Bug 248923

Summary: .ssh/authorized_keys2 working accoding to response to a previous PR
Product: Base System Reporter: doug
Component: binAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Not A Bug    
Severity: Affects Only Me CC: emaste, markj
Priority: ---    
Version: 12.1-RELEASE   
Hardware: Any   
OS: Any   
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248439

Description doug 2020-08-26 05:11:12 UTC 
I have been told this works, so I assume I am the only one affected by this error. For me and apparently only me, 12.1 will not accept a key on ssh login. So no need to fix the man page but I thought I would document these system as the sole anomaly.

Calling system: uname -a
   FreeBSD artemis.boltsys.com 11.3-RELEASE-p5 FreeBSD 11.3-RELEASE-p5 #0: Tue Nov 12 08:59:04 UTC 2019     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

ls .ssh/
./                      id_rsa                  id_rsa3
../                     id_rsa.pub              id_rsa3.pub
authorized_keys2        id_rsa2                 known_hosts
config                  id_rsa2.pub             oldkeys/

Called system: uname -a
FreeBSD freeport.boltsys.com 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC  amd64

ls .ssh
./                      config                  known_hosts
../                     id_rsa
authorized_keys2        id_rsa.pub
 ======================
On artemis:
ssh freeport
Password for doug@freeport.boltsys.com:

===============
freeport:~> mv .ssh/authorized_keys2 .ssh/authorized_keys
freeport:~> ls .ssh/
./                      config                  known_hosts
../                     id_rsa
authorized_keys         id_rsa.pub
=========================
and back to artemis

artemis:~> ssh freeport
X11 forwarding request failed on channel 0
Last login: Wed Aug 26 00:44:55 2020 from 192.168.2.102
FreeBSD 12.1-RELEASE-p8 GENERIC 

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
If you'd like to keep track of applications in the FreeBSD ports tree, take a
look at FreshPorts;

        https://www.freshports.org/

But since I am obviously making this up, you can close this one also
Comment 1 Mark Johnston freebsd_committer freebsd_triage 2020-08-26 13:19:55 UTC 
Hi, I'm sorry for closing PR 248439 abruptly - I should have waited longer for feedback.

Per that PR, the default sshd in 12.1 configuration will ignore authorized_keys2.  12.1 sets "AuthorizedKeysFile  .ssh/authorized_keys" in /etc/ssh/sshd_config, i.e., it overrides OpenSSH's default.  This seems to match the behaviour you are describing.  Are you using a non-default configuration?
Comment 2 Ed Maste freebsd_committer freebsd_triage 2021-09-08 01:42:03 UTC 
As far as I can tell your example functions as expected: you cannot connect with keys in .ssh/authorized_keys2, and can with keys in .ssh/authorized_keys.

Again, from sshd(8):

>     AuthorizedKeysFile specifies the files containing public keys for public
>     key authentication; if this option is not specified, the default is
>     ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2.

But the option *is* specified in the default /etc/sshd_config file:

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

If have no AuthorizedKeysFile setting in your sshd configuration the compiled-in default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. If you *do* have an AuthorizedKeysFile in your sshd configuration (/etc/ssh/sshd_config) that takes precedence over the default compiled into sshd.
Comment 3 Ed Maste freebsd_committer freebsd_triage 2021-09-08 01:44:20 UTC 
Closing as no feedback was received in response to comment #1.