SSH Permissions

I recently described the process I went through in getting my Raspberry Pi to serve a statically generated page, using wget on my Linux desktop running WordPress. I wrote a script to use "rsync" over ssh, but I ran into an issue: the key pair (so I could transfer without a password) wasn't working. The solution:

On Raspberry Pi (Arch Linux), run:

1. systemctl stop sshd # Stop current running SSH.
2. /usr/bin/sshd -d # Start with debug mode.

From my Linux Desktop (Ubuntu), run:
3. ssh http_user@192.168.0.5

At this point, I saw the following error appear on the Raspberry Pi, running sshd in debug mode:
"Authentication refused: bad ownership or modes for directory ..."
I googled this, and found a really good link describing the problem. Not only were certain permissions required for the ".ssh" directory and its contents, but the user's HOME directory must have appropriate permissions as well. I found that the http_user had group write permissions turned on, which was causing the problem.

Final solution:
On Raspberry Pi, run:

4. chmod 755 /home/http_user # Make the home directory writable by http_user ONLY.

Apparently, this default behavior of SSH can be overridden with some changes to /etc/ssh/sshd_config, but it would decrease the security of the system.

After some additional testing, I found that running my "push-html.sh," which runs ssh over rsync, was what caused the permissions of my http_user's directory to be changed so that group write permissions were enabled. The root cause: the directory on my Linux desktop that was being pushed over to the Raspberry Pi had permissions 775, so whenever I copied it over, the permissions on my http_user's directory changed to 775 too. Subsequently, running ssh over rsync, a password would be required because of the incorrect permissions on the http_user home directory, as mentioned above.
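
The check behind the "bad ownership or modes" error can be run by hand before resorting to sshd debug mode. The function below is an added example, not part of the original post or of OpenSSH: it flags the home directory, ".ssh" and the key file when they are owned by someone other than the account or root, or are writable by group or other. The function name and the default key file path (~/.ssh/authorized_keys) are assumptions.

```shell
#!/bin/sh
# Added example: report paths that would trip sshd's ownership/mode check
# for public-key login. Assumes the OpenSSH default key file location.
# Usage: check_ssh_modes /home/http_user "$(id -u http_user)"

# check_ssh_modes HOME_DIR [UID]
# Prints one line per offending path; returns 0 if clean, 1 otherwise.
check_ssh_modes() {
    home=$1
    want_uid=${2:-$(id -u)}   # default: the user running the check
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            bad=1
            continue
        fi
        # Owner must be the account itself or root (uid 0).
        owner=$(ls -ldn "$p" | awk '{print $3}')
        if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
            echo "bad owner (uid $owner): $p"
            bad=1
        fi
        # Neither group nor other may hold the write bit (mode & 022).
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "group/other writable: $p"
            bad=1
        fi
    done
    return $bad
}
```

Running it at the end of a push script catches the case described above, where the transfer resets the home directory to 775.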
