From: "Dave [Hawk-Systems]"
Date: Tue, 26 Aug 2003 18:19:47 -0400
Subject: failed root login with shared ssh key
X-BeenThere: freebsd-questions@freebsd.org

Have several FreeBSD servers around, all with varying installs, 4.3 with a number of patches, up to a 4.7 that is relatively new.

Some maintenance on the servers that requires root is run from a master server which connects to run the command(s) via SSH. The public key for root@master_server has been distributed out to the ~root/.ssh/authorized_keys file.

I am having problems with the 4.7 box in that it will not accept the key authentication, and bounces back to asking for a password to log in as root. I cannot log in as root over ssh with a password, but that's fine, I don't want or need to. I do need to allow this server to log in using the shared public key to this (and all the) servers.

Have checked /etc/ssh/sshd_config, and "AllowRootLogin yes" is present, and it pretty much matches the other 4.3 to 4.5 installs.

Have checked /etc/ttys, and while all the ttyps do not specifically state secure, neither do they on the servers that this works fine on.

I am sure I am forgetting something stupid, just have not been able to google anything that is pointing me in the right direction.

Thanks

Dave

debug from SSH session (and no, df -k is not the command that requires root)
///
server# ssh -v target "df -k"
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to target.domain.com [123.456.789.2] port 22.
debug: Allocated local port 921.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 FreeBSD-20020702
debug: no match: OpenSSH_3.4p1 FreeBSD-20020702
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'target' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'root@server.domain.com'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication refused.
debug: Doing password authentication.
root@target's password:
Permission denied, please try again.
root@target's password: