Re: pubkey works for user: why not root ?

On Sat, Apr 18, 2009 at 5:12 PM, felix <felix@xxxxxx> wrote:
> Hi,
> maybe it is because of possibly (probably) missing user name (i.e. root) in
> the line AllowUsers of your sshd_config?
>
> Felix
>
> ----- Original Message ----- From: "sean darcy" <seandarcy2@xxxxxxxxx>
> To: <secureshell@xxxxxxxxxxxxxxxxx>
> Sent: Saturday, April 18, 2009 4:27 PM
> Subject: pubkey works for user: why not root ?
>
>
>> I can ssh for my laptop to the server as a user, but using root from
>> same laptop to same server fails. root can login with password. In
>> both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
>> id_rsa.pub >> authorized_keys, restart sshd on server.  On client .ssh
>> is 700, .ssh/id_rsa is 700. On server  .ssh is 700, authorized_keys is
>> 644 ( same as user ).
>>
>> What am I missing??
>>
>> sean
>>
>> On client:
>>
>> [root@daddy ~]# ssh -vv intel64-office
>> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Applying options for *
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to intel64-office [10.10.11.1] port 22.
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/identity type -1
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug1: identity file /root/.ssh/id_rsa type 1
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug1: identity file /root/.ssh/id_dsa type 2
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
>> debug1: match: OpenSSH_5.2 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_5.2
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit:
>>
>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>>
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit:
>>
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit:
>>
>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit:
>>
>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: kex_parse_kexinit:
>>
>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>>
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit:
>>
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit:
>>
>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit:
>>
>> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: mac_setup: found hmac-md5
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug2: mac_setup: found hmac-md5
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug2: dh_gen_key: priv key bits set: 128/256
>> debug2: bits set: 506/1024
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host 'intel64-office' is known and matches the RSA host key.
>> debug1: Found key in /root/.ssh/known_hosts:6
>> debug2: bits set: 532/1024
>> debug1: ssh_rsa_verify: signature correct
>> debug2: kex_derive_keys
>> debug2: set_newkeys: mode 1
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug2: set_newkeys: mode 0
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug2: service_accept: ssh-userauth
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug2: key: /root/.ssh/id_rsa (0xd24640)
>> debug2: key: /root/.ssh/id_dsa (0xd24658)
>> debug2: key: /root/.ssh/identity ((nil))
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> No credentials cache found
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> No credentials cache found
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>>
>>
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: /root/.ssh/id_rsa
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password
>> debug1: Offering public key: /root/.ssh/id_dsa
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password
>> debug1: Trying private key: /root/.ssh/identity
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: password
>>
>> On server:
>>
>> Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5
>> out 5 newsock 5 pipe 7 sock 8
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets
>> after dupping: 3, 3
>> Apr 18 10:04:41 intel64-office sshd[30747]: Connection from
>> 10.10.11.69 port 33776
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol
>> version 2.0; client software version OpenSSH_5.2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2
>> pat OpenSSH*
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling
>> compatibility mode for protocol 2.0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version
>> string SSH-2.0-OpenSSH_5.2
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid:
>> 74/74
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> list_hostkey_types: ssh-rsa,ssh-dss
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT
>> received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
>> client->server aes128-ctr hmac-md5 none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
>> server->client aes128-ctr hmac-md5 none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REQUEST received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> SSH2_MSG_KEX_DH_GEX_GROUP sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
>> SSH2_MSG_KEX_DH_GEX_INIT
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REPLY sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
>> SSH2_MSG_NEWKEYS
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS
>> received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for
>> "root"
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
>> PAM_RHOST to "daddy-hp"
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
>> PAM_TTY to "ssh"
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method publickey
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
>> pkalg/pkblob are acceptable
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
>> from 10.10.11.69 port 33776 ssh2
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method publickey
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
>> pkalg/pkblob are acceptable
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
>> from 10.10.11.69 port 33776 ssh2
>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method password
>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password
>> authentication accepted for root
>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called
>> Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root
>> from 10.10.11.69 port 33776 ssh2
>
>

authorized_keys doesn't have the begin or end line:

cat authorized_keys
ssh-rsa AA...............
....NklQ== root@xxxxxxxxxxxxxxxxxxx

On both client and server, .ssh is 700:

drwx------.  2 root root   4096 2009-04-17 13:22 .ssh

The server doesn't have AllowUsers in sshd_config, see full
sshd_config below.

Thanks for any help.

sean

sshd_config  - not changed from install of Fedora 11 beta, except for LogLevel:

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
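An added check script (not from this thread or from OpenSSH) that walks the same things Sean verified by hand: the ownership and permission rules StrictModes applies to the home directory, ~/.ssh and authorized_keys before sshd will read the file, plus a test that every key line is an unwrapped `ssh-rsa`/`ssh-dss` entry. The home path and user name are parameters, and the key blob in the comments is constructed.

```shell
#!/bin/sh
# Audit the path sshd checks under StrictModes (on by default; commented out in
# the sshd_config above): home, ~/.ssh and ~/.ssh/authorized_keys must be owned
# by the user or root and must not be group- or world-writable. Then confirm each
# authorized_keys line is one "ssh-rsa|ssh-dss <base64> [comment]" entry, which
# catches a key pasted with a line wrap. Prints one line per problem, returns the count.

# writable_by_others PATH: succeeds if group or other has write permission
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. drwx------ (trailing . or + ignored)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}
# bad_owner PATH USER: succeeds if PATH is owned by neither USER nor root
bad_owner() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" != "$2" ] && [ "$owner" != root ]
}
# audit_keys_path HOME USER: check HOME, HOME/.ssh, HOME/.ssh/authorized_keys
audit_keys_path() {
    home=$1; user=$2; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; problems=$((problems + 1)); continue
        fi
        if bad_owner "$p" "$user"; then
            echo "bad owner on $p (want $user or root)"; problems=$((problems + 1))
        fi
        if writable_by_others "$p"; then
            echo "group/world writable: $p"; problems=$((problems + 1))
        fi
    done
    # Non-blank, non-comment lines must start with a key type and a base64 blob.
    # Entries with a leading options field (e.g. from="...") are not handled here.
    if [ -f "$home/.ssh/authorized_keys" ]; then
        bad=$(awk 'NF && $1 !~ /^#/ && !($1 ~ /^ssh-(rsa|dss)$/ && $2 ~ /^AAAA[A-Za-z0-9+\/]+=*$/) { n++ } END { print n+0 }' "$home/.ssh/authorized_keys")
        [ "$bad" -eq 0 ] || echo "$bad malformed line(s) in $home/.ssh/authorized_keys"
        problems=$((problems + bad))
    fi
    return "$problems"
}
# usage: sh audit_keys.sh /root root   (user defaults to the current user)
if [ "$#" -gt 0 ]; then
    audit_keys_path "$1" "${2:-$(id -un)}"
fi
```

It does not check SELinux labels; on a Fedora host with SELinux enforcing, a mislabelled /root/.ssh is another common reason sshd ignores an otherwise correct authorized_keys (`restorecon -R /root/.ssh` restores the labels).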