Troubleshooting SSH Key Authentication Failures on FreeBSD: Missing Privilege Separation Directory
When attempting SSH connections to a FreeBSD 10.3 server from an Ubuntu 16.04 client, users encounter authentication failures despite correct key configurations:

debug1: key_load_public: No such file or directory
debug1: identity file /home/manuth/.ssh/dqar-rsa-cert type -1
ssh_exchange_identification: Connection closed by remote host

The critical server log reveals:

Nov 7 13:51:32 dqar sshd[11316]: fatal: Missing privilege separation directory: /var/empty

FreeBSD's SSH daemon requires a specific directory for privilege separation and refuses to start a session without it. The error indicates:

  • The /var/empty directory is missing or inaccessible
  • sshd aborts before key processing because it cannot set up privilege separation
  • The fault is on the server side; no client-side key or config change can work around it

On the FreeBSD server, execute:

sudo mkdir -p /var/empty
sudo chown root:wheel /var/empty
sudo chmod 711 /var/empty
sudo service sshd restart

After server fixes, verify client configuration:

# ~/.ssh/config example for troubleshooting
Host r2d2.manuth.life
  HostName 103.12.163.90
  User manuth
  Port 900
  IdentityFile ~/.ssh/dqar-rsa
  IdentitiesOnly yes
  LogLevel DEBUG3

For persistent issues, use this diagnostic sequence:

ssh -vvv -i ~/.ssh/dqar-rsa manuth@r2d2.manuth.life -p 900
sudo tail -f /var/log/auth.log # On FreeBSD server
ls -la /var/empty # Verify directory existence

Ensure proper file permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
chmod 644 ~/.ssh/*.pub
chmod 644 ~/.ssh/config

When attempting SSH authentication with explicitly defined identity files, the connection gets abruptly closed with the following server-side error:

Nov 7 13:51:32 dqar sshd[11316]: fatal: Missing privilege separation directory: /var/empty

The core issue stems from FreeBSD's privilege separation mechanism in OpenSSH. The /var/empty directory is a critical security component that:

  • Acts as a chroot jail for unprivileged operations
  • Must exist with specific permissions (0711)
  • Is created during OpenSSH installation but might get deleted accidentally

Before proceeding with the solution, verify the directory status:

# Check if directory exists
ls -ld /var/empty

# Verify permissions (should show drwx--x--x)
stat -f "%Sp %N" /var/empty

For FreeBSD 10.3 systems, execute these commands as root:

# Create the directory with correct permissions
mkdir -p /var/empty
chmod 711 /var/empty
chown root:wheel /var/empty

# Restart sshd service
service sshd restart

After applying the fix, verify your SSH client configuration remains correct:

# Sample ~/.ssh/config for reference
Host r2d2.manuth.life
  HostName 103.12.163.90
  IdentityFile ~/.ssh/dqar-rsa
  Port 900
  IdentitiesOnly yes
  ForwardX11 yes
  UserKnownHostsFile ~/.ssh/known_hosts
  StrictHostKeyChecking yes

For persistent issues, enable verbose output on both sides:

# Client-side debugging
ssh -vvv r2d2.manuth.life -p 900

# Server-side logging (FreeBSD)
tail -f /var/log/auth.log

When dealing with privilege separation:

  • Never work around this error by disabling privilege separation; recreate the directory instead
  • Regularly audit system directories such as /var/empty for existence, ownership and permissions
  • Consider additional measures such as Fail2Ban to limit brute-force attempts against sshd