Re: passwordless ssh root logins stopped working after testing dist-upgrade

["Russell L. Carter" <rcarter@pinyon.org>]

Ryan Manikowski wrote:
> On 4/6/2010 4:37 PM, Russell L. Carter wrote:

> What you're trying to do here is login to the 'root' account using your
> non-root account to initiate the ssh connection. It is reading the
> 'id_rsa.pub' pubkey file from /home/<user>/.ssh/ and this is why it is
> failing. The non-root account on the remote side (in this case, your
> localhost) does not have access to ANY files in /root/ so it will never
> work.
>
>
>
> 	 Ryan Manikowski


Ok, if that is the correct explanation, why does ssh to another
regular user account work?  Why does ssh root@<some_other_older_system>
just work?  I just performed the following steps:

On my main system I have two user accounts, 'rcarter' and 'sardine'.  I
remove the .ssh directories from 'rcarter', 'sardine', and 'root'.  I
create a new rsa key for rcarter (creates ~rcarter/.ssh) and then
ssh-copy-id -i the new key to sardine@localhost and root@localhost,
which creates a new .ssh directory with authorized_keys for each.
Then I ssh-add the new key to the agent as rcarter.

1.  $ ssh sardine@localhost logs in w/o password
2.  $ ssh root@localhost asks for password

This is reproducible on two 'testing' systems that have worked
flawlessly for at least two years each, but were both dist-upgraded
yesterday, and they now exhibit this same behavior.

HOWEVER!

I ssh-copy-id the new key created by rcarter to root on
two systems that I haven't dist-upgraded in several
weeks and then ssh root@<systemname> works fine, as it always
has.  I diffed the ssh_config and sshd_configs and the only
difference were comments. So the problem would seem to be in
sshd.

transcript:  (I removed root and sardine's .ssh dirs before)

rcarter@feyerabend> pwd
/home/rcarter/.ssh
rcarter@feyerabend> cd ..
rcarter@feyerabend> mv .ssh dot.ssh
rcarter@feyerabend> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rcarter/.ssh/id_rsa):
Created directory '/home/rcarter/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/rcarter/.ssh/id_rsa.
Your public key has been saved in /home/rcarter/.ssh/id_rsa.pub.
The key fingerprint is:
54:06:d2:08:a4:6d:26:9e:e0:0f:01:1a:1f:67:ff:91 rcarter@feyerabend
The key's randomart image is:
+--[ RSA 2048]----+
|o ..=..o..o      |
|oo * ....+       |
|o.+ + . E        |
|.o.=   o .       |
| oo     S        |
|  o              |
|   .             |
|                 |
|                 |
+-----------------+
rcarter@feyerabend> ssh-copy-id -i sardine@localhost
sardine@localhost's password:
Now try logging into the machine, with "ssh 'sardine@localhost'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

rcarter@feyerabend> ssh-copy-id -i root@localhost
root@localhost's password:
Now try logging into the machine, with "ssh 'root@localhost'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

rcarter@feyerabend> slogin sardine@localhost
Enter passphrase for key '/home/rcarter/.ssh/id_rsa':

rcarter@feyerabend> ssh-add
Enter passphrase for /home/rcarter/.ssh/id_rsa:
Identity added: /home/rcarter/.ssh/id_rsa (/home/rcarter/.ssh/id_rsa)
rcarter@feyerabend> slogin sardine@localhost
Linux feyerabend 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr  6 16:36:06 2010 from localhost
sardine@feyerabend> exit
logout
Connection to localhost closed.
rcarter@feyerabend> slogin root@localhost
root@localhost's password:

rcarter@feyerabend>




> ]] Devision Media Services LLC [[
> 	 www.devision.us
>  ryan@devision.us | 716.771.2282
>
>
> > >      Ryan Manikowski
> > >
> > >
> > > ]] Devision Media Services LLC [[
> > >      www.devision.us
> > >  ryan@devision.us | 716.771.2282
> > >
> > >
> > > On 4/6/2010 4:06 PM, d.sastre.medina@gmail.com wrote:
> > > > On Tue, Apr 06, 2010 at 03:24:04PM -0400, Tony Nelson wrote:
> > > >  
> > > > > On 10-04-06 14:12:19, Russell L. Carter wrote:
> > > > >    
> > > > > > root@feyerabend> diff -u ssh_config ssh_config.dpkg-dist
> > > > > > --- ssh_config  2010-04-05 21:14:26.172871668 -0700
> > > > > > +++ ssh_config.dpkg-dist        2010-01-04 09:05:12.000000000 -0700
> > > > > > @@ -17,8 +17,8 @@
> > > > > >   # ssh_config(5) man page.
> > > > > >
> > > > > >   Host *
> > > > > > -ForwardAgent yes
> > > > > > -ForwardX11 yes
> > > > > > +#   ForwardAgent no
> > > > > > +#   ForwardX11 no
> > > > > >   #   ForwardX11Trusted yes
> > > > > >   #   RhostsRSAAuthentication no
> > > > > >   #   RSAAuthentication yes
> > > > > >       
> > > > > I don't see any "PermitRootLogin without-password" line in your diff.
> > > > >     
> > > > Hello,
> > > >
> > > > That would disable password login for root, but does not enable per-se
> > > > pubkey auth (AFAIK).
> > > >
> > > > man sshd_config explain this: PermitRootLogin, PubkeyAuthentication
> > > > and AuthorizedKeysFile entries.
> > > >
> > > > Regards.
> > > >
> > > >