Hello,
 
If this has been already posted please forgive me as an archive search did
not come up with anything.
 
I have been trying to set up OpenSSH 2.9p2 to allow Pubkey Authentication to
the root user.  I have added 'PubkeyAuthentication yes' and set
'PermitRootLogin forced-commands-only' in my sshd_config file.  I then
created a DSA keypair and copied the DSA public key into the root's
.ssh/authorized_keys2 file.  Whenever I attempt to SSH as root using the DSA
public key, I am prompted for the root password (even when I specify the
private key on the command line while executing ssh .... ssh -v -2 -i
~/.ssh/id_dsa root@localhost "cat /etc/shadow").  I
have disabled 'forced-commands-only' and changed it to both
'without-password' and 'yes' which, in both cases, works fine with the same
command line (of course, restarting SSHD before attempting).
 
The full log of my commands is below.
 
Is there another option I am missing within the sshd_config file?  Could
this be a bug in the code?
 
Thanks.
 
/----snip----/
 
# cat /etc/opt/openssh/sshd_config
Port 22
Protocol 2,1
HostKey /etc/opt/openssh/ssh_host_dsa_key
HostKey /etc/opt/openssh/ssh_host_rsa_key
HostKey /etc/opt/openssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin forced-commands-only
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail yes
UseLogin no
Subsystem      sftp    /opt/openssh/libexec/sftp-server
# id ; diff -c ~ray/.ssh/id_dsa.pub /.ssh/authorized_keys2
uid=0(root) gid=1(other)
No differences encountered
# exit
$ /opt/openssh/bin/ssh -v -2 -i ~/.ssh/id_dsa root@localhost "cat /etc/shadow"
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/opt/openssh/ssh_config
debug1: Applying options for *
debug1: Seeded RNG with 22 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 4028 geteuid 4028 anon 1
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: temporarily_use_uid: 4028/1 (e=4028)
debug1: restore_uid
debug1: temporarily_use_uid: 4028/1 (e=4028)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /export/home/ray/.ssh/id_dsa type 2
debug1: identity file /export/home/ray/.ssh/id_dsa type 2
debug1: identity file /export/home/ray/.ssh/id_rsa2 type -1
debug1: identity file /export/home/ray/.ssh/id_rsa1 type -1
debug1: identity file /export/home/ray/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 132/256
debug1: bits set: 1040/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Forcing accepting of host key for loopback/localhost.
debug1: bits set: 1070/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try pubkey: /export/home/ray/.ssh/id_dsa
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 115e98 hint 0
debug1: read PEM private key done: type DSA
debug1: sig size 20 20
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try pubkey: /export/home/ray/.ssh/id_dsa
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 115eb0 hint 1
debug1: read PEM private key done: type DSA
debug1: sig size 20 20
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try privkey: /export/home/ray/.ssh/id_rsa2
debug1: try privkey: /export/home/ray/.ssh/id_rsa1
debug1: next auth method to try is password
root@localhost's password: ^C $
$
 
/----snip----/
 
Thanks again.
 

__________________________________ 

Raymond T Sundland 
Internet Security Analyst 
Internet Infrastructure & Security Group 
E-commerce Strategy & Delivery 

Phone: 201.703.7256 
Email:  [EMAIL PROTECTED] 
__________________________________ 
Merck-Medco Managed Care L.L.C. 
http://www.merckmedco.com/
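Editor's added example (not code from the poster or from OpenSSH): per the sshd_config documentation, `PermitRootLogin forced-commands-only` lets root authenticate with a public key only when that key's authorized_keys entry carries a `command="..."` option; a bare key line is refused and the client moves on to the next method, which matches the `input_userauth_pk_ok` followed by `authentications that can continue` pattern in the log above. The script below parses an sshd_config and root's authorized_keys file (including the quoted, comma-containing `command=` syntax) and reports which entries sshd would accept under the configured PermitRootLogin mode. The key material, the backup command and the `report`/`ray@workstation` names are constructed placeholders, not data from the post.

```python
"""Audit root's authorized_keys entries against the configured PermitRootLogin mode."""

# Key types recognised as the start of a key field (anything else is an options field).
KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_options(text):
    """Split the leading options field of an authorized_keys line.

    Options are comma-separated; a quoted value may contain commas and \\" escapes.
    Returns (options dict, remainder of the line starting at the key type).
    """
    opts, i, n = {}, 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in ",= \t":   # option name
            j += 1
        name, value = text[i:j], True
        if j < n and text[j] == "=":
            j += 1
            if j < n and text[j] == '"':            # quoted value, commas allowed
                j, buf = j + 1, []
                while j < n and text[j] != '"':
                    if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                        buf.append('"'); j += 2
                    else:
                        buf.append(text[j]); j += 1
                j += 1                              # skip the closing quote
                value = "".join(buf)
            else:                                   # unquoted value
                k = j
                while k < n and text[k] not in ", \t":
                    k += 1
                value, j = text[j:k], k
        opts[name.lower()] = value
        if j < n and text[j] == ",":
            i = j + 1
            continue
        return opts, text[j:].lstrip()              # whitespace ends the options field
    return opts, ""


def parse_authorized_keys(text):
    """Return one dict per key line: line number, options, key type, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if first in KEY_TYPES or first.isdigit():   # protocol-1 lines start with a bit count
            opts, rest = {}, line
        else:
            opts, rest = parse_options(line)
        fields = rest.split(None, 2)
        entries.append({"line": lineno, "options": opts,
                        "type": "rsa1" if fields and fields[0].isdigit() else (fields[0] if fields else ""),
                        "comment": fields[2] if len(fields) > 2 else ""})
    return entries


def permit_root_login(sshd_config_text):
    """First PermitRootLogin value in sshd_config (sshd uses the first occurrence; default yes)."""
    for raw in sshd_config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return "yes"


def audit_root_keys(sshd_config_text, authorized_keys_text):
    """Return (mode, [(line number, verdict), ...]) for root's authorized_keys entries."""
    mode, findings = permit_root_login(sshd_config_text), []
    for e in parse_authorized_keys(authorized_keys_text):
        cmd = e["options"].get("command")
        if mode == "no":
            findings.append((e["line"], "rejected: PermitRootLogin no"))
        elif mode == "forced-commands-only" and not isinstance(cmd, str):
            findings.append((e["line"], "rejected: forced-commands-only but no command= option"))
        elif isinstance(cmd, str):
            findings.append((e["line"], "accepted, restricted to forced command: " + cmd))
        else:
            findings.append((e["line"], "accepted: unrestricted root shell"))
    return mode, findings


# Constructed sample input: the relevant lines of the poster's sshd_config, and two
# placeholder authorized_keys2 entries (key blobs are not real keys).
SSHD_CONFIG = """Port 22
PermitRootLogin forced-commands-only
PubkeyAuthentication yes
PasswordAuthentication yes
"""
AUTHORIZED_KEYS2 = r'''
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER1 ray@workstation
command="/usr/local/bin/report --range=\"daily,weekly\"",no-pty,no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER2 ray@workstation
'''

if __name__ == "__main__":
    mode, findings = audit_root_keys(SSHD_CONFIG, AUTHORIZED_KEYS2)
    print("PermitRootLogin", mode)
    for lineno, verdict in findings:
        print("authorized_keys2 line %d: %s" % (lineno, verdict))
```

Run against root's real files (`/etc/opt/openssh/sshd_config` and `/.ssh/authorized_keys2` in the post) the audit lists every key that would be refused under the current mode; the bare `id_dsa.pub` line copied in the post is exactly the case the first verdict flags, while a line with a `command=` option is accepted and confined to that command.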