Re: pubkey works for user: why not root ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Benny Helms wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This does not answer your stated question, but it is good info for you to have.
 Once you get the key working, alter your sshd_config file so that root logins
must have a key, rather than a password.  WAY more secure.

  PermitRootLogin without-password

Unca Xitron


That's exactly what I plan to do!

sean
sean darcy wrote:
I can ssh for my laptop to the server as a user, but using root from
same laptop to same server fails. root can login with password. In
both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
id_rsa.pub >> authorized_keys, restart sshd on server.  On client .ssh
is 700, .ssh/id_rsa is 700. On server  .ssh is 700, authorized_keys is
644 ( same as user ).

What am I missing??

sean

On client:

[root@daddy ~]# ssh -vv intel64-office
OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to intel64-office [10.10.11.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'intel64-office' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug2: bits set: 532/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0xd24640)
debug2: key: /root/.ssh/id_dsa (0xd24658)
debug2: key: /root/.ssh/identity ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /root/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/identity
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

On server:

Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5
out 5 newsock 5 pipe 7 sock 8
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets
after dupping: 3, 3
Apr 18 10:04:41 intel64-office sshd[30747]: Connection from
10.10.11.69 port 33776
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol
version 2.0; client software version OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2
pat OpenSSH*
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling
compatibility mode for protocol 2.0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version
string SSH-2.0-OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid: 74/74
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
list_hostkey_types: ssh-rsa,ssh-dss
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
client->server aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
server->client aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_REQUEST received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_GROUP sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
SSH2_MSG_KEX_DH_GEX_INIT
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_REPLY sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_NEWKEYS
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for "root"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
PAM_RHOST to "daddy-hp"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
PAM_TTY to "ssh"
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method password
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password
authentication accepted for root
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called
Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root
from 10.10.11.69 port 33776 ssh2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJJ7Jo7AAoJEI4JEV90z/PrYyAP/0QGz7Vyjm7Hf3UWl3ZEp7CM
NpBZXS/kQDVWFxtK4PtQa7he1+yMEwOAXctP2pltBcGi+xVqIgqwJIjOCpCi4Y24
t81IfrfqkvI5WjXPb/FNfXV792Bel9qlOCSrXD2iN8OmYqVh484thzfUGm2KCLb6
yysvKbYnj++8GoUfmlaOQHlGCRyqfEOzP1q9rrreBF14lwAU6PA5R3z34LU8bNL0
N60fLQLtbIZ3Z6eCSA/LJqrNrdRlLVuLpu29Pk/pqGt9qBPbTFlQ+6xpTsbwjj7u
Hl9r28VKoVXaf/3Xa7w8zjErxQG8QXb9TQ1HHNVlf+x6GYfSkUjdoN0J9NAG70O4
LmZd4winf1A3Rr+ulzigZxZuPN+vvtt6lUcF5ab5P5mh1Cl++HLRzkMF5/CEccgm
0gtdPAVO+zQEztRvbxF0Si6IKTbupuYUDxvMdzTySFfRe3lRAASB12cqV3eOO3Xf
MDe5MRhGQ/Rk93huQf+dNyJ1RT1Jpg51M7ZYNnnCzCs/IqTyFaU6vWKJBz8MDOPX
dQkm7RCp+zjFmzNkMU2jOLzPVgs5N2BPRAW/LXP63ob81nq7+nYhlstWdsC8CBQp
tJlfDZjJkD6viRhbob5+d4+F0P1YZr+7WU7tTCDfVVsQmG2Glrwj7YVb1HC4Nk8F
39OBATE6IjI+0uro60kj
=t6tG
-----END PGP SIGNATURE-----



[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux