Re: Configuration for root logins

On Sun, 14 Jul 2024, Thomas Köller wrote:

> Hi,
> 
> I am trying to configure OpenSSH to allow root logins, without success so far.
> So I could really use some advice.
> 
> This is my server configuration:
> 
> AllowUsers = thomas root
> AuthenticationMethods hostbased,publickey
> ExposeAuthInfo = no
> ForceCommand none
> GSSAPIAuthentication no
> HostbasedAcceptedAlgorithms ssh-ed25519
> HostbasedAuthentication yes
> HostbasedUsesNameFromPacketOnly yes
> HostKey /etc/ssh/host_key_sarkovy.koeller.dyndns.org_ed25519
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
> KerberosAuthentication no
> ListenAddress = 192.168.0.1
> ListenAddress = fd46:1ffa:d8e0::1
> LogLevel VERBOSE
> PasswordAuthentication no
> PermitEmptyPasswords no
> PermitRootLogin yes
> PermitTTY yes
> PermitTunnel no
> PermitUserRC yes
> PubkeyAuthentication yes
> PubkeyAcceptedAlgorithms ssh-ed25519
> UseDNS = no
> X11Forwarding no
> 
> For now, the client machine is on a static IP address, just for testing using
> my in-house network. But later the client machines will be on dynamic IP
> addresses, which is why I have 'HostbasedUsesNameFromPacketOnly yes'. With
> this setup I can log into my regular user account 'thomas', so hostbased
> authentication at least seems to be configured correctly. But root logins are
> rejected like this:
> 
> root@htpc:~# ssh sarkovy
> root@sarkovy: Permission denied (hostbased).
> 
> I created a /root/.shosts file containing
> 
> fd46:1ffa:d8e0::2 root
> htpc.koeller.dyndns.org root
> 
> to no avail. Enabling debug output on both the server and the client did not
> produce anything hinting at the reason why logins are failing, or at least I
> have been unable to spot anything like that.

Hostbased authentication can be tricky to debug, and basically impossible
without logs from both the client and server.

Did you set EnableSSHKeysign in the client's /etc/ssh/ssh_config?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
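
An added example, not part of the original messages or of OpenSSH: a small Python check that applies the rules documented in ssh(1) and sshd_config(5) to the settings in this thread, listing which trust files sshd reads for a given user under hostbased authentication and which client options (including the EnableSSHKeysign asked about above) are still unset. The function names, the constructed client config, and the simplification of ignoring Host/Match blocks are assumptions.

```python
import re

def parse(text):
    """Map lowercased keyword -> first value; accepts 'Key value' and 'Key = value'.
    Simplification (assumption): Host/Match blocks are not interpreted."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$", line)
        if m and m.group(2):
            opts.setdefault(m.group(1).lower(), m.group(2))  # first value wins
    return opts

def server_trust_files(sshd_opts, user):
    """Trust files sshd reads for hostbased auth, per ssh(1) and sshd_config(5)."""
    if sshd_opts.get("hostbasedauthentication", "no").lower() != "yes":
        return []
    files = []
    if user != "root":  # ssh(1): the system-wide files apply to non-root users only
        files += ["hosts.equiv", "shosts.equiv"]
    ignore = sshd_opts.get("ignorerhosts", "yes").lower()  # default is yes
    if ignore in ("no", "shosts-only"):
        files.append("~/.shosts")
    if ignore == "no":
        files.append("~/.rhosts")
    return files

def client_gaps(ssh_opts):
    """Client options hostbased auth needs; both default to 'no'."""
    need = ("hostbasedauthentication", "enablesshkeysign")
    return [k for k in need if ssh_opts.get(k, "no").lower() != "yes"]

# Relevant lines from the server configuration quoted in this thread.
SERVER = """\
HostbasedAuthentication yes
IgnoreRhosts yes
PermitRootLogin yes
"""
# Constructed client /etc/ssh/ssh_config (not from the thread).
CLIENT = """\
HostbasedAuthentication yes
"""

if __name__ == "__main__":
    for user in ("thomas", "root"):
        print(user, "->", server_trust_files(parse(SERVER), user) or "no trust file consulted")
    print("client options still unset:", client_gaps(parse(CLIENT)))
```

For a live system, the same functions can be fed the effective settings printed by `sshd -T` on the server and `ssh -G <host>` on the client instead of the embedded samples.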



