Remove the 1st and last lines .. The ones marked begin and end should not be =
included in the key.

Eric Malenfant


----- Original Message -----
From: sean darcy [***@gmail.com]
Sent: 04/18/2009 10:27 AM AST
To: ***@securityfocus.com
Subject: pubkey works for user: why not root ?



I can ssh for my laptop to the server as a user, but using root from
same laptop to same server fails. root can login with password. In
both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
id_rsa.pub >> authorized_keys, restart sshd on server. On client .ssh
is 700, .ssh/id_rsa is 700. On server .ssh is 700, authorized_keys is
644 ( same as user ).

What am I missing??

sean

On client:

[***@daddy ~]# ssh -vv intel64-office
OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to intel64-office [10.10.11.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffi=
e-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,bl=
owfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu=
.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,bl=
owfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu=
.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.=
com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.=
com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffi=
e-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,bl=
owfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu=
.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,bl=
owfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.liu=
.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.=
com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-***@openssh.com,hmac-ripemd160,hmac-***@openssh.=
com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'intel64-office' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug2: bits set: 532/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0xd24640)
debug2: key: /root/.ssh/id_dsa (0xd24658)
debug2: key: /root/.ssh/identity ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information


debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /root/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/identity
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

On server:

Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5
out 5 newsock 5 pipe 7 sock 8
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets
after dupping: 3, 3
Apr 18 10:04:41 intel64-office sshd[30747]: Connection from
10.10.11.69 port 33776
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol
version 2.0; client software version OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2
pat OpenSSH*
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling
compatibility mode for protocol 2.0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version
string SSH-2.0-OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid: 74/74
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
list_hostkey_types: ssh-rsa,ssh-dss
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
client->server aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
server->client aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_REQUEST received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_GROUP sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
SSH2_MSG_KEX_DH_GEX_INIT
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_REPLY sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_NEWKEYS
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for "ro=
ot"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
PAM_RHOST to "daddy-hp"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
PAM_TTY to "ssh"
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=3D0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=3D0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=3D0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=3D0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method password
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password
authentication accepted for root
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called
Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root
from 10.10.11.69 port 33776 ssh2

I'd guess you have private and public keys mixed up. Verify you put the PUBLIC key on your target server. The BEGIN/END tags appear in the private key.

in
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysa=
tor.liu.se
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysa=
tor.liu.se
nssh.com,hmac-sha1-96,hmac-md5-96
nssh.com,hmac-sha1-96,hmac-md5-96
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysa=
tor.liu.se
bc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysa=
tor.liu.se
nssh.com,hmac-sha1-96,hmac-md5-96
nssh.com,hmac-sha1-96,hmac-md5-96
ion
ion
ion
t
t
r
ed
authorized_keys doesn't have the begin or end line:

cat authorized_keys
ssh-rsa AA...............
....NklQ=3D=3D ***@intel64.localdomain

On both client and server, .ssh is 700:

drwx------. 2 root root 4096 2009-04-17 13:22 .ssh

The server doesn't have AllowUsers in in sshd_config, see full
sshd_config below.

Thanks for any help.

sean

sshd_config - not changed from install of Fedora 11 beta, except for LogLe=
vel:

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=3D/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAG=
ES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

n
,
2
,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lys=
ator.liu.se
cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lys=
ator.liu.se
enssh.com,hmac-sha1-96,hmac-md5-96
enssh.com,hmac-sha1-96,hmac-md5-96
,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lys=
ator.liu.se
cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lys=
ator.liu.se
enssh.com,hmac-sha1-96,hmac-md5-96
enssh.com,hmac-sha1-96,hmac-md5-96
n
n
n
nt
nt
0
or
0
1
2
ts
But PermitRootLogin is set to the default - yes.

And I'd rather not set up AllowUsers since if I add another user, I'll
need to remember to add him.

And without AllowUsers all users can login. From the sshd_config man page:


AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. Only user names ar=
e
valid; a numerical user ID is not recognized. By default, log=
in
is allowed for all users....

In any event, root can login, but only with password auth. The
problem is why not pubkey.

sean

Check sshd config on server; root may not be allowed.
Also look at /etc/securetty.
iffie-hellman-group14-sha1,diffie-hellman-group1-sha1
c,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysat=
or.liu.se
c,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysat=
or.liu.se
ssh.com,hmac-sha1-96,hmac-md5-96
ssh.com,hmac-sha1-96,hmac-md5-96
iffie-hellman-group14-sha1,diffie-hellman-group1-sha1
c,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysat=
or.liu.se
c,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysat=
or.liu.se
ssh.com,hmac-sha1-96,hmac-md5-96
ssh.com,hmac-sha1-96,hmac-md5-96
word
on
on
on
word
word
74/74
ived
WKEYS
ived
"root"
d

This does not answer your stated question, but it is good info for you to have.
Once you get the key working, alter your sshd_config file so that root logins
must have a key, rather than a password. WAY more secure.

PermitRootLogin without-password

Unca Xitron

That's exactly what I plan to do!

sean

http://mywiki.wooledge.org/SshKeys
Restarting sshd isn't necessary.
Client permissions probably don't matter. At least, I've never seen a
case where they do.
The REST of the server-side permissions, most likely. Including the
permissions of /root (or whatever ~root is), and any parent directories
thereof.
Snip.
[...]
I hate this silence in the server-side logging. Compare to what I see
when I successfully login with pubkey auth:

...
debug1: temporarily_use_uid: 563/22 (e=0/3)
debug1: trying public key file /net/home/wooledg/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /net/home/wooledg/.ssh/authorized_keys, line 1
Found matching RSA key: 9d:58:1d:f9:e5:0b:72:33:3a:93:62:e7:1e:f5:bf:df
debug1: restore_uid: 0/3
debug1: ssh_rsa_verify: signature correct
Accepted publickey for wooledg from 127.0.0.1 port 2879 ssh2
...

I would assume the gaping silence in your logs in between "trying
public key file ...authorized_keys" and "restore_uid: 0/0" is a failure
to open the public key file, though I really wish sshd would say WHY
it failed to open the public key file.

In any case, I'm betting the problem is "permissions of some parent
directory of ~/.ssh".

http://mywiki.wooledge.org/SshKeys