[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: passwordless ssh root logins stopped working after testing dist-upgrade

Ryan Manikowski wrote:
On 4/6/2010 4:37 PM, Russell L. Carter wrote:

What you're trying to do here is login to the 'root' account using your
non-root account to initiate the ssh connection. It is reading the
'id_rsa.pub' pubkey file from /home/<user>/.ssh/ and this is why it is
failing. The non-root account on the remote side (in this case, your
localhost) does not have access to ANY files in /root/ so it will never

	 Ryan Manikowski

Ok, if that is the correct explanation, why does ssh to another
regular user account work?  Why does ssh root@<some_other_older_system>
just work?  I just performed the following steps:

On my main system I have two user accounts, 'rcarter' and 'sardine'.  I
remove the .ssh directories from 'rcarter', 'sardine', and 'root'.  I
create a new rsa key for rcarter (creates ~rcarter/.ssh) and then
ssh-copy-id -i the new key to sardine@localhost and root@localhost,
which creates a new .ssh directory with authorized_keys for each.
Then I ssh-add the new key to the agent as rcarter.

1.  $ ssh sardine@localhost logs in w/o password
2.  $ ssh root@localhost asks for password

This is reproducible on two 'testing' systems that have worked
flawlessly for at least two years each, but were both dist-upgraded
yesterday, and they now exhibit this same behavior.


I ssh-copy-id the new key created by rcarter to root on
two systems that I haven't dist-upgraded in several
weeks and then ssh root@<systemname> works fine, as it always
has.  I diffed the ssh_config and sshd_configs and the only
difference were comments. So the problem would seem to be in

transcript:  (I removed root and sardine's .ssh dirs before)

rcarter@feyerabend> pwd
rcarter@feyerabend> cd ..
rcarter@feyerabend> mv .ssh dot.ssh
rcarter@feyerabend> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rcarter/.ssh/id_rsa):
Created directory '/home/rcarter/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/rcarter/.ssh/id_rsa.
Your public key has been saved in /home/rcarter/.ssh/id_rsa.pub.
The key fingerprint is:
54:06:d2:08:a4:6d:26:9e:e0:0f:01:1a:1f:67:ff:91 rcarter@feyerabend
The key's randomart image is:
+--[ RSA 2048]----+
|o ..=..o..o      |
|oo * ....+       |
|o.+ + . E        |
|.o.=   o .       |
| oo     S        |
|  o              |
|   .             |
|                 |
|                 |
rcarter@feyerabend> ssh-copy-id -i sardine@localhost
sardine@localhost's password:
Now try logging into the machine, with "ssh 'sardine@localhost'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

rcarter@feyerabend> ssh-copy-id -i root@localhost
root@localhost's password:
Now try logging into the machine, with "ssh 'root@localhost'", and check in:


to make sure we haven't added extra keys that you weren't expecting.

rcarter@feyerabend> slogin sardine@localhost
Enter passphrase for key '/home/rcarter/.ssh/id_rsa':

rcarter@feyerabend> ssh-add
Enter passphrase for /home/rcarter/.ssh/id_rsa:
Identity added: /home/rcarter/.ssh/id_rsa (/home/rcarter/.ssh/id_rsa)
rcarter@feyerabend> slogin sardine@localhost
Linux feyerabend 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr  6 16:36:06 2010 from localhost
sardine@feyerabend> exit
Connection to localhost closed.
rcarter@feyerabend> slogin root@localhost
root@localhost's password:


]] Devision Media Services LLC [[
 ryan@devision.us | 716.771.2282

     Ryan Manikowski

]] Devision Media Services LLC [[
 ryan@devision.us | 716.771.2282

On 4/6/2010 4:06 PM, d.sastre.medina@gmail.com wrote:
On Tue, Apr 06, 2010 at 03:24:04PM -0400, Tony Nelson wrote:
On 10-04-06 14:12:19, Russell L. Carter wrote:
root@feyerabend> diff -u ssh_config ssh_config.dpkg-dist
--- ssh_config  2010-04-05 21:14:26.172871668 -0700
+++ ssh_config.dpkg-dist        2010-01-04 09:05:12.000000000 -0700
@@ -17,8 +17,8 @@
  # ssh_config(5) man page.

  Host *
-ForwardAgent yes
-ForwardX11 yes
+#   ForwardAgent no
+#   ForwardX11 no
  #   ForwardX11Trusted yes
  #   RhostsRSAAuthentication no
  #   RSAAuthentication yes
I don't see any "PermitRootLogin without-password" line in your diff.

That would disable password login for root, but does not enable per-se
pubkey auth (AFAIK).

man sshd_config explain this: PermitRootLogin, PubkeyAuthentication
and AuthorizedKeysFile entries.


Reply to: