Hi, I've just experienced a strange problem with OpenSSH. Scenario:
/etc/ssh/sshd_config: PermitRootLogin without-password => root login with ssh keys works, as expected.

I've created another user, uid 1000, on the same box, and copied root's authorized_keys file over, adjusted ownership, permissions etc. => SSH login (from the same remote user) does _NOT_ work.

I've added that user to the group 'wheel' => SSH login works.

I've removed said user from the group 'wheel' => SSH login no longer works.

In sshd(8), there is no mention of key login requiring wheel membership.

This is what a non-working login attempt looks like on the server side. SSH asks for a password (this is locked):

# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37071
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user admin service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=admin devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
Connection closed by 192.168.1.6
debug1: do_cleanup
debug1: do_cleanup

The same thing after adding the user to the group 'wheel':

# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37076
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user admin service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for admin from 192.168.1.6 port 37076 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: matching key found: file /H/admin/.ssh/authorized_keys, line 1
Found matching RSA key: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug1: restore_uid: 0/0
Postponed publickey for admin from 192.168.1.6 port 37076 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: matching key found: file /H/admin/.ssh/authorized_keys, line 1
Found matching RSA key: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
Accepted publickey for admin from 192.168.1.6 port 37076 ssh2
debug1: monitor_child_preauth: admin has been authenticated by privileged process
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/ttyp1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 28222
debug1: session_exit_message: session 0 channel 0 pid 28222
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/ttyp1
debug1: session_pty_cleanup: session 0 release /dev/ttyp1
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 192.168.1.6
debug1: do_cleanup
Closing connection to 192.168.1.6

Of course, when I'm in ~admin:

# ls -altR .ssh
total 12
-rw-------  1 admin  admin  782 Sep 10 12:19 authorized_keys
drwx------  2 admin  admin  512 Sep 10 12:10 .
drwx------  3 admin  admin  512 Sep 10 12:09 ..

I'd rather not be forced to add every user to the 'wheel' group, only to permit key-based login. What gives?

Kind regards,
--Toni++
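An added diagnostic, not part of Toni's post and not an OpenSSH tool: the debug output shows sshd switching to uid 1000 (temporarily_use_uid) before "trying public key file /H/admin/.ssh/authorized_keys", and the key is only found once the user is in wheel, so whether uid 1000 can actually reach the file through every parent directory is the first thing to confirm. The script replays that component-by-component permission check for a given uid and set of gids and names the first component that denies access; the sample tree in its usage (a /H owned by root:wheel with mode 0710) is a constructed assumption, not something the post states.

```python
import os
import stat
import sys
from collections import namedtuple

# One path component as sshd sees it: absolute path, owner uid, owner gid, st_mode.
Entry = namedtuple("Entry", "path uid gid mode")


def path_entries(path):
    """Stat every component of `path` on the live filesystem, starting at /."""
    parts = [p for p in os.path.realpath(path).split(os.sep) if p]
    entries = []
    for i in range(len(parts) + 1):
        p = os.sep + os.sep.join(parts[:i])
        st = os.stat(p)
        entries.append(Entry(p, st.st_uid, st.st_gid, st.st_mode))
    return entries


def _allowed(e, uid, gids, ubit, gbit, obit):
    """Unix check: root passes; else owner bits, else group bits (any of gids), else other."""
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & ubit)
    if e.gid in gids:
        return bool(e.mode & gbit)
    return bool(e.mode & obit)


def first_blocker(entries, uid, gids):
    """First component uid/gids cannot pass (dir search / file read), or None."""
    for e in entries:
        if stat.S_ISDIR(e.mode):
            ok = _allowed(e, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
        else:
            ok = _allowed(e, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
        if not ok:
            return e.path
    return None


if __name__ == "__main__":
    # Usage: keypath_check.py /H/admin/.ssh/authorized_keys 1000 1000 [more gids]
    # (key file, the user's uid, then every gid the user is in; wheel is gid 0 on BSD)
    uid, gids = int(sys.argv[2]), [int(g) for g in sys.argv[3:]]
    print(first_blocker(path_entries(sys.argv[1]), uid, gids) or "every component accessible")
```

Run it twice, once with only the user's own gid and once with gid 0 added, to see whether wheel membership is what changes the answer.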