SSH key authentication - can only login as root



I have a problem with logging in using keys (on Debian).

Logging in from machine CLIENT to SERVER works, but only if we log in as user root.

Example 1 - login from CLIENT - "checkuser" on SERVER has uid != 0 - doesn't work.
checkuser has UID 1001, just like /home/checkuser/*

$ ssh -l checkuser -i id_rsa 192.168.11.83 -v
(...)
checkuser@xxxxxxxxxxxxxxx's password:

Server log:

Sep 6 11:56:12 thecus sshd[18730]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
Sep 6 11:56:12 thecus sshd[18730]: debug1: match: OpenSSH_4.3 pat OpenSSH*
Sep 6 11:56:12 thecus sshd[18730]: debug1: Enabling compatibility mode for protocol 2.0
Sep 6 11:56:12 thecus sshd[18730]: debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-3
Sep 6 11:56:13 thecus sshd[18730]: Failed none for checkuser from 192.168.11.81 port 54204 ssh2
Sep 6 11:56:13 thecus sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 6 11:56:13 thecus sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:56:13 thecus sshd[18730]: debug1: restore_uid: 0/0
Sep 6 11:56:13 thecus sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 6 11:56:13 thecus sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys2
Sep 6 11:56:13 thecus sshd[18730]: debug1: restore_uid: 0/0


Example 2 - login from CLIENT - "checkuser" on SERVER has uid == 0 - works.
checkuser has UID 0, just like /home/checkuser/*

$ ssh -l checkuser -i id_rsa 192.168.11.83 -v
(...)
root@thecus:~#

Server log:

Sep 6 11:54:34 thecus sshd[18688]: debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-3
Sep 6 11:54:35 thecus sshd[18688]: Failed none for checkuser from 192.168.111.181 port 54164 ssh2
Sep 6 11:54:35 thecus sshd[18688]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Sep 6 11:54:35 thecus sshd[18688]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:54:35 thecus sshd[18688]: debug1: matching key found: file /home/checkuser/.ssh/authorized_keys, line 1
Sep 6 11:54:35 thecus sshd[18688]: Found matching RSA key: 70:a6:fc:89:e7:d8:f9:67:e6:86:27:6e:ee:63:61:5e
Sep 6 11:54:35 thecus sshd[18688]: debug1: restore_uid: 0/0
Sep 6 11:54:35 thecus sshd[18688]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Sep 6 11:54:35 thecus sshd[18688]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:54:35 thecus sshd[18688]: debug1: matching key found: file /home/checkuser/.ssh/authorized_keys, line 1
Sep 6 11:54:35 thecus sshd[18688]: Found matching RSA key: 70:a6:fc:89:e7:d8:f9:67:e6:86:27:6e:ee:63:61:5e
Sep 6 11:54:35 thecus sshd[18688]: debug1: restore_uid: 0/0
Sep 6 11:54:35 thecus sshd[18688]: debug1: ssh_rsa_verify: signature correct
Sep 6 11:54:35 thecus sshd[18688]: Accepted publickey for checkuser from 192.168.111.181 port 54164 ssh2
Sep 6 11:54:35 thecus sshd[18688]: debug1: monitor_child_preauth: checkuser has been authenticated by privileged process
Sep 6 11:54:35 thecus sshd[18688]: debug1: Entering interactive session for SSH2.


Unfortunately, I'm unable to debug the problem.
There are no entries in sshd_config which allow/disallow logging in of certain users.


--
Tomasz Chmielewski
http://wpkg.org
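
Added example (not part of the original post): a small Python script that groups the quoted sshd debug lines by process ID and reports, for each login attempt, which key files sshd opened, under which UID, and whether a "matching key found" line followed. The function names and the choice of log subset are made up for this illustration.

```python
import re

# Sample input: subset of the sshd lines quoted in the post (18730 = UID 1001, 18688 = UID 0).
SAMPLE_LOG = """\
Sep 6 11:56:13 thecus sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 6 11:56:13 thecus sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:56:13 thecus sshd[18730]: debug1: restore_uid: 0/0
Sep 6 11:56:13 thecus sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 6 11:56:13 thecus sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys2
Sep 6 11:54:35 thecus sshd[18688]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Sep 6 11:54:35 thecus sshd[18688]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:54:35 thecus sshd[18688]: debug1: matching key found: file /home/checkuser/.ssh/authorized_keys, line 1
Sep 6 11:54:35 thecus sshd[18688]: Accepted publickey for checkuser from 192.168.111.181 port 54164 ssh2
"""

LINE = re.compile(r"sshd\[(\d+)\]: (?:debug\d: )?(.*)$")
UID = re.compile(r"temporarily_use_uid: (\d+)/\d+")
TRY = re.compile(r"trying public key file (\S+)")
HIT = re.compile(r"matching key found: file (.+?), line \d+")

def summarize(log_text):
    """Group sshd lines by PID; record each key file tried and whether it matched."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(pid, {"uid": None, "attempts": [], "accepted": False})
        uid, tried, hit = UID.match(msg), TRY.match(msg), HIT.match(msg)
        if uid:
            s["uid"] = int(uid.group(1))  # UID sshd switched to before opening the file
        elif tried:
            s["attempts"].append({"file": tried.group(1), "uid": s["uid"], "matched": False})
        elif hit:
            for a in s["attempts"]:
                if a["file"] == hit.group(1):
                    a["matched"] = True
        elif msg.startswith("Accepted publickey"):
            s["accepted"] = True
    return sessions

def unmatched_files(sessions, pid):
    """Key files sshd opened for this PID without logging a matching key."""
    return [(a["file"], a["uid"]) for a in sessions[pid]["attempts"] if not a["matched"]]

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, "accepted" if s["accepted"] else "rejected", unmatched_files(s, pid))
```

For PID 18730 both key files were opened as UID 1001 and no match was logged; for PID 18688 the same authorized_keys file was read as UID 0 and matched.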


