login
Search
Hi,
I've just experienced a strange problem with OpenSSH. Scenario:
/etc/ssh/sshd_config: PermitRootLogin without-password
=> root login with ssh keys works, as expected.
I've created another user, uid 1000, on the same box, and copied root's
authorized_keys file over, adjusted ownership, permissions etc...=> SSH login (from the same remote user) does _NOT_ work.
I've added that user to the group 'wheel'
=> SSH login works
I've removed said user from the group 'wheel'
=> SSH login no longer works
In sshd(8), there is no mentioning of key login requiring wheel
membership.This is what a non-working login attempt looks like on the server
side. SSH asks for a password (this is locked):# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37071
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user admin service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=admin devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
Connection closed by 192.168.1.6
debug1: do_cleanup
debug1: do_cleanupThe same thing after adding the user to the group 'wheel':
# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37076
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user admin service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for admin from 192.168.1.6 port 37076 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: matching key found: file /H/admin/.ssh/authorized_keys, line 1
Found matching RSA key: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug1: restore_uid: 0/0
Postponed publickey for admin from 192.168.1.6 port 37076 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: matching key found: file /H/admin/.ssh/authorized_keys, line 1
Found matching RSA key: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
Accepted publickey for admin from 192.168.1.6 port 37076 ssh2
debug1: monitor_child_preauth: admin has been authenticated by privileged process
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/ttyp1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 28222
debug1: session_exit_message: session 0 channel 0 pid 28222
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/ttyp1
debug1: session_pty_cleanup: session 0 release /dev/ttyp1
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 192.168.1.6
debug1: do_cleanup
Closing connection to 192.168.1.6Of course, when I'm in ~admin:
# ls -altR .ssh
total 12
-rw------- 1 admin admin 782 Sep 10 12:19 authorized_keys
drwx------ 2 admin admin 512 Sep 10 12:10 .
drwx------ 3 admin admin 512 Sep 10 12:09 ..I'd rather not be forced to add every user to the 'wheel' group, only
to permit key-based login.What gives?
Kind regards,
--Toni++
| Greg KH | [GIT PATCH] driver core patches against 2.6.24 |
| James Bottomley | Re: Integration of SCST in the mainstream Linux kernel |
| Stephen Rothwell | Re: Announce: Linux-next (Or Andrew's dream :-)) |
| Arjan van de Ven | Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning |
| Patrick McHardy | Re: [GIT]: Networking |
| Gerrit Renker | [PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side) |
| Jarek Poplawski | [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock(). |
| Eric W. Biederman | Re: namespace support requires network modules to say "GPL" |
git: | |
