Date:      Wed, 27 Aug 2003 10:17:24 -0400
From:      "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To:        "freebsd-isp@FreeBSD.ORG" <freebsd-isp@FreeBSD.ORG>
Subject:   RE: failed root login with shared ssh key
Message-ID:  <DBEIKNMKGOBGNDHAAKGNOECCDOAC.dave@hawk-systems.com>
In-Reply-To: <DBEIKNMKGOBGNDHAAKGNCEBHDOAC.dave@hawk-systems.com>

Have tried a few suggestions,

- The source server's ssh doesn't support the -1 option to force ssh to version
1 only.
- the target server is set to support RSA I believe, though I have included the
/etc/ssh/sshd_config file below just in case something in there may be
misconfigured

It appears that the process is working fine, but it just isn't allowing the root
login despite the proper authentication.

Dave

/// trimmed sshd_config - a few options have been uncommented to ensure that is
what they are set to

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
# have also tried changing the above to ~/.ssh....


# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
///

>posted this to questions, but getting nothing but crickets
>
>have several FreeBSD servers around all with varying installs, 4.3 with a
>number of patches, up to a 4.7 that is relatively new.
>
>Some maintenance on the servers that requires root is run from a master server
>which connects to run the command(s) via SSH.  The public key for
>root@master_server has been distributed out to the ~root/.ssh/authorized_keys
>file as per a previous thread on this type of situation.
>
>I am having problems with the 4.7 box in that it will not accept the key
>authentication, and bounces back to asking for a password to login as root.  I
>cannot log in as root over ssh with a password, but that's fine, I don't want or
>need to.  I do need to allow this server to log in using the shared public key
>to this (and all the servers).
>
>Have checked /etc/ssh/sshd_config, and "AllowRootLogin yes" is present, and it
>pretty much matches the other 4.3 to 4.5 installs.
>Have checked /etc/ttys, and while all the ttyps do not specifically state
>secure, neither do they on the servers that this works fine on.
>
>I am sure I am forgetting something stupid, just have not been able to google
>anything that is pointing me in the right direction.  Most puzzling is that the
>same setup works fine for the other installs (albeit that I can also log in as
>root using password, which I would like to secure later)
>
>Thanks
>
>Dave
>
>debug from SSH session (and no, df -k is not the command that requires root)

<clipped, see previous message>
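A diagnostic the question above invites, added here as an example and not something Dave or the list posted: a POSIX sh script that reads an sshd_config like the one quoted and checks the settings and file permissions that gate a root public-key login (PermitRootLogin, PubkeyAuthentication or RSAAuthentication, AuthorizedKeysFile, and the ownership/permission rules that StrictModes enforces on the home directory, ~/.ssh and authorized_keys). The function names, the sample sshd_config and the sample key line are constructed for the example; the "default when commented out" values are passed in by the caller, since they depend on the OpenSSH build.

```shell
#!/bin/sh
# Added example (not from the thread): audit the prerequisites for a root
# public-key login. Helper names and the fixture below are constructed.

# effective_opt CONFIG KEY DEFAULT
# Print the last uncommented value of KEY in CONFIG (sshd keywords are
# case-insensitive), or DEFAULT if the keyword is commented out or absent.
effective_opt() {
    _v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { v = $2 } END { print v }' "$1")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# writable_by_others PATH: succeed if the group or world write bit is set.
# Reads the ls -l mode string, which is the same on BSD and GNU (char 6 is
# group write, char 9 is other write).
writable_by_others() {
    _bits=$(ls -ld "$1" | cut -c6,9)
    case "$_bits" in *w*) return 0 ;; *) return 1 ;; esac
}

# strictmodes_ok HOME
# With StrictModes yes, sshd ignores the key file when the home directory,
# ~/.ssh or authorized_keys is writable by anyone but the owner.
strictmodes_ok() {
    for _f in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$_f" ] || { echo "missing: $_f"; return 1; }
        if writable_by_others "$_f"; then echo "too permissive: $_f"; return 1; fi
    done
    return 0
}

# check_root_key_login CONFIG HOME
# Return 0 only if every prerequisite is met; print each failing check.
check_root_key_login() {
    _cfg=$1; _home=$2; _rc=0
    # Assume "no" when the keyword is absent (conservative; adjust to your build).
    _prl=$(effective_opt "$_cfg" PermitRootLogin no)
    case "$_prl" in
        yes|without-password) ;;
        *) echo "PermitRootLogin is '$_prl'"; _rc=1 ;;
    esac
    # Protocol 2 keys need PubkeyAuthentication, protocol 1 keys RSAAuthentication.
    _pk=$(effective_opt "$_cfg" PubkeyAuthentication yes)
    _rsa=$(effective_opt "$_cfg" RSAAuthentication yes)
    if [ "$_pk" != yes ] && [ "$_rsa" != yes ]; then
        echo "neither PubkeyAuthentication nor RSAAuthentication is enabled"; _rc=1
    fi
    # AuthorizedKeysFile is relative to the home directory; accept a ~/ prefix too.
    _akf=$(effective_opt "$_cfg" AuthorizedKeysFile .ssh/authorized_keys)
    case "$_akf" in "~/"*) _akf=${_akf#\~/} ;; esac
    [ -s "$_home/$_akf" ] || { echo "no keys in $_home/$_akf"; _rc=1; }
    if [ "$(effective_opt "$_cfg" StrictModes yes)" = yes ]; then
        strictmodes_ok "$_home" || _rc=1
    fi
    return $_rc
}

# make_fixture DIR: constructed sample home directory and sshd_config.
make_fixture() {
    mkdir -p "$1/home/.ssh"
    printf 'ssh-rsa AAAAB3NzaC1yc2E...constructed root@master_server\n' > "$1/home/.ssh/authorized_keys"
    chmod 700 "$1/home" "$1/home/.ssh"
    chmod 600 "$1/home/.ssh/authorized_keys"
    cat > "$1/sshd_config" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
EOF
}

# Stand-alone demonstration on the constructed fixture.
_tmp=$(mktemp -d)
make_fixture "$_tmp"
if check_root_key_login "$_tmp/sshd_config" "$_tmp/home"; then
    echo "root key login: prerequisites met"
fi
chmod 775 "$_tmp/home/.ssh"   # the kind of slip StrictModes silently rejects
check_root_key_login "$_tmp/sshd_config" "$_tmp/home" || echo "root key login: blocked"
rm -rf "$_tmp"
```

Run it against the real files with `check_root_key_login /etc/ssh/sshd_config /root` on the target; a StrictModes rejection shows up in sshd's debug output as a message about bad ownership or modes on the key file or directory, which is the first thing to look for when a key is silently ignored and the server falls back to asking for a password.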

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DBEIKNMKGOBGNDHAAKGNOECCDOAC.dave>