From: "Dave [Hawk-Systems]"
To: freebsd-isp@FreeBSD.ORG
Date: Wed, 27 Aug 2003 07:59:04 -0400
Subject: failed root login with shared ssh key

Posted this to questions, but getting nothing but crickets.

Have several FreeBSD servers around, all with varying installs: 4.3 with a number of patches, up to a 4.7 that is relatively new. Some maintenance on the servers that requires root is run from a master server which connects to run the command(s) via SSH. The public key for root@master_server has been distributed out to the ~root/.ssh/authorized_keys file, as per a previous thread on this type of situation.
I am having problems with the 4.7 box in that it will not accept the key authentication, and bounces back to asking for a password to log in as root. I cannot log in as root over ssh with a password, but that's fine, I don't want or need to. I do need to allow this server to log in using the shared public key to this (and all the) servers.

Have checked /etc/ssh/sshd_config, and "AllowRootLogin yes" is present, and it pretty much matches the other 4.3 to 4.5 installs. Have checked /etc/ttys, and while all the ttyps do not specifically state secure, neither do they on the servers that this works fine on.

I am sure I am forgetting something stupid, just have not been able to google anything that is pointing me in the right direction. Most puzzling is that the same setup works fine for the other installs (albeit that I can also log in as root using a password, which I would like to secure later).

Thanks
Dave

Debug from SSH session (and no, df -k is not the command that requires root):

///
server# ssh -v target "df -k"
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to target.domain.com [123.456.789.2] port 22.
debug: Allocated local port 921.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 FreeBSD-20020702
debug: no match: OpenSSH_3.4p1 FreeBSD-20020702
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'target' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'root@server.domain.com'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication refused.
debug: Doing password authentication.
root@target's password:
Permission denied, please try again.
root@target's password:
///
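As an added example (editor's code, not part of Dave's message and not FreeBSD's own tooling): a POSIX sh audit of the three conditions sshd checks before it will honour a key in ~root/.ssh/authorized_keys, written so the same script can be run unchanged on every host in the fleet, BSD or Linux (it parses `ls -ld` instead of `stat`, whose flags differ between the two). It checks the PermitRootLogin directive, the sshd_config keyword sshd reads for this setting, where both "yes" and "without-password" allow key-based root login; it checks the ownership-independent part of what StrictModes enforces (home directory, ~/.ssh and authorized_keys must not be group- or world-writable); and it checks that the master server's public key is actually listed, comparing key material rather than the trailing comment so a renamed comment does not cause a false negative. The file paths on the command line and the master_id.pub name are assumptions; the fixtures used to exercise it are constructed.

```shell
#!/bin/sh
# Editor's example, not from the original post. Audits whether sshd will
# accept a public key for root. All paths are parameters so the checks can
# run against the live host or a staging copy of its files.

# check_sshd_config <sshd_config>
# sshd honours the FIRST PermitRootLogin line it reads. "yes" and
# "without-password" permit key-based root login; "forced-commands-only"
# permits it only for keys carrying a command="..." option; "no" refuses
# root outright. Exit 0 = key login permitted, 1 = refused, 2 = directive
# absent (the compiled-in default of your OpenSSH version then applies).
check_sshd_config() {
    cfg="$1"
    val=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" \
          | head -n 1 | awk '{print tolower($2)}')
    if [ -z "$val" ]; then
        echo "PermitRootLogin: not set in $cfg"
        return 2
    fi
    echo "PermitRootLogin: $val"
    case "$val" in
        yes|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# check_key_perms <home_dir>
# With StrictModes (the default) sshd ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is group- or world-writable.
# Columns 6 and 9 of `ls -ld` are the group and other write bits.
check_key_perms() {
    hdir="$1"
    perm_rc=0
    for p in "$hdir" "$hdir/.ssh" "$hdir/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            perm_rc=1
            continue
        fi
        mode=$(ls -ld "$p" | cut -c1-10)
        gw=$(echo "$mode" | cut -c6)
        ow=$(echo "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "BAD $mode $p (group/world-writable; StrictModes rejects it)"
            perm_rc=1
        else
            echo "OK  $mode $p"
        fi
    done
    return $perm_rc
}

# key_fields <file>
# Prints each key line reduced to its key material, dropping the comment:
# protocol-1 RSA lines are "bits exponent modulus comment" (three fields),
# protocol-2 lines are "type base64 comment" (two fields).
key_fields() {
    awk '{ if ($1 ~ /^[0-9]+$/) print $1, $2, $3; else print $1, $2 }' "$1" 2>/dev/null
}

# key_present <authorized_keys> <pubkey_file>
# Exit 0 when the public key's material appears in authorized_keys.
key_present() {
    want=$(key_fields "$2")
    [ -n "$want" ] && key_fields "$1" | grep -Fqx -e "$want"
}

# audit_root_key_login <sshd_config> <root_home> <master_pubkey>
# Runs all three checks and reports them; exit 0 only when every one passes.
audit_root_key_login() {
    audit_rc=0
    check_sshd_config "$1" || audit_rc=1
    check_key_perms "$2" || audit_rc=1
    if key_present "$2/.ssh/authorized_keys" "$3"; then
        echo "OK  master key is listed in $2/.ssh/authorized_keys"
    else
        echo "BAD master key not found in $2/.ssh/authorized_keys"
        audit_rc=1
    fi
    return $audit_rc
}

# Run directly with three arguments to audit a host, e.g. (paths assumed):
#   sh audit_root_key.sh /etc/ssh/sshd_config /root /root/master_id.pub
if [ "$#" -eq 3 ]; then
    audit_root_key_login "$@"
fi
```

A non-zero exit from the audit tells you which of the three preconditions is missing; the `-v` client trace in the post shows the server refusing the key only after a successful challenge, which is the symptom of a server-side policy or permission refusal rather than a wrong key, so the server's own side of the story (sshd run with `-d`, or its log entries) is where the remaining diagnosis happens.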