Ryan Manikowski wrote:
On 4/6/2010 4:37 PM, Russell L. Carter wrote:
What you're trying to do here is log in to the 'root' account using your
non-root account to initiate the ssh connection. It is reading the
'id_rsa.pub' pubkey file from /home/<user>/.ssh/ and this is why it is
failing. The non-root account on the remote side (in this case, your
localhost) does not have access to ANY files in /root/ so it will never
work.
Ryan Manikowski
Ok, if that is the correct explanation, why does ssh to another
regular user account work? Why does ssh root@<some_other_older_system>
just work? I just performed the following steps:
On my main system I have two user accounts, 'rcarter' and 'sardine'. I
remove the .ssh directories from 'rcarter', 'sardine', and 'root'. I
create a new rsa key for rcarter (creates ~rcarter/.ssh) and then
ssh-copy-id -i the new key to sard...@localhost and r...@localhost,
which creates a new .ssh directory with authorized_keys for each.
Then I ssh-add the new key to the agent as rcarter.
1. $ ssh sard...@localhost logs in w/o password
2. $ ssh r...@localhost asks for password
This is reproducible on two 'testing' systems that have worked
flawlessly for at least two years each, but were both dist-upgraded
yesterday, and they now exhibit this same behavior.
HOWEVER!
I ssh-copy-id the new key created by rcarter to root on
two systems that I haven't dist-upgraded in several
weeks and then ssh root@<systemname> works fine, as it always
has. I diffed the ssh_config and sshd_configs and the only
differences were comments. So the problem would seem to be in
sshd.
transcript: (I removed root and sardine's .ssh dirs before)
rcar...@feyerabend> pwd
/home/rcarter/.ssh
rcar...@feyerabend> cd ..
rcar...@feyerabend> mv .ssh dot.ssh
rcar...@feyerabend> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rcarter/.ssh/id_rsa):
Created directory '/home/rcarter/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/rcarter/.ssh/id_rsa.
Your public key has been saved in /home/rcarter/.ssh/id_rsa.pub.
The key fingerprint is:
54:06:d2:08:a4:6d:26:9e:e0:0f:01:1a:1f:67:ff:91 rcar...@feyerabend
The key's randomart image is:
+--[ RSA 2048]----+
|o ..=..o..o |
|oo * ....+ |
|o.+ + . E |
|.o.= o . |
| oo S |
| o |
| . |
| |
| |
+-----------------+
rcar...@feyerabend> ssh-copy-id -i sard...@localhost
sard...@localhost's password:
Now try logging into the machine, with "ssh 'sard...@localhost'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
rcar...@feyerabend> ssh-copy-id -i r...@localhost
r...@localhost's password:
Now try logging into the machine, with "ssh 'r...@localhost'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
rcar...@feyerabend> slogin sard...@localhost
Enter passphrase for key '/home/rcarter/.ssh/id_rsa':
rcar...@feyerabend> ssh-add
Enter passphrase for /home/rcarter/.ssh/id_rsa:
Identity added: /home/rcarter/.ssh/id_rsa (/home/rcarter/.ssh/id_rsa)
rcar...@feyerabend> slogin sard...@localhost
Linux feyerabend 2.6.32-3-amd64 #1 SMP Wed Feb 24 18:07:42 UTC 2010 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 6 16:36:06 2010 from localhost
sard...@feyerabend> exit
logout
Connection to localhost closed.
rcar...@feyerabend> slogin r...@localhost
r...@localhost's password:
rcar...@feyerabend>
]] Devision Media Services LLC [[
www.devision.us
r...@devision.us | 716.771.2282
On 4/6/2010 4:06 PM, d.sastre.med...@gmail.com wrote:
On Tue, Apr 06, 2010 at 03:24:04PM -0400, Tony Nelson wrote:
On 10-04-06 14:12:19, Russell L. Carter wrote:
r...@feyerabend> diff -u ssh_config ssh_config.dpkg-dist
--- ssh_config 2010-04-05 21:14:26.172871668 -0700
+++ ssh_config.dpkg-dist 2010-01-04 09:05:12.000000000 -0700
@@ -17,8 +17,8 @@
# ssh_config(5) man page.
Host *
-ForwardAgent yes
-ForwardX11 yes
+# ForwardAgent no
+# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
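Review bot: Under `Host *`, the two removed lines show the local ssh_config enabling `ForwardAgent yes` and `ForwardX11 yes` for every destination, where the packaged file leaves both commented out. Scope these to named `Host` blocks for machines you trust, since a forwarded agent or X11 display can be used by whoever controls the remote end. This diff also covers only the client-side ssh_config, so a server option such as PermitRootLogin would not appear in it; the comparison that matters for a refused root key is the sshd_config one.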
I don't see any "PermitRootLogin without-password" line in your diff.
Hello,
That would disable password login for root, but does not enable per se
pubkey auth (AFAIK).
man sshd_config explains this: PermitRootLogin, PubkeyAuthentication
and AuthorizedKeysFile entries.
Regards.
Archive: http://lists.debian.org/4bbbcfad.3040...@pinyon.org
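The three sshd_config entries named in the last reply (PermitRootLogin, PubkeyAuthentication, AuthorizedKeysFile) can be read out of a server config with a short script. This is an added example, not part of the original thread: the function names and the sample file are constructed for illustration, and only the global section before the first Match block is read.

```shell
#!/bin/sh
# Added example: report the sshd_config directives that govern root pubkey login.
# Only the global section is read; Match blocks are conditional and skipped.

# first_value FILE KEYWORD: print the first global value of KEYWORD (may be empty).
first_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[^ \t=]+/)) next
            key  = tolower(substr(line, 1, RLENGTH))
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)     # blanks, optionally one "="
            sub(/[ \t]+$/, "", rest)
            if (key == "match") exit             # end of the global section
            if (key == tolower(want)) { print rest; exit }   # first value wins
        }' "$1"
}

# root_pubkey_status FILE: one-line verdict on root login with a public key.
root_pubkey_status() {
    prl=$(first_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    pka=$(first_value "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    if [ "$pka" = "no" ]; then
        echo "blocked: PubkeyAuthentication no"
    elif [ "$prl" = "no" ]; then
        echo "blocked: PermitRootLogin no"
    elif [ -z "$prl" ]; then
        echo "not set: compiled-in PermitRootLogin default applies"
    else
        echo "not blocked: PermitRootLogin $prl"
    fi
}

# Constructed sample config (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PubkeyAuthentication yes
PermitRootLogin without-password
AuthorizedKeysFile %h/.ssh/authorized_keys
EOF
root_pubkey_status "$sample"
echo "AuthorizedKeysFile: $(first_value "$sample" AuthorizedKeysFile)"
rm -f "$sample"
```

On a live server, `sshd -T` run as root prints the effective values after defaults and includes are applied, which is the authoritative view when the file leaves a directive unset.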