I am stuck.
I have no problem with SFTP for the main account for a virtual host using keys.
I cannot get an ftp user to access using SSH and keys (so no SFTP with keys).
The ftp user is set to use the main site directory as their home directory and all works as expected under regular FTP.
I have gone into Virtualmin/System Customization/Custom Shells and enabled the Mailbox checkbox for /bin/sh and the ftp user has that option now when looking at the Login Permissions dropdown in the Other User Permissions section when editing that user.
I even deleted and then recreated that user with same results.
My workstation public keys are in the authorized_keys file for the domain I am working with and, as I said, access using GUI apps and direct shell SSH key-based login works fine for the main account, but fails with "Permission denied (publickey,gssapi-with-mic)." for the ftp user created in Virtualmin.
What am I doing wrong?
Is there someplace else I need to put my workstation public key for the ftp user to gain access over ssh even though that user's home directory is set to the same as the main account for that vhost?
Anybody?
When dealing with keys, SSH is really particular about file permissions. If you set the homedir for this FTP user to be the same as your main admin user -- it may view the owner of the .ssh directory or authorized_keys file as being illegitimate, and that may prevent it from using those keys.
If you want to use SFTP with a key, you'd have to verify the following:
The user has to have a valid login shell, such as /bin/bash or /bin/sh
The .ssh directory and authorized_keys file must be owned by the user attempting to log in
The permissions on the .ssh dir need to be "700", and the permissions for the authorized_keys file need to be "600"
If all the above aren't true, it will likely deny your user access.
It will often put the exact problem into the error logs though... if the owner or permissions of a file/dir are incorrect, it should mention that in /var/log/messages, /var/log/secure, or /var/log/syslog (which one it uses depends on your distro).
-Eric
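Added example, not from this thread and not Virtualmin's own code: a small POSIX shell check for the conditions Eric lists above (a real login shell, ~/.ssh and authorized_keys owned by the user, modes 700 and 600), plus sshd's StrictModes rule that the home directory itself must not be group- or world-writable. The function name and its argument layout are this example's own choices; it uses GNU/busybox `stat -c` syntax.

```shell
#!/bin/sh
# Added example (not from the thread): verify the prerequisites for key-based
# SSH/SFTP login of one account. Function name and arguments are assumptions
# made for this example.
#
# Usage: check_ssh_key_setup USER [HOMEDIR] [SHELL]
#   USER    login name, or a numeric uid (then give HOMEDIR and SHELL too)
#   HOMEDIR defaults to the home directory from the passwd database
#   SHELL   defaults to the login shell from the passwd database
# Prints one line per failed check and returns 1; returns 0 when all pass.

check_ssh_key_setup() {
    user=$1
    home=$2
    shell=$3
    rc=0

    # sshd compares owner *uid*, not user name, so resolve USER to a uid.
    case "$user" in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) ;;
        *)        uid=$user ;;
    esac
    if [ -z "$uid" ]; then
        echo "FAIL: no such user '$user'"
        return 1
    fi
    [ -n "$home" ]  || home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$shell" ] || shell=$(getent passwd "$user" | cut -d: -f7)

    # 1. A real login shell: not nologin/false, and listed in /etc/shells
    #    where that file exists.
    case "$shell" in
        ""|*/nologin|*/false)
            echo "FAIL: '$shell' is not a login shell"; rc=1 ;;
        *)
            if [ -f /etc/shells ] && ! grep -qx "$shell" /etc/shells; then
                echo "FAIL: shell '$shell' is not listed in /etc/shells"; rc=1
            fi ;;
    esac

    # 2. ~/.ssh must exist, be owned by the user and be mode 700.
    # 3. ~/.ssh/authorized_keys must exist, be owned by the user and be mode 600.
    #    (stat -c is GNU/busybox syntax; BSD/macOS use stat -f instead.)
    for entry in ".ssh:700:directory" ".ssh/authorized_keys:600:file"; do
        rel=${entry%%:*}; rest=${entry#*:}; want=${rest%%:*}; kind=${rest#*:}
        path="$home/$rel"
        if [ ! -e "$path" ]; then
            echo "FAIL: $path does not exist"; rc=1; continue
        fi
        owner=$(stat -c %u "$path")
        mode=$(stat -c %a "$path")
        if [ "$owner" != "$uid" ]; then
            echo "FAIL: $path is owned by uid $owner, not $uid"; rc=1
        fi
        if [ "$mode" != "$want" ]; then
            echo "FAIL: $path is mode $mode, expected $want ($kind)"; rc=1
        fi
    done

    # 4. With the default StrictModes, sshd also refuses the key file when the
    #    home directory is writable by group or others.
    if [ -d "$home" ]; then
        hmode=$(stat -c %a "$home")
        case "$hmode" in
            *[2367]?|*[2367])
                echo "FAIL: home $home is group/world writable (mode $hmode)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Run as a script, e.g.:  ./check_ssh_keys.sh ftpuser.somevhost
if [ $# -gt 0 ]; then
    check_ssh_key_setup "$@"
fi
```

Run it as root (or as the account itself) against the ftp user; each failing line names the same condition sshd would log. Because sshd matches on uid rather than name, two accounts that share a uid (the passwd entries posted later in this thread show both somevhost and ftpuser.somevhost with uid 517) satisfy the ownership check for the same authorized_keys file, which is why pointing the ftp user's home at /home/somevhost made the existing keys work.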
Found the issue.
Comparison data from /etc/passwd
somevhost:x:517:511::/home/somevhost:/bin/sh
ftpuser.somevhost:x:517:511::/home/somevhost/public_html:/bin/sh
The ftpuser.somevhost account has their home directory as /home/somevhost/public_html so the keys in /home/somevhost/.ssh/authorized_keys do not apply.
By modifying the ftpuser.somevhost account so their home directory is /home/somevhost, the existing keys work and I can use Transmit or Coda to access the site via SFTP as the ftpuser.somevhost account. I can also log in via SSH in a shell as the ftpuser.somevhost account.
I also found that keeping the ftpuser.somevhost account home directory as /home/somevhost/public_html and creating /home/somevhost/public_html/.ssh/authorized_keys file with my keys in it also allows the ftpuser access.
Is there any security risk in either of these methods? Is one preferred over the other?
Oh and thanks for your help Eric! :)
Well, I like the idea of giving "ftpuser.somevhost" a different home directory from your Virtual Server owner.
However, if you end up making a "/home/somevhost/public_html/.ssh" dir -- I think I'd place a .htaccess file in there that prevented any of it from being accessible to web browsers. While there aren't passwords and such in there, it may still be more information than you want random people having access to.
-Eric
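Added example, not from this thread and not Virtualmin's own code, for Eric's suggestion above: when the ftp user's ~/.ssh ends up inside the web root (as with /home/somevhost/public_html/.ssh), write an .htaccess into it that refuses every HTTP request. The function names and the DOCROOT/DIR arguments are this example's own choices; the directives are standard Apache 2.2 (Order/Deny) and 2.4 (Require) syntax.

```shell
#!/bin/sh
# Added example (not from the thread): block web access to a directory that
# lives under the document root. Function names and arguments are assumptions
# made for this example.
#
# Usage: deny_web_access DOCROOT DIR
# Returns 1 without writing anything when DIR is not inside DOCROOT (an
# .htaccess outside the web root protects nothing); returns 0 after writing
# DIR/.htaccess.

deny_web_access() {
    docroot=$1
    dir=$2
    # Resolve both paths so "public_html/../.ssh" cannot slip past the check.
    docroot=$(cd "$docroot" 2>/dev/null && pwd -P) || { echo "no such docroot: $1"; return 1; }
    dir=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "no such dir: $2"; return 1; }
    case "$dir" in
        "$docroot"/*) ;;
        *) echo "$dir is not under $docroot; nothing to protect"; return 1 ;;
    esac
    # Apache 2.4 uses Require, 2.2 uses Order/Deny; guard each with IfModule
    # so one file works on either version.
    cat > "$dir/.htaccess" <<'EOF'
# Deny all web access to this directory (it holds SSH key material).
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    # Apache reads .htaccess as its own user, so the file must stay readable
    # by others; 644 does that while leaving it writable only by the owner.
    chmod 644 "$dir/.htaccess"
}

# True when DIR already carries the 2.4-style denial rule.
has_web_deny() {
    grep -qs 'Require all denied' "$1/.htaccess"
}

# Run as a script, e.g.:
#   ./deny_web_access.sh /home/somevhost/public_html /home/somevhost/public_html/.ssh
if [ $# -eq 2 ]; then
    deny_web_access "$1" "$2"
fi
```

The .htaccess is only honoured if the vhost's `AllowOverride` permits it (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`); if overrides are off, the same block belongs in a `<Directory>` section of the vhost config instead. With .ssh itself at mode 700 the web server's user cannot read the directory anyway, unless Apache or PHP runs as the account owner, so treat the .htaccess as a second layer rather than the only one.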