Re: pubkey works for user: why not root ?



On Sun, Apr 19, 2009 at 1:15 PM, felix <felix@xxxxxx> wrote:
Sean, that's the point, I guess:

you have to check the line of sshd_config: PermitRootLogin (if "no", then
you obviously can't ..:)
AND add the line "AllowUsers sean root" (multiple users can be allowed,
separated by spaces).

Maybe this could help?

Felix


----- Original Message ----- From: "sean darcy" <seandarcy2@xxxxxxxxx>
To: "felix" <felix@xxxxxx>
Cc: <secureshell@xxxxxxxxxxxxxxxxx>
Sent: Sunday, April 19, 2009 4:48 PM
Subject: Re: pubkey works for user: why not root ?


On Sat, Apr 18, 2009 at 5:12 PM, felix <felix@xxxxxx> wrote:

Hi,
maybe it is because of a possibly (probably) missing user name (i.e. root)
in the AllowUsers line of your sshd_config?

Felix

----- Original Message ----- From: "sean darcy" <seandarcy2@xxxxxxxxx>
To: <secureshell@xxxxxxxxxxxxxxxxx>
Sent: Saturday, April 18, 2009 4:27 PM
Subject: pubkey works for user: why not root ?


I can ssh from my laptop to the server as a user, but using root from the
same laptop to the same server fails. root can log in with a password. In
both cases I run ssh-keygen on the laptop, copy id_rsa.pub to the server, cat
id_rsa.pub >> authorized_keys, and restart sshd on the server. On the client .ssh
is 700, .ssh/id_rsa is 700. On the server .ssh is 700, authorized_keys is
644 (same as for the user).

What am I missing??

sean

On client:

[root@daddy ~]# ssh -vv intel64-office
OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to intel64-office [10.10.11.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'intel64-office' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug2: bits set: 532/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0xd24640)
debug2: key: /root/.ssh/id_dsa (0xd24658)
debug2: key: /root/.ssh/identity ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information


debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /root/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/identity
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

On server:

Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets after dupping: 3, 3
Apr 18 10:04:41 intel64-office sshd[30747]: Connection from 10.10.11.69 port 33776
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol version 2.0; client software version OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2 pat OpenSSH*
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling compatibility mode for protocol 2.0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version string SSH-2.0-OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid: 74/74
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex: client->server aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex: server->client aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_NEWKEYS
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for "root"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting PAM_RHOST to "daddy-hp"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request for user root service ssh-connection method password
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password authentication accepted for root
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called
Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root from 10.10.11.69 port 33776 ssh2



authorized_keys doesn't have the begin or end line:

cat authorized_keys
ssh-rsa AA...............
....NklQ== root@xxxxxxxxxxxxxxxxxxx

On both client and server, .ssh is 700:

drwx------.  2 root root   4096 2009-04-17 13:22 .ssh

The server doesn't have AllowUsers in sshd_config, see the full
sshd_config below.

Thanks for any help.

sean

sshd_config  - not changed from install of Fedora 11 beta, except for
LogLevel:

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server


But PermitRootLogin is set to the default - yes.

And I'd rather not set up AllowUsers since if I add another user, I'll
need to remember to add him.

And without AllowUsers all users can login. From the sshd_config man page:


AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users....

In any event, root can login, but only with password auth. The
problem is why not pubkey.

sean
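The thread checks two things by eye: which sshd_config directives are actually in force (a commented "#PermitRootLogin yes" is the default in effect, and without AllowUsers every user is admitted) and the modes on ~/.ssh and authorized_keys. The script below is an added example of mine, not code from the thread; it reads a config the way sshd does (comments ignored, first value of a keyword wins, nothing after a Match block is global), applies AllowUsers/DenyUsers patterns, and runs the StrictModes ownership and write-bit rules over the home directory as well, which sshd inspects in addition to ~/.ssh and authorized_keys. The function names are my own.

```python
import fnmatch
import os
import stat

# sshd_config(5) defaults for the directives the thread discusses (lower-cased
# keys: sshd matches keywords case-insensitively).
DEFAULTS = {"permitrootlogin": "yes", "pubkeyauthentication": "yes",
            "allowusers": "", "denyusers": ""}

def effective_config(text):
    """Global sshd directives: comments skipped, first value of a keyword wins,
    parsing stops at the first Match block because those are conditional."""
    cfg, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            cfg[key] = parts[1].strip() if len(parts) > 1 else ""
    return cfg

def user_allowed(cfg, user):
    """DenyUsers is checked before AllowUsers; with no AllowUsers every user
    may log in, as the man page excerpt quoted in the thread says."""
    deny, allow = cfg["denyusers"].split(), cfg["allowusers"].split()
    if any(fnmatch.fnmatchcase(user, p) for p in deny):
        return False
    return not allow or any(fnmatch.fnmatchcase(user, p) for p in allow)

def strict_modes_problems(home, uid):
    """What StrictModes rejects on the home dir, ~/.ssh and authorized_keys:
    missing, not owned by the user (or root), or group/world writable."""
    problems = []
    for path in (home, home + "/.ssh", home + "/.ssh/authorized_keys"):
        if not os.path.exists(path):
            problems.append(path + ": missing")
            continue
        st = os.stat(path)
        if st.st_uid not in (uid, 0):
            problems.append("%s: owned by uid %d" % (path, st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(path + ": group/world writable")
    return problems
```

Run `effective_config(open("/etc/ssh/sshd_config").read())` and `strict_modes_problems("/root", 0)` on the server to get the same answer sshd will reach before it ever looks at the key itself.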


