
SSH w/ root and keypair authentication problem



I'm trying to create a backup script that will, when run, connect to another computer, and rsync all of its partitions into the local computer.

In order to be able to rsync properly and copy all the files, the user logging in must be root. However, this poses a problem, as PermitRootLogin was "no" in sshd_config. So here is how I went about trying to solve the problem.

First, some names. The source computer is called "dh3". The target computer is "dh2".

On dh2, I ran:
ssh-keygen -t rsa1
ssh-keygen -t rsa
ssh-keygen -t dsa

I chose the default values for all three, so I have 3 key files in /root/.ssh/, id_rsa, id_dsa, and identity, each with a corresponding .pub file. For each key, I chose an empty passphrase.

Then, I copied the .pub files to dh3, and concatenated them all into /root/.ssh/authorized_keys.

The authorized_keys file contains the three public keys, delimited by endlines.

Here are the contents of sshd_config on dh3:
dh3:~/.ssh# cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2,1
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Authentication:
LoginGraceTime 600
PermitRootLogin forced-commands-only
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user
PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem       sftp    /usr/lib/sftp-server

Note the use of PermitRootLogin forced-commands-only which should allow me to ssh in as root, using my keys, as long as I run a command afterwards.

The actual command being run on dh2 (as root) is something to the effect of:

ssh dh3.doggus.com rsync .....

Doing that, or substituting any command instead of rsync, results in dh3 asking me for a password for root@dh3. With the various -v options, more information is displayed, but I can't really understand any of it.

Why isn't this keypair scheme working?

Some ideas:
1) dh2 is behind a router, whereas dh3 is not. Not sure how this would affect ssh.
2) The format of authorized_keys on dh3 is incorrect somehow.

Any ideas would be greatly appreciated. Thanks!

-Adar Dembo

PS: I'm not subscribed to debian-user, so please reply directly back to me.
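
An added example, not part of the original post: per sshd_config(5), "PermitRootLogin forced-commands-only" accepts a root public key only when its authorized_keys entry carries a command="..." option, and .pub files written by ssh-keygen carry no options. This Python check reports which entries qualify; the key material, the forced rsync command and the sample lines are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# One option: bare characters and/or "quoted values" that may hold spaces and commas.
OPTION = r'(?:[^\s,"]|"(?:\\.|[^"\\])*")+'

def permit_root_login(sshd_config):
    """Effective PermitRootLogin value; sshd keeps the first occurrence of a keyword."""
    for line in sshd_config.splitlines():
        m = re.match(r"\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "default"  # not set; assumed here to permit key logins

def key_options(line):
    """Return the leading options of one authorized_keys line ([] if it has none)."""
    first = line.split(None, 1)[0]
    if first.startswith(KEY_TYPES) or first.isdigit():  # digits: protocol 1 key
        return []
    m = re.match(rf"{OPTION}(?:,{OPTION})*", line)
    return re.findall(OPTION, m.group(0)) if m else []

def audit_root_keys(sshd_config, authorized_keys):
    """Return [(line_no, verdict)] for every key line in root's authorized_keys."""
    mode, report = permit_root_login(sshd_config), []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        has_cmd = any(o.lower().startswith("command=") for o in key_options(line))
        if mode == "no":
            verdict = "rejected: root login disabled"
        elif mode == "forced-commands-only" and not has_cmd:
            verdict = "rejected: no command= option"
        else:
            verdict = "usable"
        report.append((n, verdict))
    return report

# Constructed sample input (placeholder key material, hypothetical forced command).
SAMPLE_CONFIG = "PermitRootLogin forced-commands-only\nPubkeyAuthentication yes\n"
SAMPLE_KEYS = """\
1024 35 1234567890 root@dh2
ssh-rsa AAAAconstructedRSA root@dh2
command="rsync --server --sender -a . /",no-pty ssh-dss AAAAconstructedDSA root@dh2
"""

if __name__ == "__main__":
    print(audit_root_keys(SAMPLE_CONFIG, SAMPLE_KEYS))
```

A "usable" verdict only means PermitRootLogin does not block the key; StrictModes file-permission checks and key matching are outside what this sketch inspects.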






