doing this has little impact on security.
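To see exactly which directory sshd is complaining about before reaching for StrictModes no, it helps to replay the check sshd performs. The script below is an added example and is not part of the question or the answer above; it emulates the logic of OpenSSH's secure_filename() check: the authorized_keys file itself and every directory above it, up to and including the user's home directory (or up to "/" when the file lives outside the home, which is why the original poster's log names "/"), must be owned by that user or by root and must not be group- or world-writable (mode bits 022). The function names, the fs_root parameter (a sandbox boundary so the demo does not inspect the real / and /tmp; real sshd always walks to "/") and the constructed directory tree in demo() are assumptions made for illustration.

```python
"""Replay sshd's StrictModes ownership/mode walk for an authorized_keys path.

Added example, not code from the original post. Mirrors OpenSSH's
secure_filename() logic; helper names and the demo tree are assumptions.
"""
import os
import shutil
import tempfile
from typing import Dict, Optional

# sshd rejects any component that is group- or world-writable.
OTHER_WRITE_BITS = 0o022


def _bad_owner_or_mode(path: str, uid: int) -> bool:
    """True if path is not owned by uid or root, or has group/other write bits."""
    st = os.stat(path)
    return st.st_uid not in (uid, 0) or (st.st_mode & OTHER_WRITE_BITS) != 0


def strict_modes_check(keyfile: str, uid: int, homedir: str,
                       fs_root: str = "/") -> Optional[str]:
    """Return None if sshd with StrictModes yes would accept keyfile,
    otherwise the message sshd would log (e.g. the poster's
    'bad ownership or modes for directory /').

    uid      numeric uid of the user logging in
    homedir  that user's home; the walk stops there when keyfile is under it
    fs_root  assumed boundary for sandboxed testing; sshd itself walks to '/'
    """
    keyfile = os.path.abspath(keyfile)
    homedir = os.path.abspath(homedir)
    fs_root = os.path.abspath(fs_root)
    if _bad_owner_or_mode(keyfile, uid):
        return "bad ownership or modes for file %s" % keyfile
    cur = keyfile
    while True:
        cur = os.path.dirname(cur)          # climb one directory level
        if _bad_owner_or_mode(cur, uid):
            return "bad ownership or modes for directory %s" % cur
        if cur in (homedir, fs_root) or cur == "/":
            return None                     # reached the terminating directory


def demo() -> Dict[str, Optional[str]]:
    """Build a constructed tree in a temp dir: a home at <root>/home/ubuntu and
    an authorized_keys file outside it at <root>/etc/ssh/authorized_keys/ubuntu.
    Shows the check passing, failing on a world-writable parent, passing again
    after chmod, and failing on a world-writable key file."""
    uid = os.getuid()
    root = tempfile.mkdtemp(prefix="strictmodes-")
    os.chmod(root, 0o755)
    home = os.path.join(root, "home", "ubuntu")
    etc_dir = os.path.join(root, "etc")
    keydir = os.path.join(etc_dir, "ssh", "authorized_keys")
    keyfile = os.path.join(keydir, "ubuntu")
    for d in (os.path.join(root, "home"), home, etc_dir,
              os.path.join(etc_dir, "ssh"), keydir):
        os.mkdir(d)
        os.chmod(d, 0o755)                  # explicit: do not rely on umask
    with open(keyfile, "w") as f:
        f.write("# constructed placeholder; contents are not inspected\n")
    os.chmod(keyfile, 0o644)

    results: Dict[str, Optional[str]] = {"etc_dir": etc_dir, "keyfile": keyfile}
    results["outside_home_ok"] = strict_modes_check(keyfile, uid, home, fs_root=root)
    os.chmod(etc_dir, 0o777)                # a world-writable ancestor
    results["outside_home_bad"] = strict_modes_check(keyfile, uid, home, fs_root=root)
    os.chmod(etc_dir, 0o755)                # the fix that keeps StrictModes on
    results["outside_home_fixed"] = strict_modes_check(keyfile, uid, home, fs_root=root)
    os.chmod(keyfile, 0o666)                # the file itself is also checked
    results["keyfile_bad"] = strict_modes_check(keyfile, uid, home, fs_root=root)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %s" % (name, value))
```

Against a real container you would call, for example, strict_modes_check("/etc/ssh/authorized_keys/ubuntu", pwd.getpwnam("ubuntu").pw_uid, "/home/ubuntu") as the same user sshd runs as. Whatever path it names is the one to repair: make it owned by root or by the user and clear the group/world write bits (0755 for a directory, 0644 or 0600 for the file). That keeps the StrictModes protection in place, which matters on any host where another local account could otherwise write a key into the path sshd trusts; StrictModes no is the fallback only when the offending directory genuinely cannot be changed, as the answer above assumes.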