Re: SSH key authentication - can only login as root

(...)

Is this issue specific to ssh? What happens if you locally (on SERVER)
try to su -l checkuser with UID=1001? Or use ftp or telnet?

Yes, it's specific to SSH authentication with keys. Password logins work fine.
I can su:

thecus:/var/log# su -l checkuser
checkuser@thecus:~$
checkuser@thecus:~$ su
Password:
thecus:/home/checkuser#

I can login via telnet (using a password).


Also, try turning up the debug in the sshd process to try and see more
of what is happening:

# For sshd_config
LogLevel DEBUG3

We need to see what happens between the last two lines and the above
might help:
sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/
authorized_keys
sshd[18730]: debug1: restore_uid: 0/0

There is something strange with the key:

Sep 8 11:27:23 thecus sshd[23596]: Failed none for checkuser from 192.168.111.181 port 35531 ssh2
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_request_receive entering
Sep 8 11:27:23 thecus sshd[23596]: debug3: monitor_read: checking request 20
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed entering
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed: key_from_blob: 0x69b00
Sep 8 11:27:23 thecus sshd[23596]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 8 11:27:23 thecus sshd[23596]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep 8 11:27:23 thecus sshd[23596]: debug1: restore_uid: 0/0
Sep 8 11:27:23 thecus sshd[23596]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 8 11:27:23 thecus sshd[23596]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys2
Sep 8 11:27:23 thecus sshd[23596]: debug1: restore_uid: 0/0
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed: key 0x69b00 is disallowed
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_request_send entering: type 21
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_request_receive entering


So, why the key is allowed if UID=0, and is disallowed if UID!=0?


Last option: you initially said that there were no options enabled in
sshd_config to deny users - what about the group options DenyGroups and
AllowGroups?

There's no option which allows/denies groups in my config.

I even used the same sshd_config file from another server, to which I can login using the same key (where "checkuser" has UID=1001), but still, I could only login if "checkuser" had UID=0.


--
Tomasz Chmielewski
http://wpkg.org

Relevant Pages

  • Re: ssh password problem
    ... using rsa public keys. ... This keyword can be followed by a list of user name patterns, ... Login is disallowed for user names that ... The allow/deny directives are processed in the following ...
    (Fedora)
  • RE: Single Sign On - Transfer of credential between webapps....
    ... You'll want to provide your own values forthe keys. ... > Change the loginUrl to be that of your login page. ... > Now, in your other applications (Webapp2 for example), you can get at the ... >> One of my website is used to login user: ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: looking for a solution
    ... "Karolski" wrote in message ... > This is my first post here, so please, be patient. ... > (giving their password and login). ... As far as security keys and web development go, I have a table of logins ...
    (comp.lang.java.programmer)
  • Re: looking for a solution
    ... > As far as security keys and web development go, I have a table of logins ... I have a specific set of keys which are represented as columns. ... > party login authenticators, I like controlling it in the application. ... and password stored into a session with perms. ...
    (comp.lang.java.programmer)
  • Filter keys on logon desktop (login screen)
    ... ctrl-alt-del to login) - by mistake, ... Now the keyboard input is filtered, it doesn't allow multiple keys action, I ... Windows shortcut that apparently can toggle the feature (hit right shift key ... do you know which files and/or registry keys are responsible for Filter Keys ...
    (microsoft.public.windowsxp.accessibility)