On Sat, Apr 18, 2009 at 5:12 PM, felix <felix@xxxxxx> wrote:
> Hi,
> maybe it is because of a possibly (probably) missing user name (i.e. root) in
> the line AllowUsers of your sshd_config?
>
> Felix
>
> ----- Original Message ----- From: "sean darcy" <seandarcy2@xxxxxxxxx>
> To: <secureshell@xxxxxxxxxxxxxxxxx>
> Sent: Saturday, April 18, 2009 4:27 PM
> Subject: pubkey works for user: why not root ?
>
>
>> I can ssh from my laptop to the server as a user, but using root from
>> the same laptop to the same server fails. root can login with password. In
>> both cases I run ssh-keygen on the laptop, copy id_rsa.pub to the server, cat
>> id_rsa.pub >> authorized_keys, restart sshd on the server. On the client .ssh
>> is 700, .ssh/id_rsa is 700. On the server .ssh is 700, authorized_keys is
>> 644 (same as user).
>>
>> What am I missing??
>>
>> sean
>>
>> On client:
>>
>> [root@daddy ~]# ssh -vv intel64-office
>> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Applying options for *
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to intel64-office [10.10.11.1] port 22.
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/identity type -1
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug1: identity file /root/.ssh/id_rsa type 1
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug1: identity file /root/.ssh/id_dsa type 2
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
>> debug1: match: OpenSSH_5.2 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_5.2
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: mac_setup: found hmac-md5
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug2: mac_setup: found hmac-md5
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug2: dh_gen_key: priv key bits set: 128/256
>> debug2: bits set: 506/1024
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host 'intel64-office' is known and matches the RSA host key.
>> debug1: Found key in /root/.ssh/known_hosts:6
>> debug2: bits set: 532/1024
>> debug1: ssh_rsa_verify: signature correct
>> debug2: kex_derive_keys
>> debug2: set_newkeys: mode 1
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug2: set_newkeys: mode 0
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug2: service_accept: ssh-userauth
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug2: key: /root/.ssh/id_rsa (0xd24640)
>> debug2: key: /root/.ssh/id_dsa (0xd24658)
>> debug2: key: /root/.ssh/identity ((nil))
>> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> No credentials cache found
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> No credentials cache found
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>>
>>
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: /root/.ssh/id_rsa
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>> debug1: Offering public key: /root/.ssh/id_dsa
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>> debug1: Trying private key: /root/.ssh/identity
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: password
>>
>> On server:
>>
>> Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets after dupping: 3, 3
>> Apr 18 10:04:41 intel64-office sshd[30747]: Connection from 10.10.11.69 port 33776
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol version 2.0; client software version OpenSSH_5.2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2 pat OpenSSH*
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling compatibility mode for protocol 2.0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version string SSH-2.0-OpenSSH_5.2
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid: 74/74
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex: client->server aes128-ctr hmac-md5 none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex: server->client aes128-ctr hmac-md5 none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_NEWKEYS
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for "root"
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting PAM_RHOST to "daddy-hp"
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting PAM_TTY to "ssh"
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method publickey
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether pkalg/pkblob are acceptable
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root from 10.10.11.69 port 33776 ssh2
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method publickey
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether pkalg/pkblob are acceptable
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root from 10.10.11.69 port 33776 ssh2
>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method password
>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password authentication accepted for root
>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called
>> Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root from 10.10.11.69 port 33776 ssh2
>

authorized_keys doesn't have the begin or end line:

cat authorized_keys
ssh-rsa AA............... ....NklQ== root@xxxxxxxxxxxxxxxxxxx

On both client and server, .ssh is 700:

drwx------. 2 root root 4096 2009-04-17 13:22 .ssh

The server doesn't have AllowUsers in sshd_config, see the full sshd_config below.

Thanks for any help.

sean

sshd_config - not changed from the install of Fedora 11 beta, except for LogLevel:

#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
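Added example, not code from the thread or from OpenSSH: a POSIX shell diagnostic for the two things the thread is weighing when sshd logs "trying public key file ... authorized_keys" and then "Failed publickey". It checks whether the client's id_rsa.pub is actually present in the server's authorized_keys (compared by key type and base64 blob, so a differing comment or a leading options field does not matter) and whether a path carries group/other write bits, which StrictModes (the default) refuses. Function names and the key material in make_sample are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical helper names; the sample data below is constructed, not from the thread.

# Return 0 if the key in $1 (a one-line *.pub file) appears in $2 (authorized_keys).
# Matches on key type + base64 blob only, as sshd does; the trailing comment is
# ignored and options such as no-pty or from="..." before the type are skipped.
key_in_authorized_keys() {
    ktype=$(awk 'NR == 1 { print $1 }' "$1")
    kblob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$kblob" ] || return 2                   # not a public key line at all
    awk -v t="$ktype" -v b="$kblob" '
        /^[[:space:]]*#/ || NF < 2 { next }       # comments and short lines
        { for (i = 1; i < NF; i++)
              if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$2"
}

# Return 0 if $1 has neither group nor other write permission (positions 6 and 9 of
# the ls mode string). Home, ~/.ssh and authorized_keys must all pass this or sshd
# with StrictModes yes ignores the file. cut drops the "." or "+" (SELinux/ACL) suffix.
no_group_other_write() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: one client key, a matching and a non-matching server file,
# plus a 700 and a 775 directory. Prints the temp directory it created.
make_sample() {
    d=$(mktemp -d) || return 1
    blob='AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedSampleBlob=='
    printf 'ssh-rsa %s root@laptop\n' "$blob" > "$d/id_rsa.pub"
    # same key, different comment, with a leading option: must match
    printf 'no-pty ssh-rsa %s copied-from-laptop\n' "$blob" > "$d/ak_match"
    # different key but the same comment: must not match
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDotherKeyBlob== root@laptop\n' > "$d/ak_other"
    mkdir "$d/ssh700" "$d/ssh775"
    chmod 700 "$d/ssh700"; chmod 775 "$d/ssh775"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    D=$(make_sample)
    key_in_authorized_keys "$D/id_rsa.pub" "$D/ak_match" && echo "key found in ak_match"
    key_in_authorized_keys "$D/id_rsa.pub" "$D/ak_other" || echo "key NOT in ak_other"
    no_group_other_write "$D/ssh775" || echo "ssh775 would be refused by StrictModes"
    rm -rf "$D"
fi
```

On a real host run the two functions against the client's id_rsa.pub, the server's ~root/.ssh/authorized_keys, and each of /root, /root/.ssh and the keys file; a mismatch in the first check explains a "Failed publickey" without any permission warning in the log.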