SSH keys for root

I've spent all morning trying to log in to a Red Hat machine with the root user using a key generated by ssh-keygen. It all works fine for a non-root user so there must be some setting blocking root. I'm also able to ssh in as root fine without the key (by entering the password).

One of the things I've tried is to copy the authorizedkeys2 file from the user I've got it working on to root/.ssh/ to make sure there are no typos.

The funny thing is that it used to work and I don't recall doing anything to change this.

Can anyone think of any settings that would stop it working that I can take a look at?

Cheers
 
Silent Bob said:
I've spent all morning trying to log in to a Red Hat machine with the root user using a key generated by ssh-keygen. It all works fine for a non-root user so there must be some setting blocking root. I'm also able to ssh in as root fine without the key (by entering the password).

One of the things I've tried is to copy the authorizedkeys2 file from the user I've got it working on to root/.ssh/ to make sure there are no typos.

The funny thing is that it used to work and I don't recall doing anything to change this.

Can anyone think of any settings that would stop it working that I can take a look at?

Cheers

Are the permissions on your private key 400?

Have you tried running ssh with maximum verbosity? (ssh -vvv host)

Have you tried running sshd as a single foreground session with maximum verbosity?
 
Thanks for the reply.
I've checked the permissions on all the files and everything there is fine. When running the ssh client -vvv I get the following:

Code:
debug1: Offering public key: /root/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

I've read through it and couldn't really see anything helpful. Unfortunately I'm unable to run sshd in the foreground as loads of other people use it and I will get loads of angry people coming over if I cut them off :(

I've been reading that the /etc/securetty file says how root can login. But I guess if there was a problem there I wouldn't be able to login with root using ssh at all.
 
Looks like it doesn't like your key, a successful shared key login goes like this:

Code:
debug1: Offering public key: /home/user/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key:

Aside from double checking your local /root/.ssh/id_dsa.pub and remote /root/.ssh/authorized_keys all I can think of is your sshd_config, such as the keys file is correctly specified and that PermitRootLogin is ok (not set to 'no', I think), but you mentioned that password login works though, so it should be.
 
This is getting crazy now.

I've copied the authorized_keys file into .ssh/ for another user and connecting to that user works fine. Then I copied the sshd_conf file onto another machine and tried connecting to root on there. Again that works fine. I think I can rule out anything in the sshd_conf file, and anything to do with the key files or authorized_keys file. The only other thing I can think of is there must be some obscure security configuration file somewhere which disables ssh keys for the root user, but not by logging in using a password.

I've also tried connecting with an ssh client from Windows using the same private key (the public key is in both the normal user's and root's authorized_keys files). There I'm able to connect to a non-root user but when I connect using root I get "Server refused our public key"
 
Are you sure the server is accepting ssh root logins? It's not uncommon to have it disabled.
 
The only sshd_config I could find was in /etc/ssh/. I'm sure it's not a problem with sshd as it was working a few weeks back and the configuration file hasn't been changed for years.
 
Check the contents of authorized keys - also the permissions should be as follows.

:/root/.ssh# ls -al
total 28
drwx------ 2 root root 4096 2007-01-08 01:52 .
drwxr-xr-x 25 root root 4096 2007-03-15 18:25 ..
-rw------- 1 root root 7350 2006-11-28 13:55 authorized_keys
-rw------- 1 root root 1192 2006-11-28 15:41 id_dsa
-rw------- 1 root root 1122 2006-11-28 15:41 id_dsa.pub
-rw-r--r-- 1 root root 1694 2007-01-24 18:42 known_hosts

Authorised keys should be in the correct format as per id_dsa.pub
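
The permission and sshd_config checks raised in this thread, as an added example that is not part of any post: with StrictModes enabled (the default), sshd ignores authorized_keys when the home directory, .ssh, or the key file is group/other writable or owned by someone other than the user or root. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat and StrictModes yes.

# Print each path sshd would reject when reading authorized_keys for UID:
# owner is neither UID nor root, or the group/other write bit is set.
insecure_paths() {
    home_dir=$1
    uid=$2
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "$p: missing"
            continue
        fi
        mode=$(stat -c %a "$p")
        owner=$(stat -c %u "$p")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "$p: owned by uid $owner"
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: mode $mode is group/other writable"
        fi
    done
}

# Print the global value of an sshd_config keyword. sshd keeps the first
# occurrence and keywords are case-insensitive; Match blocks are not parsed.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Constructed demo: a scratch "home" with correct .ssh modes but a
# group-writable top directory, plus a two-line sample sshd_config.
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
chmod 770 "$demo"
insecure_paths "$demo" "$(id -u)"
printf '#PermitRootLogin no\nPermitRootLogin without-password\n' > "$demo/sshd_config"
sshd_setting "$demo/sshd_config" PermitRootLogin
rm -rf "$demo"
```

On a real host the equivalent calls are `insecure_paths /root 0` and `sshd_setting /etc/ssh/sshd_config PermitRootLogin`, run as root so every path is readable.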
 