
I have a system user syncoid as

$ cat /etc/passwd
syncoid:x:993:990::/var/lib/syncoid:/run/current-system/sw/bin/nologin

with the following ssh config:

$ cat /var/lib/syncoid/.ssh/config
Host eve
  User other
  HostName 192.168.10.1
  ProxyJump jumphost
  IdentityFile /var/lib/syncoid/.ssh/eve-syncoid
Host jumphost
  ForwardAgent yes
  User me
  HostName 192.168.1.1
  IdentityFile /var/lib/syncoid/.ssh/eve-syncoid

I can connect and log in to jumphost with sudo -u syncoid ssh jumphost. However, a connection to the server eve with sudo -u syncoid ssh -vvv eve results in

OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /var/lib/syncoid/.ssh/config
debug1: /var/lib/syncoid/.ssh/config line 1: Applying options for eve
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 5: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.10.1 is address
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -vvv -W '[%h]:%p' jumphost
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/var/lib/syncoid/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/var/lib/syncoid/.ssh/known_hosts2'
debug1: Executing proxy command: exec ssh -vvv -W '[192.168.10.1]:22' jumphost
debug1: identity file /var/lib/syncoid/.ssh/eve-syncoid type 0
debug1: identity file /var/lib/syncoid/.ssh/eve-syncoid-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: kex_exchange_identification: banner line 0: This account is currently not available.
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Do I need a regular user with a shell to perform a ProxyJump?

Edit:

  • A login to eve without ProxyJump over VPN works, so everything is correct with the keys and the config.
  • I created a normal user with the same keys/config and there the ProxyJump works.
4 Comments

  • Did you solve this? I have literally the same problem, also with syncoid and also with a NixOS client. Commented Feb 19, 2022 at 9:41
  • @phry See my answer. Commented Feb 20, 2022 at 10:04
  • I found out too. There's a more "correct way" of doing it though - I'll add an answer too :) Commented Feb 20, 2022 at 11:37
  • Agreed, I mark yours as solutions Commented Feb 20, 2022 at 17:50

2 Answers

1

This is actually not a ProxyJump problem - the service is a hardened systemd service with a limited RootDirectory, so it cannot access the private ssh key.

The folder with the private key has to be added to BindReadOnlyPaths, following this GitHub comment:

config.services.syncoid.service.serviceConfig.BindReadOnlyPaths = [
  "/var/lib/syncoid/.ssh"
];

Following the comment further, this will be solved by this pull request in the future.
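The failure in the question is easy to reproduce by hand: the ProxyJump makes ssh spawn a second ssh (the "ssh -W" proxy command), and that nested process also needs to open the IdentityFile for the jump host, so every key file along the chain has to be visible inside the service's RootDirectory. The script below is an added example (not from the question, the answers, or the NixOS module) that walks a ProxyJump chain in an ssh config, collects the IdentityFile paths, and reports which of them no BindReadOnlyPaths entry covers. It embeds the question's config as constructed sample input and assumes a simplified ssh_config dialect (Host blocks with "Keyword value" lines; no Match, Include, "=" separators or negated patterns) and plain absolute paths in BindReadOnlyPaths rather than "src:dest:opts" triples; the function and variable names are its own.

```python
"""Added example: list the IdentityFile paths an ssh ProxyJump chain needs and
check them against a sandboxed service's BindReadOnlyPaths (RootDirectory)."""
from __future__ import annotations

import fnmatch
from pathlib import PurePosixPath

# Constructed sample input: the ssh config from the question, embedded inline.
SAMPLE_SSH_CONFIG = """\
Host eve
  User other
  HostName 192.168.10.1
  ProxyJump jumphost
  IdentityFile /var/lib/syncoid/.ssh/eve-syncoid
Host jumphost
  ForwardAgent yes
  User me
  HostName 192.168.1.1
  IdentityFile /var/lib/syncoid/.ssh/eve-syncoid
"""


def parse_ssh_config(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal ssh_config parser: {host_pattern: {keyword: [values]}}.
    Assumption: only 'Keyword value' lines inside Host blocks are modelled;
    Match, Include and '=' separators are not."""
    hosts: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            current = {}
            for pattern in value.split():  # several patterns share one block
                hosts[pattern] = current
        elif current is not None:
            current.setdefault(keyword, []).append(value)
    return hosts


def options_for(hosts: dict, name: str) -> dict[str, list[str]]:
    """Merge matching Host blocks the way ssh does: the first value wins for
    ordinary keywords, while IdentityFile entries accumulate."""
    merged: dict[str, list[str]] = {}
    for pattern, opts in hosts.items():
        if not fnmatch.fnmatchcase(name, pattern):
            continue
        for keyword, values in opts.items():
            if keyword == "identityfile":
                merged.setdefault(keyword, []).extend(values)
            else:
                merged.setdefault(keyword, list(values))
    return merged


def required_identity_files(hosts: dict, name: str, home: str,
                            _seen: frozenset[str] = frozenset()) -> list[str]:
    """Follow ProxyJump hops recursively and collect every IdentityFile that
    ssh, including the nested 'ssh -W' proxy command, will try to open."""
    if name in _seen:
        raise ValueError(f"ProxyJump loop at {name!r}")
    seen = _seen | {name}
    opts = options_for(hosts, name)
    files = [home + f[1:] if f.startswith("~") else f
             for f in opts.get("identityfile", [])]
    for jump in opts.get("proxyjump", []):
        if jump.lower() == "none":
            continue
        for hop in jump.split(","):
            # Assumption: hops are written as [user@]host[:port], no IPv6 brackets.
            host = hop.strip().rsplit("@", 1)[-1].split(":", 1)[0]
            files += required_identity_files(hosts, host, home, seen)
    return files


def uncovered_paths(files: list[str], bind_paths: list[str]) -> list[str]:
    """Return the key files that no bind mount makes visible under RootDirectory."""
    allowed = [PurePosixPath(p) for p in bind_paths]
    missing = set()
    for f in files:
        fp = PurePosixPath(f)
        if not any(fp == a or a in fp.parents for a in allowed):
            missing.add(f)
    return sorted(missing)


def check_sandbox(config_text: str, target: str, bind_paths: list[str],
                  home: str = "/var/lib/syncoid") -> list[str]:
    """Which key files would the service be unable to read for 'target'?"""
    hosts = parse_ssh_config(config_text)
    return uncovered_paths(required_identity_files(hosts, target, home), bind_paths)


if __name__ == "__main__":
    for binds in ([], ["/var/lib/syncoid/.ssh"]):
        print(f"BindReadOnlyPaths={binds}: missing {check_sandbox(SAMPLE_SSH_CONFIG, 'eve', binds)}")
```

With no bind mount the check reports /var/lib/syncoid/.ssh/eve-syncoid as unreadable for both hops; with /var/lib/syncoid/.ssh bind-mounted, as the answer above does, nothing is missing. Exposing only that directory keeps RootDirectory and ProtectHome in force, which is the narrower fix compared with disabling the sandbox options altogether.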

1

This was actually a problem with the syncoid service definition in NixOS being too restrictive. I had to overwrite

systemd.services."syncoid-rpool-user-home" = {
  serviceConfig = {
    ProtectHome = lib.mkForce false;
    StateDirectory = lib.mkForce "";
    RootDirectory = lib.mkForce "";
  };
};
