Mailing List Archive

pubkey works for user: why not root ?
I can ssh from my laptop to the server as a user, but using root from the
same laptop to the same server fails. root can login with a password. In
both cases I run ssh-keygen on the laptop, copy id_rsa.pub to the server, cat
id_rsa.pub >> authorized_keys, and restart sshd on the server. On the client .ssh
is 700, .ssh/id_rsa is 700. On the server .ssh is 700, authorized_keys is
644 (same as user).

What am I missing??

sean

On client:

[root@daddy ~]# ssh -vv intel64-office
OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to intel64-office [10.10.11.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'intel64-office' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug2: bits set: 532/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0xd24640)
debug2: key: /root/.ssh/id_dsa (0xd24658)
debug2: key: /root/.ssh/identity ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information


debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /root/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/identity
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

On server:

Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5
out 5 newsock 5 pipe 7 sock 8
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets
after dupping: 3, 3
Apr 18 10:04:41 intel64-office sshd[30747]: Connection from
10.10.11.69 port 33776
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol
version 2.0; client software version OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2
pat OpenSSH*
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling
compatibility mode for protocol 2.0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version
string SSH-2.0-OpenSSH_5.2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid: 74/74
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
list_hostkey_types: ssh-rsa,ssh-dss
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
client->server aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
server->client aes128-ctr hmac-md5 none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_REQUEST received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_GROUP sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
SSH2_MSG_KEX_DH_GEX_INIT
Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
SSH2_MSG_KEX_DH_GEX_REPLY sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_NEWKEYS
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS received
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method none
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for "root"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
PAM_RHOST to "daddy-hp"
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
PAM_TTY to "ssh"
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method publickey
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
pkalg/pkblob are acceptable
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
temporarily_use_uid: 0/0 (e=0/0)
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
file /root/.ssh/authorized_keys2
Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
from 10.10.11.69 port 33776 ssh2
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request
for user root service ssh-connection method password
Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password
authentication accepted for root
Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called
Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root
from 10.10.11.69 port 33776 ssh2
Re: pubkey works for user: why not root ?
Remove the first and last lines. The ones marked BEGIN and END should not be included in the key.

Eric Malenfant


----- Original Message -----
From: sean darcy [seandarcy2@gmail.com]
Sent: 04/18/2009 10:27 AM AST
To: secureshell@securityfocus.com
Subject: pubkey works for user: why not root ?

Re: pubkey works for user: why not root ?
--- On Sat, 4/18/09, sean darcy <seandarcy2@gmail.com> wrote:

> I can ssh for my laptop to the server
> as a user, but using root from
> same laptop to same server fails. root can login with
> password.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug2: key_type_from_name: unknown key type '-----END'
> debug1: identity file /root/.ssh/id_rsa type 1
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug2: key_type_from_name: unknown key type '-----END'

I'd guess you have private and public keys mixed up. Verify you put the PUBLIC key on your target server. The BEGIN/END tags appear in the private key.
Re: pubkey works for user: why not root ?
On Sat, Apr 18, 2009 at 5:12 PM, felix <felix@fkz.hr> wrote:
> Hi,
> maybe it is because of a possibly (probably) missing user name (i.e. root) in
> the AllowUsers line of your sshd_config?
>
> Felix
>
> ----- Original Message ----- From: "sean darcy" <seandarcy2@gmail.com>
> To: <secureshell@securityfocus.com>
> Sent: Saturday, April 18, 2009 4:27 PM
> Subject: pubkey works for user: why not root ?

authorized_keys doesn't have the begin or end line:

cat authorized_keys
ssh-rsa AA...............
....NklQ== root@intel64.localdomain

On both client and server, .ssh is 700:

drwx------. 2 root root 4096 2009-04-17 13:22 .ssh

The server doesn't have AllowUsers in sshd_config, see full
sshd_config below.

Thanks for any help.

sean

sshd_config - not changed from install of Fedora 11 beta, except for LogLevel:

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
LogLevel DEBUG
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
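
The permissions listed in this post (.ssh 700, authorized_keys 644) are exactly what sshd's StrictModes (left at its default of yes in the config above) examines, and the server log shows sshd did open /root/.ssh/authorized_keys. The following is an added example, not code from the thread or from OpenSSH: it re-creates that check in Python, runs it against a constructed temporary tree, and can be pointed at a real home directory; the function and file names are mine and the key line it writes is a placeholder.

```python
"""Re-create the ownership/permission test sshd applies under StrictModes.

Added example, not code from the thread or from OpenSSH.  It models
auth_secure_path() from OpenSSH's auth.c: authorized_keys must be a regular
file, and it and every directory from it up to the home directory (inclusive)
must be owned by the target user or root and must not be group- or
world-writable (mode & 022 == 0).  Directories above $HOME are not checked.
"""
import os
import stat
import tempfile


def strict_modes_problems(authorized_keys, home, uid=None):
    """List the complaints sshd would log for this key file; [] means it passes."""
    if uid is None:
        uid = os.getuid()
    path = os.path.realpath(authorized_keys)   # sshd canonicalises with realpath() too
    home = os.path.realpath(home)
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: no such file"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    while True:                                # the file first, then each parent up to $HOME
        st = os.stat(path)
        if st.st_uid not in (0, uid):
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or root")
        if st.st_mode & 0o022:
            problems.append(f"{path}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
        if path in (home, "/"):
            break
        path = os.path.dirname(path)
    return problems


def make_home(ssh_dir_mode=0o700, keys_mode=0o644, home_mode=0o755):
    """Build a throwaway home/.ssh/authorized_keys tree (constructed sample)."""
    base = tempfile.mkdtemp(prefix="strictmodes-demo-")
    home = os.path.join(base, "root")
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir)
    with open(keys, "w") as fh:
        # Placeholder line in the authorized_keys format; not a real key.
        fh.write("ssh-rsa AAAA-placeholder-not-a-real-key root@intel64.localdomain\n")
    os.chmod(home, home_mode)                  # set modes explicitly, ignoring the umask
    os.chmod(ssh_dir, ssh_dir_mode)
    os.chmod(keys, keys_mode)
    return home, keys


if __name__ == "__main__":
    # The layout described in the thread: .ssh 700, authorized_keys 644.
    home, keys = make_home()
    print("thread layout:", strict_modes_problems(keys, home) or "passes StrictModes")
    # Two layouts sshd would refuse: a group-writable .ssh and a world-writable home.
    home, keys = make_home(ssh_dir_mode=0o770)
    print("group-writable .ssh:", strict_modes_problems(keys, home))
    home, keys = make_home(home_mode=0o777)
    print("world-writable home:", strict_modes_problems(keys, home))
```

Against a real account, `strict_modes_problems('/root/.ssh/authorized_keys', '/root', 0)` returning an empty list means sshd would not refuse the file for ownership or mode reasons.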
Re: pubkey works for user: why not root ? [ In reply to ]
On Sun, Apr 19, 2009 at 1:15 PM, felix <felix@fkz.hr> wrote:
> Sean, that's the point, I guess:
>
> you have to check the line of sshd_config: PermitRootLogin (if "no" , then
> you obviously can't ..:)
> AND to add the line "AllowUsers sean root" (multiple users can be allowed,
> separated by space).
>
> Maybe this could help?
>
> Felix
>
>
> ----- Original Message ----- From: "sean darcy" <seandarcy2@gmail.com>
> To: "felix" <felix@fkz.hr>
> Cc: <secureshell@securityfocus.com>
> Sent: Sunday, April 19, 2009 4:48 PM
> Subject: Re: pubkey works for user: why not root ?
>
>
> On Sat, Apr 18, 2009 at 5:12 PM, felix <felix@fkz.hr> wrote:
>>
>> Hi,
>> maybe it is because of possibly (probably) missing user name (i.e. root)
>> in
>> the line AllowUsers of your sshd_config?
>>
>> Felix
>>
>> ----- Original Message ----- From: "sean darcy" <seandarcy2@gmail.com>
>> To: <secureshell@securityfocus.com>
>> Sent: Saturday, April 18, 2009 4:27 PM
>> Subject: pubkey works for user: why not root ?
>>
>>

But PermitRootLogin is set to the default - yes.

And I'd rather not set up AllowUsers since if I add another user, I'll
need to remember to add him.

And without AllowUsers all users can login. From the sshd_config man page:


AllowUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. If specified, login is allowed only for
user names that match one of the patterns. Only user names are
valid; a numerical user ID is not recognized. By default, login
is allowed for all users....

In any event, root can login, but only with password auth. The
problem is why not pubkey.

sean
Re: pubkey works for user: why not root ? [ In reply to ]
Check sshd config on server; root may not be allowed.
Also look at /etc/securetty.

On Sat, Apr 18, 2009 at 10:27 AM, sean darcy <seandarcy2@gmail.com> wrote:
Re: pubkey works for user: why not root ?
This does not answer your stated question, but it is good info for you to have.
Once you get the key working, alter your sshd_config file so that root logins
must have a key, rather than a password. WAY more secure.

PermitRootLogin without-password

Unca Xitron


sean darcy wrote:
> I can ssh from my laptop to the server as a user, but using root from
> same laptop to same server fails. root can login with password. In
> both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
> id_rsa.pub >> authorized_keys, restart sshd on server. On client .ssh
> is 700, .ssh/id_rsa is 700. On server .ssh is 700, authorized_keys is
> 644 ( same as user ).
>
> What am I missing??
>
> sean
>
> [...]
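Added example (not from the thread): a small POSIX shell check for the advice above. The point it makes is the one that bites people who follow it: sshd honours the first occurrence of a keyword in sshd_config and ignores any later one, so a `PermitRootLogin without-password` appended below a distro's `PermitRootLogin yes` does nothing. The script resolves the effective value the way sshd does (case-insensitive keyword, `#` comments, everything after a `Match` line treated as conditional and skipped) and classifies the resulting root-login policy. The two sample configs are constructed for the demonstration and are not the poster's real sshd_config, and the parser assumes the plain `keyword value` syntax. `without-password` was renamed `prohibit-password` in OpenSSH 7.0, which still accepts the old spelling.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the *effective* PermitRootLogin
# value of an sshd_config the way sshd does.  sshd keeps the FIRST value it
# reads for a keyword and silently ignores later ones, so appending
# "PermitRootLogin without-password" to the bottom of a file that already says
# "PermitRootLogin yes" changes nothing.  Keywords are case-insensitive and
# "#" starts a comment.  Assumed simplifications: "keyword value" syntax only
# (no "keyword=value"), and everything after the first "Match" line is
# skipped because values there apply only conditionally.
set -e

# effective_value KEYWORD  (config on stdin) -> first value set, or "(default)"
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                   # drop comments; fields are re-split
        NF == 0 { next }                     # blank line
        tolower($1) == "match" { skip = 1 }  # conditional block: ignore from here on
        skip { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    '
}

# root_policy  (config on stdin) -> root-password-allowed | root-key-only |
# root-forced-commands-only | root-denied.  "(default)" is treated as "yes",
# the compiled-in default until OpenSSH 7.0 changed it to prohibit-password.
root_policy() {
    case "$(effective_value PermitRootLogin)" in
        yes|"(default)")                    echo root-password-allowed ;;
        without-password|prohibit-password) echo root-key-only ;;   # prohibit-password: 7.0+ spelling
        forced-commands-only)               echo root-forced-commands-only ;;
        no)                                 echo root-denied ;;
        *)                                  echo unknown ;;
    esac
}

# Constructed sample configs (not the poster's real sshd_config).
# The "fix" was appended below an existing "yes", so it never takes effect.
weak_config() {
    cat <<'EOF'
# distro default
PermitRootLogin yes
PasswordAuthentication yes
# added after reading the thread -- but sshd already took "yes" above
PermitRootLogin without-password
EOF
}

# Corrected: the only PermitRootLogin line says without-password, so root must
# present a key while ordinary users may still use passwords.
fixed_config() {
    cat <<'EOF'
PermitRootLogin without-password
PasswordAuthentication yes
EOF
}

echo "weak  config -> $(weak_config  | root_policy)"   # root-password-allowed
echo "fixed config -> $(fixed_config | root_policy)"   # root-key-only
```

On the server itself the authoritative check is `sshd -T | grep -i permitrootlogin` (extended test mode, OpenSSH 5.1 and later), run as root after `sshd -t` has validated the file and before sshd is reloaded. One caveat for the OpenSSH 5.2 in the trace: before 7.0, `without-password` blocked only the `password` method, so a server that also offers keyboard-interactive (this one does not; the client trace lists only publickey, gssapi-with-mic and password) would still let root in with a PAM password unless `ChallengeResponseAuthentication no` is set as well.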
RE: pubkey works for user: why not root ?
The "-----BEGIN" and "-----END" lines are typical of keys that are formatted for the commercial SSH.COM server. There should be a parameter that you can pass to "keygen" to convert an SSH.COM key to an OpenSSH key.

Tom Pfister

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Eric_Malenfant@Mitel.com
Sent: Saturday, April 18, 2009 3:37 PM
To: sean darcy; secureshell
Subject: Re: pubkey works for user: why not root ?

Remove the 1st and last lines. The ones marked begin and end should not be included in the key.

Eric Malenfant


----- Original Message -----
From: sean darcy [seandarcy2@gmail.com]
Sent: 04/18/2009 10:27 AM AST
To: secureshell@securityfocus.com
Subject: pubkey works for user: why not root ?



I can ssh from my laptop to the server as a user, but using root from
same laptop to same server fails. root can login with password. In
both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
id_rsa.pub >> authorized_keys, restart sshd on server. On client .ssh
is 700, .ssh/id_rsa is 700. On server .ssh is 700, authorized_keys is
644 ( same as user ).

What am I missing??

sean

[...]
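Added example, not code from the thread, for the checks a practitioner runs when the server says `trying public key file /root/.ssh/authorized_keys` followed by `Failed publickey for root`. Two caveats on the replies above first. The `key_type_from_name: unknown key type '-----BEGIN'` lines in the client trace are emitted whenever the OpenSSH client tries to read a PEM private key file through its public-key reader before falling back to the `.pub` file; the trace then reports `identity file /root/.ssh/id_rsa type 1`, meaning the RSA public key loaded fine, so those lines on their own do not indicate an SSH.COM-format key. When a key really is in SSH.COM (RFC 4716) format, the conversion Tom refers to is `ssh-keygen -i -f key.pub` (import; `-e` exports the other way). The script below classifies a key file by format, checks whether a public key is present in an authorized_keys file the way sshd checks it (key type plus base64 blob; options prefix and comment are ignored), and applies StrictModes' ownership and write-bit rules to the home directory, `.ssh` and `authorized_keys`. Assumptions: `ls -ld` output in the usual `mode links owner ...` layout, and key blobs that are constructed placeholders for the demonstration, not valid keys.

```shell
#!/bin/sh
# Added example, not code from the thread.  When sshd logs "trying public key
# file /root/.ssh/authorized_keys" and then "Failed publickey for root", the
# file was opened but the offered key was rejected.  Three checks cover the
# usual causes: the key file is in a format sshd does not read, the offered key
# (type + base64 blob, which is all sshd compares; options and comment are
# ignored) is simply not in the file, or StrictModes refuses the path.
# All key material below is a constructed placeholder, not a real key.
set -e

# key_format FILE -> openssh-public | rfc4716-public | pem-private | openssh-private | unknown
key_format() {
    case "$(head -n 1 "$1")" in
        "---- BEGIN SSH2 PUBLIC KEY ----"*)     echo rfc4716-public ;;  # SSH.COM style; import with: ssh-keygen -i -f FILE
        "-----BEGIN OPENSSH PRIVATE KEY-----"*) echo openssh-private ;;
        "-----BEGIN "*"PRIVATE KEY-----"*)      echo pem-private ;;     # the id_rsa in the trace; never copy this one
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) echo openssh-public ;;
        *)                                      echo unknown ;;
    esac
}

# key_authorized PUBFILE AUTHKEYS -> exit 0 if PUBFILE's "type blob" occurs on a
# non-comment line of AUTHKEYS, after any options prefix and before any comment.
key_authorized() {
    want=$(awk 'NF >= 2 { print $1, $2; exit }' "$1")
    awk -v want="$want" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/ && $(i + 1) ~ /^AAAA/) {
                    if (($i " " $(i + 1)) == want) { hit = 1; exit }
                    break
                }
        }
        END { exit !hit }
    ' "$2"
}

# strictmodes_ok USER HOME -> exit 0 if HOME, HOME/.ssh and HOME/.ssh/authorized_keys
# are owned by USER or root and are not group- or world-writable, which is what
# sshd's StrictModes (default yes) insists on before it trusts the file.
strictmodes_ok() {
    for p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)            # e.g. drwx------
        owner=$(ls -ld "$p" | awk '{ print $3 }')
        case "$mode" in ?????w*|????????w*) echo "group/world-writable: $p"; return 1 ;; esac
        case "$owner" in "$1"|root) ;; *) echo "owned by $owner, not $1: $p"; return 1 ;; esac
    done
}

# make_fixture -> prints a temp "home" holding constructed sample files: an
# OpenSSH .pub, its PEM private key, an SSH.COM-format .pub, and an
# authorized_keys that lists the OpenSSH key behind an options prefix.
make_fixture() {
    d=$(mktemp -d); chmod 700 "$d"; mkdir -m 700 "$d/.ssh"
    blob='AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholderNotARealKey=='
    echo "ssh-rsa $blob root@daddy" > "$d/id_rsa.pub"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa"
    printf -- '---- BEGIN SSH2 PUBLIC KEY ----\nComment: "placeholder"\n%s\n---- END SSH2 PUBLIC KEY ----\n' "$blob" > "$d/sshcom.pub"
    {
        echo '# keys allowed to log in as root'
        echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderOtherKey== sean@laptop'
        echo "from=\"10.10.11.0/24\",no-agent-forwarding ssh-rsa $blob root@daddy"
    } > "$d/.ssh/authorized_keys"
    chmod 644 "$d/.ssh/authorized_keys"
    echo "$d"
}

home=$(make_fixture)
for f in id_rsa.pub id_rsa sshcom.pub; do echo "$f: $(key_format "$home/$f")"; done
key_authorized "$home/id_rsa.pub" "$home/.ssh/authorized_keys" && echo "id_rsa.pub is in authorized_keys"
strictmodes_ok "$(id -un)" "$home" && echo "StrictModes checks pass"
chmod g+w "$home/.ssh"                       # the classic silent failure
strictmodes_ok "$(id -un)" "$home" || echo "sshd would now ignore authorized_keys"
rm -rf "$home"
```

Nothing in the server trace says `Authentication refused: ...`, which is the line sshd logs when StrictModes rejects the path, so for the posted case the key comparison is the first thing to check: the blob appended to `/root/.ssh/authorized_keys` must be the one from the key root on the laptop is offering (`/root/.ssh/id_rsa.pub`, not an ordinary user's), compared as above or by `ssh-keygen -lf` fingerprints. On SELinux-enforcing hosts a copied `authorized_keys` can also carry a security context sshd cannot read; `restorecon -Rv /root/.ssh` resets it.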
Re: pubkey works for user: why not root ?
Benny Helms wrote:
>
> This does not answer your stated question, but it is good info for you to have.
> Once you get the key working, alter your sshd_config file so that root logins
> must have a key, rather than a password. WAY more secure.
>
> PermitRootLogin without-password
>
> Unca Xitron
>

That's exactly what I plan to do!

sean
> sean darcy wrote:
>> I can ssh from my laptop to the server as a user, but using root from
>> same laptop to same server fails. root can login with password. In
>> both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
>> id_rsa.pub >> authorized_keys, restart sshd on server. On client .ssh
>> is 700, .ssh/id_rsa is 700. On server .ssh is 700, authorized_keys is
>> 644 ( same as user ).
>>
>> What am I missing??
>>
>> sean
>>
>> On client:
>>
>> [root@daddy ~]# ssh -vv intel64-office
>> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Applying options for *
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to intel64-office [10.10.11.1] port 22.
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/identity type -1
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug1: identity file /root/.ssh/id_rsa type 1
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug1: identity file /root/.ssh/id_dsa type 2
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
>> debug1: match: OpenSSH_5.2 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_5.2
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>> debug2: kex_parse_kexinit:
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,zlib@openssh.com
>> debug2: kex_parse_kexinit: none,zlib@openssh.com
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: mac_setup: found hmac-md5
>> debug1: kex: server->client aes128-ctr hmac-md5 none
>> debug2: mac_setup: found hmac-md5
>> debug1: kex: client->server aes128-ctr hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug2: dh_gen_key: priv key bits set: 128/256
>> debug2: bits set: 506/1024
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host 'intel64-office' is known and matches the RSA host key.
>> debug1: Found key in /root/.ssh/known_hosts:6
>> debug2: bits set: 532/1024
>> debug1: ssh_rsa_verify: signature correct
>> debug2: kex_derive_keys
>> debug2: set_newkeys: mode 1
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug2: set_newkeys: mode 0
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug2: service_accept: ssh-userauth
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug2: key: /root/.ssh/id_rsa (0xd24640)
>> debug2: key: /root/.ssh/id_dsa (0xd24658)
>> debug2: key: /root/.ssh/identity ((nil))
>> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> No credentials cache found
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> No credentials cache found
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>>
>>
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: /root/.ssh/id_rsa
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>> debug1: Offering public key: /root/.ssh/id_dsa
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
>> debug1: Trying private key: /root/.ssh/identity
>> debug2: we did not send a packet, disable method
>> debug1: Next authentication method: password
>>
>> On server:
>>
>> Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5
>> out 5 newsock 5 pipe 7 sock 8
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets
>> after dupping: 3, 3
>> Apr 18 10:04:41 intel64-office sshd[30747]: Connection from
>> 10.10.11.69 port 33776
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol
>> version 2.0; client software version OpenSSH_5.2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2
>> pat OpenSSH*
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling
>> compatibility mode for protocol 2.0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version
>> string SSH-2.0-OpenSSH_5.2
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid: 74/74
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> list_hostkey_types: ssh-rsa,ssh-dss
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
>> client->server aes128-ctr hmac-md5 none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:
>> server->client aes128-ctr hmac-md5 none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REQUEST received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> SSH2_MSG_KEX_DH_GEX_GROUP sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting
>> SSH2_MSG_KEX_DH_GEX_INIT
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1:
>> SSH2_MSG_KEX_DH_GEX_REPLY sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_NEWKEYS
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS received
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method none
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for "root"
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
>> PAM_RHOST to "daddy-hp"
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting
>> PAM_TTY to "ssh"
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method publickey
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
>> pkalg/pkblob are acceptable
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
>> from 10.10.11.69 port 33776 ssh2
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method publickey
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1
>> Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether
>> pkalg/pkblob are acceptable
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
>> temporarily_use_uid: 0/0 (e=0/0)
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
>> file /root/.ssh/authorized_keys2
>> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0
>> Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root
>> from 10.10.11.69 port 33776 ssh2
>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request
>> for user root service ssh-connection method password
>> Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2
>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password
>> authentication accepted for root
>> Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called
>> Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root
>> from 10.10.11.69 port 33776 ssh2
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQIcBAEBAgAGBQJJ7Jo7AAoJEI4JEV90z/PrYyAP/0QGz7Vyjm7Hf3UWl3ZEp7CM
> NpBZXS/kQDVWFxtK4PtQa7he1+yMEwOAXctP2pltBcGi+xVqIgqwJIjOCpCi4Y24
> t81IfrfqkvI5WjXPb/FNfXV792Bel9qlOCSrXD2iN8OmYqVh484thzfUGm2KCLb6
> yysvKbYnj++8GoUfmlaOQHlGCRyqfEOzP1q9rrreBF14lwAU6PA5R3z34LU8bNL0
> N60fLQLtbIZ3Z6eCSA/LJqrNrdRlLVuLpu29Pk/pqGt9qBPbTFlQ+6xpTsbwjj7u
> Hl9r28VKoVXaf/3Xa7w8zjErxQG8QXb9TQ1HHNVlf+x6GYfSkUjdoN0J9NAG70O4
> LmZd4winf1A3Rr+ulzigZxZuPN+vvtt6lUcF5ab5P5mh1Cl++HLRzkMF5/CEccgm
> 0gtdPAVO+zQEztRvbxF0Si6IKTbupuYUDxvMdzTySFfRe3lRAASB12cqV3eOO3Xf
> MDe5MRhGQ/Rk93huQf+dNyJ1RT1Jpg51M7ZYNnnCzCs/IqTyFaU6vWKJBz8MDOPX
> dQkm7RCp+zjFmzNkMU2jOLzPVgs5N2BPRAW/LXP63ob81nq7+nYhlstWdsC8CBQp
> tJlfDZjJkD6viRhbob5+d4+F0P1YZr+7WU7tTCDfVVsQmG2Glrwj7YVb1HC4Nk8F
> 39OBATE6IjI+0uro60kj
> =t6tG
> -----END PGP SIGNATURE-----
>
Re: pubkey works for user: why not root ?
On Sat, Apr 18, 2009 at 10:27:00AM -0400, sean darcy wrote:
> I can ssh for my laptop to the server as a user, but using root from
> same laptop to same server fails. root can login with password.

http://mywiki.wooledge.org/SshKeys

> both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat
> id_rsa.pub >> authorized_keys, restart sshd on server.

Restarting sshd isn't necessary.

> On client .ssh
> is 700, .ssh/id_rsa is 700.

Client permissions probably don't matter. At least, I've never seen a
case where they do.

> On server .ssh is 700, authorized_keys is
> 644 ( same as user ).
>
> What am I missing??

The REST of the server-side permissions, most likely. Including the
permissions of /root (or whatever ~root is), and any parent directories
thereof.

> On client:
>
> [root@daddy ~]# ssh -vv intel64-office

Snip.

> On server:
[...]
> Apr 18 10:04:41 intel64-office sshd[30747]: debug1:
> temporarily_use_uid: 0/0 (e=0/0)
> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key
> file /root/.ssh/authorized_keys
> Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0

I hate this silence in the server-side logging. Compare to what I see
when I successfully log in with pubkey auth:

...
debug1: temporarily_use_uid: 563/22 (e=0/3)
debug1: trying public key file /net/home/wooledg/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /net/home/wooledg/.ssh/authorized_keys, line 1
Found matching RSA key: 9d:58:1d:f9:e5:0b:72:33:3a:93:62:e7:1e:f5:bf:df
debug1: restore_uid: 0/3
debug1: ssh_rsa_verify: signature correct
Accepted publickey for wooledg from 127.0.0.1 port 2879 ssh2
...

I would assume the gaping silence in your logs in between "trying
public key file ...authorized_keys" and "restore_uid: 0/0" is a failure
to open the public key file, though I really wish sshd would say WHY
it failed to open the public key file.

In any case, I'm betting the problem is "permissions of some parent
directory of ~/.ssh".

http://mywiki.wooledge.org/SshKeys
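The reply above points at "the REST of the server-side permissions": sshd's StrictModes check walks from authorized_keys up through every parent directory to the user's home, and rejects the file if any of them is not owned by root or the user, or is group- or world-writable. The script below is an added diagnostic written for this thread; it is not code from the list post and not OpenSSH's own implementation, only a re-creation of that rule in POSIX shell so you can see which path component is at fault before reaching for sshd's debug output. It assumes a `stat` that accepts `-c '%u'` and `-c '%A'` (GNU or busybox); the `alice` home tree it builds for the demo is a constructed fixture in a temporary directory, not anything from the thread.

```shell
#!/bin/sh
# Added diagnostic (constructed, not OpenSSH code, not from the list post):
# re-implements the gist of sshd's StrictModes check on authorized_keys.
# sshd refuses the key file if it, or any directory from its parent up to
# and including the user's home, is not owned by root or the user, or is
# group- or world-writable. Requires GNU/busybox `stat -c`.

# check_keys_path FILE UID HOME
# Returns 0 if FILE and every directory up to and including HOME pass;
# otherwise prints the first offending path and returns 1.
check_keys_path() {
    path=$1; uid=$2; home=$3
    [ -f "$path" ] || { echo "cannot read $path"; return 1; }
    while :; do
        owner=$(stat -c '%u' "$path") || return 1
        perms=$(stat -c '%A' "$path") || return 1   # e.g. drwxrwxr-x
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "bad ownership: $path is owned by uid $owner, not root or uid $uid"
            return 1
        fi
        # 6th character is the group write bit, 9th is the world write bit
        case $perms in
            ?????w*|????????w*)
                echo "bad modes: $path is $perms (group/world-writable)"
                return 1 ;;
        esac
        # sshd stops once it has checked the home directory (or reaches /)
        [ "$path" = "$home" ] && break
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    echo "ok: $1 and its parents up to $home would pass StrictModes"
    return 0
}

# make_fixture: build a throwaway home tree (constructed sample data) with a
# correctly permissioned .ssh directory and key file; print the tree's root.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/alice/.ssh"
    : > "$root/home/alice/.ssh/authorized_keys"
    chmod 755 "$root/home/alice"
    chmod 700 "$root/home/alice/.ssh"
    chmod 644 "$root/home/alice/.ssh/authorized_keys"
    echo "$root"
}

# demo_strict_modes: a group-writable home directory alone is enough to make
# the check fail even though .ssh is 700 and authorized_keys is 644, and
# chmod 755 on the home directory fixes it. Returns 0 if both hold.
demo_strict_modes() {
    root=$(make_fixture) || return 1
    home=$root/home/alice
    keys=$home/.ssh/authorized_keys
    me=$(id -u)
    status=0
    chmod 775 "$home"
    if check_keys_path "$keys" "$me" "$home"; then
        echo "unexpected: group-writable home accepted"; status=1
    fi
    chmod 755 "$home"
    if ! check_keys_path "$keys" "$me" "$home"; then
        echo "unexpected: correct permissions rejected"; status=1
    fi
    rm -rf "$root"
    return $status
}

# Usage: sh check_keys_path.sh /root/.ssh/authorized_keys 0 /root
# With no arguments, run the self-contained demo on the fixture instead.
if [ $# -eq 3 ]; then
    check_keys_path "$1" "$2" "$3"
else
    demo_strict_modes
fi
```

For the case in the thread you would run it on the server as `sh check_keys_path.sh /root/.ssh/authorized_keys 0 /root`; because root's home is usually a direct child of `/`, the only components inspected are the key file, `/root/.ssh`, and `/root` itself, so a group-writable `/root` is the kind of thing that produces the silent failure described above while a normal user's tree passes. The script only reports; it changes nothing, so it is safe to run on a production host.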