SSH key authentication - can only login as root



I have a problem with logging in using keys (on Debian).

Logging in from machine CLIENT to SERVER works, but only if we log in as user root.

Example 1 - login from CLIENT - "checkuser" on SERVER has uid != 0 - doesn't work.
checkuser has UID 1001, just like /home/checkuser/*

$ ssh -l checkuser -i id_rsa 192.168.11.83 -v
(...)
checkuser@xxxxxxxxxxxxxxx's password:

Server log:

Sep 6 11:56:12 thecus sshd[18730]: debug1: Client protocol version 2.0; client software version OpenSSH_4.3
Sep 6 11:56:12 thecus sshd[18730]: debug1: match: OpenSSH_4.3 pat OpenSSH*
Sep 6 11:56:12 thecus sshd[18730]: debug1: Enabling compatibility mode for protocol 2.0
Sep 6 11:56:12 thecus sshd[18730]: debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-3
Sep 6 11:56:13 thecus sshd[18730]: Failed none for checkuser from 192.168.11.81 port 54204 ssh2
Sep 6 11:56:13 thecus sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 6 11:56:13 thecus sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:56:13 thecus sshd[18730]: debug1: restore_uid: 0/0
Sep 6 11:56:13 thecus sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 6 11:56:13 thecus sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys2
Sep 6 11:56:13 thecus sshd[18730]: debug1: restore_uid: 0/0


Example 2 - login from CLIENT - "checkuser" on SERVER has uid == 0 - works.
checkuser has UID 0, just like /home/checkuser/*

$ ssh -l checkuser -i id_rsa 192.168.11.83 -v
(...)
root@thecus:~#

Server log:

Sep 6 11:54:34 thecus sshd[18688]: debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-3
Sep 6 11:54:35 thecus sshd[18688]: Failed none for checkuser from 192.168.111.181 port 54164 ssh2
Sep 6 11:54:35 thecus sshd[18688]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Sep 6 11:54:35 thecus sshd[18688]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:54:35 thecus sshd[18688]: debug1: matching key found: file /home/checkuser/.ssh/authorized_keys, line 1
Sep 6 11:54:35 thecus sshd[18688]: Found matching RSA key: 70:a6:fc:89:e7:d8:f9:67:e6:86:27:6e:ee:63:61:5e
Sep 6 11:54:35 thecus sshd[18688]: debug1: restore_uid: 0/0
Sep 6 11:54:35 thecus sshd[18688]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Sep 6 11:54:35 thecus sshd[18688]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:54:35 thecus sshd[18688]: debug1: matching key found: file /home/checkuser/.ssh/authorized_keys, line 1
Sep 6 11:54:35 thecus sshd[18688]: Found matching RSA key: 70:a6:fc:89:e7:d8:f9:67:e6:86:27:6e:ee:63:61:5e
Sep 6 11:54:35 thecus sshd[18688]: debug1: restore_uid: 0/0
Sep 6 11:54:35 thecus sshd[18688]: debug1: ssh_rsa_verify: signature correct
Sep 6 11:54:35 thecus sshd[18688]: Accepted publickey for checkuser from 192.168.111.181 port 54164 ssh2
Sep 6 11:54:35 thecus sshd[18688]: debug1: monitor_child_preauth: checkuser has been authenticated by privileged process
Sep 6 11:54:35 thecus sshd[18688]: debug1: Entering interactive session for SSH2.


Unfortunately, I'm unable to debug the problem.
There are no entries in sshd_config which allow/disallow logging in of certain users.


--
Tomasz Chmielewski
http://wpkg.org
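
Added example, not part of the original post: a short Python script that groups sshd debug1 lines by PID and reports, for each connection, which uid sshd switched to, which key files it tried, and whether any of them yielded a match. The sample lines are constructed from the two excerpts above; the function and field names are this example's own.

```python
import re

# Constructed sample, modelled on the two sshd debug1 excerpts in the post.
SAMPLE = """\
Sep 6 11:56:13 thecus sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 6 11:56:13 thecus sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:56:13 thecus sshd[18730]: debug1: restore_uid: 0/0
Sep 6 11:54:35 thecus sshd[18688]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Sep 6 11:54:35 thecus sshd[18688]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 6 11:54:35 thecus sshd[18688]: debug1: matching key found: file /home/checkuser/.ssh/authorized_keys, line 1
Sep 6 11:54:35 thecus sshd[18688]: Accepted publickey for checkuser from 192.168.111.181 port 54164 ssh2
"""

LINE = re.compile(r"sshd\[(\d+)\]: (?:debug1: )?(.*)$")
UID = re.compile(r"temporarily_use_uid: (\d+)/(\d+)")
TRY = re.compile(r"trying public key file (\S+)")
HIT = re.compile(r"matching key found: file (\S+), line (\d+)")
OK = re.compile(r"Accepted publickey for (\S+)")

def summarize(log_text):
    """Group sshd lines by PID and record how public-key auth went."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an sshd line
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(
            pid, {"uid": None, "tried": [], "matched": [], "accepted": False})
        if (u := UID.search(msg)):
            s["uid"] = int(u.group(1))  # uid sshd drops to before reading keys
        elif (t := TRY.search(msg)) and t.group(1) not in s["tried"]:
            s["tried"].append(t.group(1))
        elif (h := HIT.search(msg)) and h.group(1) not in s["matched"]:
            s["matched"].append(h.group(1))
        elif OK.search(msg):
            s["accepted"] = True
    return sessions

def verdict(s):
    """One-line outcome for a session dict produced by summarize()."""
    if s["accepted"]:
        return "publickey accepted"
    if s["tried"] and not s["matched"]:
        return "key files tried as uid %s, none yielded a match" % s["uid"]
    return "no publickey attempt logged"

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, verdict(s), s["tried"])
```

Run against the full log, a session that ends in "none yielded a match" is one where sshd, while running as that uid, got no usable key out of any file it tried.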


