Re: passwordless ssh root logins stopped working after testing dist-upgrade
Ryan Manikowski wrote:
On 4/6/2010 4:37 PM, Russell L. Carter wrote:
What you're trying to do here is login to the 'root' account using your
non-root account to initiate the ssh connection. It is reading the
'id_rsa.pub' pubkey file from /home/<user>/.ssh/ and this is why it is
failing. The non-root account on the remote side (in this case, your
localhost) does not have access to ANY files in /root/ so it will never
work.
Ryan Manikowski
Ok, if that is the correct explanation, why does ssh to another
regular user account work? Why does ssh root@<some_other_older_system>
just work? I just performed the following steps:
On my main system I have two user accounts, 'rcarter' and 'sardine'. I
remove the .ssh directories from 'rcarter', 'sardine', and 'root'. I
create a new rsa key for rcarter (creates ~rcarter/.ssh) and then
ssh-copy-id -i the new key to sardine@localhost and root@localhost,
which creates a new .ssh directory with authorized_keys for each.
Then I ssh-add the new key to the agent as rcarter.
1. $ ssh sardine@localhost logs in w/o password
2. $ ssh root@localhost asks for password
This is reproducible on two 'testing' systems that have worked
flawlessly for at least two years each, but were both dist-upgraded
yesterday, and they now exhibit this same behavior.
HOWEVER!
I ssh-copy-id the new key created by rcarter to root on
two systems that I haven't dist-upgraded in several
weeks and then ssh root@<systemname> works fine, as it always
has. I diffed the ssh_config and sshd_configs and the only
difference were comments. So the problem would seem to be in
sshd.
transcript: (I removed root and sardine's .ssh dirs before)
rcarter@feyerabend> pwd
/home/rcarter/.ssh
rcarter@feyerabend> cd ..
rcarter@feyerabend> mv .ssh dot.ssh
rcarter@feyerabend> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rcarter/.ssh/id_rsa):
Created directory '/home/rcarter/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/rcarter/.ssh/id_rsa.
Your public key has been saved in /home/rcarter/.ssh/id_rsa.pub.
The key fingerprint is:
54:06:d2:08:a4:6d:26:9e:e0:0f:01:1a:1f:67:ff:91 rcarter@feyerabend
The key's randomart image is:
+--[ RSA 2048]----+
|o ..=..o..o |
|oo * ....+ |
|o.+ + . E |
|.o.= o . |
| oo S |
| o |
| . |
| |
| |
+-----------------+
rcarter@feyerabend> ssh-copy-id -i sardine@localhost
sardine@localhost's password:
Now try logging into the machine, with "ssh 'sardine@localhost'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
rcarter@feyerabend> ssh-copy-id -i root@localhost
root@localhost's password:
Now try logging into the machine, with "ssh 'root@localhost'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
rcarter@feyerabend> slogin sardine@localhost
Enter passphrase for key '/home/rcarter/.ssh/id_rsa':
rcarter@feyerabend> ssh-add
Enter passphrase for /home/rcarter/.ssh/id_rsa:
Identity added: /home/rcarter/.ssh/id_rsa (/home/rcarter/.ssh/id_rsa)
rcarter@feyerabend> slogin sardine@localhost
Linux feyerabend 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 6 16:36:06 2010 from localhost
sardine@feyerabend> exit
logout
Connection to localhost closed.
rcarter@feyerabend> slogin root@localhost
root@localhost's password:
rcarter@feyerabend>
]] Devision Media Services LLC [[
www.devision.us
ryan@devision.us | 716.771.2282
Ryan Manikowski
]] Devision Media Services LLC [[
www.devision.us
ryan@devision.us | 716.771.2282
On 4/6/2010 4:06 PM, d.sastre.medina@gmail.com wrote:
On Tue, Apr 06, 2010 at 03:24:04PM -0400, Tony Nelson wrote:
On 10-04-06 14:12:19, Russell L. Carter wrote:
root@feyerabend> diff -u ssh_config ssh_config.dpkg-dist
--- ssh_config 2010-04-05 21:14:26.172871668 -0700
+++ ssh_config.dpkg-dist 2010-01-04 09:05:12.000000000 -0700
@@ -17,8 +17,8 @@
# ssh_config(5) man page.
Host *
-ForwardAgent yes
-ForwardX11 yes
+# ForwardAgent no
+# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
I don't see any "PermitRootLogin without-password" line in your diff.
Hello,
That would disable password login for root, but does not enable per-se
pubkey auth (AFAIK).
man sshd_config explain this: PermitRootLogin, PubkeyAuthentication
and AuthorizedKeysFile entries.
Regards.
Reply to: