What does authorized_keys2 look like?
Do you use command="xxx"?

On Mon, Jul 23, 2001 at 11:34:42AM -0400, Sundland, Raymond wrote:
> Hello,
>  
> If this has been already posted please forgive me as an archive search did
> not come up with anything.
>  
> I have been trying to setup OpenSSH 2.9p2 to allow Pubkey Authentication to
> the root user.  I have added 'PubkeyAuthentication yes' and set
> 'PermitRootLogin forced-commands-only' in my sshd_config file.  I then
> created a DSA keypair and copied the DSA public key into the root's
> .ssh/authorized_keys2 file.  Whenever I attempt to SSH as root using the DSA
> public key, I am prompted for the root password (even when I specify the
> private key on the command line while executing ssh .... ssh -v -2 -i
> ~/.ssh/id_dsa root@localhost "cat /etc/shadow")  I
> have disabled 'forced-commands-only' and changed it to both
> 'without-password' and 'yes' which, in both cases, works fine with the same
> command line (of course, restarting SSHD before attempting).
>  
> The full log of my commands is below.
>  
> Is there another option I am missing within the sshd_config file?  Could
> this be a bug in the code?
>  
> Thanks.
>  
> /----snip----/
>  
> # cat /etc/opt/openssh/sshd_config
> Port 22
> Protocol 2,1
> HostKey /etc/opt/openssh/ssh_host_dsa_key
> HostKey /etc/opt/openssh/ssh_host_rsa_key
> HostKey /etc/opt/openssh/ssh_host_key
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 3600
> PermitRootLogin forced-commands-only
> IgnoreRhosts yes
> StrictModes yes
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd yes
> KeepAlive yes
> SyslogFacility AUTH
> LogLevel INFO
> RhostsAuthentication no
> RhostsRSAAuthentication no
> RSAAuthentication yes
> PubkeyAuthentication yes
> PasswordAuthentication yes
> PermitEmptyPasswords no
> CheckMail yes
> UseLogin no
> Subsystem      sftp    /opt/openssh/libexec/sftp-server
> # id ; diff -c ~ray/.ssh/id_dsa.pub /.ssh/authorized_keys2
> uid=0(root) gid=1(other)
> No differences encountered
> # exit
> $ /opt/openssh/bin/ssh -v -2 -i ~/.ssh/id_dsa root@localhost "cat /etc/shadow"
> OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> debug1: Reading configuration data /etc/opt/openssh/ssh_config
> debug1: Applying options for *
> debug1: Seeded RNG with 22 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid 4028 geteuid 4028 anon 1
> debug1: Connecting to localhost [127.0.0.1] port 22.
> debug1: temporarily_use_uid: 4028/1 (e=4028)
> debug1: restore_uid
> debug1: temporarily_use_uid: 4028/1 (e=4028)
> debug1: restore_uid
> debug1: Connection established.
> debug1: identity file /export/home/ray/.ssh/id_dsa type 2
> debug1: identity file /export/home/ray/.ssh/id_dsa type 2
> debug1: identity file /export/home/ray/.ssh/id_rsa2 type -1
> debug1: identity file /export/home/ray/.ssh/id_rsa1 type -1
> debug1: identity file /export/home/ray/.ssh/identity type 0
> debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
> debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_2.9p2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 132/256
> debug1: bits set: 1040/2049
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Forcing accepting of host key for loopback/localhost.
> debug1: bits set: 1070/2049
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: next auth method to try is publickey
> debug1: try pubkey: /export/home/ray/.ssh/id_dsa
> debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 115e98 hint 0
> debug1: read PEM private key done: type DSA
> debug1: sig size 20 20
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: try pubkey: /export/home/ray/.ssh/id_dsa
> debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 115eb0 hint 1
> debug1: read PEM private key done: type DSA
> debug1: sig size 20 20
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: try privkey: /export/home/ray/.ssh/id_rsa2
> debug1: try privkey: /export/home/ray/.ssh/id_rsa1
> debug1: next auth method to try is password
> root@localhost's password: ^C $
> $
>  
> /----snip----/
>  
> Thanks again.
>  
> 
> __________________________________ 
> 
> Raymond T Sundland 
> Internet Security Analyst 
> Internet Infrastructure & Security Group 
> E-commerce Strategy & Delivery 
> 
> Phone: 201.703.7256 
> Email:  [EMAIL PROTECTED] 
> __________________________________ 
> Merck-Medco Managed Care L.L.C. 
> http://www.merckmedco.com/
> 
>  
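As an added illustration of the reply's point (example code written for this page, not from the thread or from OpenSSH): under PermitRootLogin forced-commands-only, sshd accepts a root public key only if its authorized_keys2 entry carries a command= option, so a bare key like the one diffed above is skipped and the client falls through to password authentication. The parser below is a simplified model of sshd's option handling, and the sample entries and key blobs are constructed placeholders.

```python
KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")

# Constructed sample authorized_keys2 file (not the poster's); blobs are placeholders.
SAMPLE_KEYS = r'''
ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLE ray@host
command="echo \"a,b\"",no-pty,no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLE backup@host
'''

def split_options(text):
    """Split the leading options field into a list. Commas inside double
    quotes do not separate options, and a backslash before a quote escapes it."""
    opts, cur, i, quoted = [], [], 0, False
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and text[i + 1:i + 2] == '"':
            cur.append('"')
            i += 1  # consume the backslash here; the quote is consumed below
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        elif c.isspace() and not quoted:
            break  # end of the options field; the key type follows
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts, text[i:].lstrip()

def parse_line(line):
    """Return {'options', 'keytype', 'comment'}, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, rest = ([], line) if line.startswith(KEY_TYPES) else split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
        return None
    return {"options": opts, "keytype": fields[0],
            "comment": fields[2] if len(fields) == 3 else ""}

def root_pubkey_allowed(entry, permit_root_login):
    """forced-commands-only accepts a key only if it carries command=;
    yes/without-password accept any key; no rejects every key."""
    if permit_root_login == "forced-commands-only":
        return any(o.startswith("command=") for o in entry["options"])
    return permit_root_login in ("yes", "without-password")
```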
