Re: pubkey works for user: why not root ?

On Sun, Apr 19, 2009 at 1:15 PM, felix <felix@xxxxxx> wrote:
> Sean, that's the point, I guess:
>
> you have to check the line of sshd_config: PermitRootLogin (if "no" , then
> you obviously can't ..:)
> AND to add the line "AllowUsers sean root" (multiple users can be allowed,
> separated by space).
>
> Maybe this could help?
>
> Felix
>
>
> ----- Original Message ----- From: "sean darcy" <seandarcy2@xxxxxxxxx>
> To: "felix" <felix@xxxxxx>
> Cc: <secureshell@xxxxxxxxxxxxxxxxx>
> Sent: Sunday, April 19, 2009 4:48 PM
> Subject: Re: pubkey works for user: why not root ?
>
>
> On Sat, Apr 18, 2009 at 5:12 PM, felix <felix@xxxxxx> wrote:
>>
>> Hi,
>> maybe it is because of possibly (probably) missing user name (i.e. root)
>> in
>> the line AllowUsers of your sshd_config?
>>
>> Felix
>>
>> ----- Original Message ----- From: "sean darcy" <seandarcy2@xxxxxxxxx>
>> To: <secureshell@xxxxxxxxxxxxxxxxx>
>> Sent: Saturday, April 18, 2009 4:27 PM
>> Subject: pubkey works for user: why not root ?
>>
>>
>>> I can ssh for my laptop to the server as a user, but using root from
>>> same laptop to same server fails. root can login with password. In
>>> both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
>>> id_rsa.pub >> authorized_keys, restart sshd on server. On client .ssh
>>> is 700, .ssh/id_rsa is 700. On server .ssh is 700, authorized_keys is
>>> 644 ( same as user ).
>>>
>>> What am I missing??
>>>
>>> sean
>>>
>>> On client:
>>>
>>> [root@daddy ~]# ssh -vv intel64-office
>>> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: Applying options for *
>>> debug2: ssh_connect: needpriv 0
>>> debug1: Connecting to intel64-office [10.10.11.1] port 22.
>>> debug1: Connection established.
>>> debug1: permanently_set_uid: 0/0
>>> debug1: identity file /root/.ssh/identity type -1
>>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>>> debug2: key_type_from_name: unknown key type '-----END'
>>> debug1: identity file /root/.ssh/id_rsa type 1
>>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>>> debug2: key_type_from_name: unknown key type '-----END'
>>> debug1: identity file /root/.ssh/id_dsa type 2
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
>>> debug1: match: OpenSSH_5.2 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_5.2
>>> debug2: fd 3 setting O_NONBLOCK
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>> debug2: kex_parse_kexinit: reserved 0
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>> debug2: kex_parse_kexinit:
>>>
>>>
>>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>> debug2: kex_parse_kexinit: reserved 0
>>> debug2: mac_setup: found hmac-md5
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug2: mac_setup: found hmac-md5
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>> debug2: dh_gen_key: priv key bits set: 128/256
>>> debug2: bits set: 506/1024
>>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>> debug1: Host 'intel64-office' is known and matches the RSA host key.
>>> debug1: Found key in /root/.ssh/known_hosts:6
>>> debug2: bits set: 532/1024
>>> debug1: ssh_rsa_verify: signature correct
>>> debug2: kex_derive_keys
>>> debug2: set_newkeys: mode 1
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug2: set_newkeys: mode 0
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug2: service_accept: ssh-userauth
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug2: key: /root/.ssh/id_rsa (0xd24640)
>>> debug2: key: /root/.ssh/id_dsa (0xd24658)
>>> debug2: key: /root/.ssh/identity ((nil))
>>> debug1: Authentications that can continue:
>>> publickey,gssapi-with-mic,password
>>> debug1: Next authentication method: gssapi-with-mic
>>> debug1: Unspecified GSS failure. Minor code may provide more information
>>> No credentials cache found
>>>
>>> debug1: Unspecified GSS failure. Minor code may provide more information
>>> No credentials cache found
>>>
>>> debug1: Unspecified GSS failure. Minor code may provide more information
>>>
>>>
>>> debug2: we did not send a packet, disable method
>>> debug1: Next authentication method: publickey
>>> debug1: Offering public key: /root/.ssh/id_rsa
>>> debug2: we sent a publickey packet, wait for reply
>>> debug1: Authentications that can continue:
>>> publickey,gssapi-with-mic,password
>>> debug1: Offering public key: /root/.ssh/id_dsa
>>> debug2: we sent a publickey packet, wait for reply
>>> debug1: Authentications that can continue:
>>> publickey,gssapi-with-mic,password
>>> debug1: Trying private key: /root/.ssh/identity
>>> debug2: we did not send a packet, disable method
>>> debug1: Next authentication method: password
>>>
>>> On server:
>>>
>>> Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5
>>> out 5 newsock 5 pipe 7 sock 8
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets
>>> after dupping: 3, 3
>>> Apr 18 10:04:41 intel64-office sshd[30747]: Connection from
>>> 10.10.11.69 port 33776
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol
>>> version 2.0; client software version OpenSSH_5.2
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2
>>> pat OpenSSH*
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling
>>> compatibility mode for protocol 2.0
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version
>>> string SSH-2.0-OpenSSH_5.2
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid:
>>> 74/74
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>>> list_hostkey_types: ssh-rsa,ssh-dss
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT
>>> received
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
>>> client->server aes128-ctr hmac-md5 none
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
>>> server->client aes128-ctr hmac-md5 none
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>>> SSH2_MSG_KEX_DH_GEX_REQUEST received
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>>> SSH2_MSG_KEX_DH_GEX_GROUP sent
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
>>> SSH2_MSG_KEX_DH_GEX_INIT
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>>> SSH2_MSG_KEX_DH_GEX_REPLY sent
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
>>> SSH2_MSG_NEWKEYS
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS
>>> received
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>>> for user root service ssh-connection method none
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for
>>> "root"
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
>>> PAM_RHOST to "daddy-hp"
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
>>> PAM_TTY to "ssh"
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>>> for user root service ssh-connection method publickey
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
>>> pkalg/pkblob are acceptable
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>>> temporarily_use_uid: 0/0 (e=0/0)
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>>> file /root/.ssh/authorized_keys
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>>> temporarily_use_uid: 0/0 (e=0/0)
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>>> file /root/.ssh/authorized_keys2
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
>>> from 10.10.11.69 port 33776 ssh2
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>>> for user root service ssh-connection method publickey
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
>>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
>>> pkalg/pkblob are acceptable
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>>> temporarily_use_uid: 0/0 (e=0/0)
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>>> file /root/.ssh/authorized_keys
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>>> temporarily_use_uid: 0/0 (e=0/0)
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>>> file /root/.ssh/authorized_keys2
>>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
>>> from 10.10.11.69 port 33776 ssh2
>>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request
>>> for user root service ssh-connection method password
>>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
>>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password
>>> authentication accepted for root
>>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account:
>>> called
>>> Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root
>>> from 10.10.11.69 port 33776 ssh2
>>
>>
>
> authorized_keys doesn't have the begin or end line:
>
> cat authorized_keys
> ssh-rsa AA...............
> ....NklQ== root@xxxxxxxxxxxxxxxxxxx
>
> On both client and server, .ssh is 700:
>
> drwx------.  2 root root   4096 2009-04-17 13:22 .ssh
>
> The server doesn't have AllowUsers in sshd_config, see full
> sshd_config below.
>
> Thanks for any help.
>
> sean
>
> sshd_config  - not changed from install of Fedora 11 beta, except for
> LogLevel:
>
> #       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
>
> #Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # Disable legacy (protocol version 1) support in the server for new
> # installations. In future the default will change to require explicit
> # activation of protocol 1
> Protocol 2
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 1024
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
> LogLevel DEBUG
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile     .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
> PasswordAuthentication yes
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> #UsePAM no
> UsePAM yes
>
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
> LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #ShowPatchLevel no
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
> #ChrootDirectory none
>
> # no default banner path
> #Banner none
>
> # override default of no subsystems
> Subsystem       sftp    /usr/libexec/openssh/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> #       X11Forwarding no
> #       AllowTcpForwarding no
> #       ForceCommand cvs server
>

But PermitRootLogin is set to the default - yes.

And I'd rather not set up AllowUsers since if I add another user, I'll
need to remember to add him.

And without AllowUsers all users can login. From the sshd_config man page:


AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.  Only user names are
             valid; a numerical user ID is not recognized.  By default, login
             is allowed for all users....

In any event, root can login, but only with password auth.  The
problem is why not pubkey.

sean
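The checks this thread raises (PermitRootLogin, AllowUsers, the permission rules sshd enforces under StrictModes, and whether the key the client offered is actually in authorized_keys), as an added shell example; it is not from the thread or from OpenSSH, and it only mirrors sshd's documented behaviour rather than asking sshd. It assumes GNU coreutils for stat -c and works on file paths, so it can be run against copies of the server's sshd_config and home directory.

```shell
# Added helpers for the checks the thread raised; inputs are file paths so they
# run over a copied sshd_config/home dir. Assumes GNU coreutils (stat -c).

# Effective value of an sshd_config keyword: sshd uses the first uncommented
# occurrence, "#Key value" lines are only the shipped defaults, so $3 (the
# documented default) is printed when nothing sets the key.
sshd_option() {   # sshd_option CONFIG KEY DEFAULT
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# AllowUsers restricts logins only when present; absent means every user.
user_allowed() {  # user_allowed CONFIG USER (exact names, no patterns)
    awk -v u="$2" 'tolower($1) == "allowusers" { seen = 1
                       for (i = 2; i <= NF; i++) if ($i == u) ok = 1 }
                   END { exit (seen && !ok) ? 1 : 0 }' "$1"
}

# With StrictModes yes, sshd ignores the key file unless home, ~/.ssh and
# authorized_keys are owned by the user (or root) and not group/other writable.
strict_modes_ok() {  # strict_modes_ok HOME_DIR USER
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; bad=1; continue; fi
        owner=$(stat -c '%U' "$p"); mode=$(stat -c '%a' "$p")
        [ "$owner" = "$2" ] || [ "$owner" = root ] || { echo "owner $owner: $p"; bad=1; }
        # group digit is second to last, other is last; 2,3,6,7 carry the write bit
        case "$mode" in *[2367]?|*[2367]) echo "group/other writable ($mode): $p"; bad=1 ;; esac
    done
    return $bad
}

# Is the key the client offered really in authorized_keys? Only the base64
# blob (field 2) is compared, so a different trailing comment does not matter.
key_authorized() {  # key_authorized PUBKEY_FILE AUTHORIZED_KEYS
    blob=$(awk '$1 ~ /^ssh-/ && NF >= 2 { print $2; exit }' "$1")
    [ -n "$blob" ] || return 2
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                      END { exit f ? 0 : 1 }' "$2"
}

# Run the checks in the order sshd applies them; returns 1 if any failed.
diagnose() {  # diagnose CONFIG USER HOME_DIR CLIENT_PUBKEY
    rc=0
    if [ "$2" = root ] && [ "$(sshd_option "$1" PermitRootLogin yes)" = no ]; then
        echo "PermitRootLogin no: root cannot log in at all"; rc=1
    fi
    user_allowed "$1" "$2" || { echo "$2 is not listed in AllowUsers"; rc=1; }
    [ "$(sshd_option "$1" PubkeyAuthentication yes)" = yes ] || { echo "PubkeyAuthentication is off"; rc=1; }
    if [ "$(sshd_option "$1" StrictModes yes)" = yes ]; then strict_modes_ok "$3" "$2" || rc=1; fi
    key_authorized "$4" "$3/.ssh/authorized_keys" || { echo "client key not found in authorized_keys"; rc=1; }
    return $rc
}

case $# in 4) diagnose "$@" ;; esac   # e.g. ./check.sh /etc/ssh/sshd_config root /root id_rsa.pub
```

With the config from this thread (PermitRootLogin left at its commented default, no AllowUsers) the first three checks pass, which narrows the problem to the file checks or to something outside sshd_config.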

