enabling root over ssh on F11

Rick Sewill rsewill at gmail.com
Sat Sep 12 23:37:31 UTC 2009 

On Sat, 2009-09-12 at 18:18 -0500, Rick Sewill wrote: 
> On Sat, 2009-09-12 at 18:13 +0100, Aaron Gray wrote: 
> > On 12/09/2009, Todd Zullinger <tmz at pobox.com> wrote:
> > > Aaron Gray wrote:
> > >> I need to enable root access via sshd. I will be using certificates and
> > >> firewalled access.
> > >> I tried remove the suffix " user != root quiet" from /etc/pam.d/gdm.
> > >
> > > This only affects login via the Gnome Display Manager.
> > >
> > >> Also added "PermitRootLogin yes" in /etc/ssh/sshd_config.
> > >
> > > This is, AFAIK, the default.  It doesn't hurt having it, but it should
> > > not be required.
> > >
> > >> Also put SELinux into Permissive mode.
> > >>
> > >> But still neither root sshd nor login work.
> > >
> > > I know that root logins via sshd work on F11, and there isn't anything
> > > special required to allow it that I am aware of.  I think you should
> > > post the details of the failure you are seeing.  Running ssh with -vvv
> > > for more verbose output might help.  Also, check /var/log/secure on
> > > the server to see if it includes any relevant information.  If you are
> > > using key based authentication, you should look for lines indicating
> > > that the ownership and permissions on your keys are incorrect.
> > 
> > Its like the password is being rejected but the password works in
> > 'su'. I am getting the following:-
> > 
> > ang at Zinc ~]$ ssh -vvv root at 192.168.0.16
> > OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 192.168.0.16 [192.168.0.16] port 22.
> > debug1: Connection established.
> > debug1: identity file /home/ang/.ssh/identity type -1
> > debug1: identity file /home/ang/.ssh/id_rsa type -1
> > debug1: identity file /home/ang/.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
> > debug1: match: OpenSSH_5.1 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_5.2
> > debug2: fd 3 setting O_NONBLOCK
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit:
> > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit:
> > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit:
> > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit:
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib at openssh.com
> > debug2: kex_parse_kexinit: none,zlib at openssh.com
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: server->client aes128-ctr hmac-md5 none
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: client->server aes128-ctr hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug2: dh_gen_key: priv key bits set: 126/256
> > debug2: bits set: 544/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: check_host_in_hostfile: filename /home/ang/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 1
> > debug1: Host '192.168.0.16' is known and matches the RSA host key.
> > debug1: Found key in /home/ang/.ssh/known_hosts:1
> > debug2: bits set: 524/1024
> > debug1: ssh_rsa_verify: signature correct
> > debug2: kex_derive_keys
> > debug2: set_newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug2: set_newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/ang/.ssh/identity ((nil))
> > debug2: key: /home/ang/.ssh/id_rsa ((nil))
> > debug2: key: /home/ang/.ssh/id_dsa ((nil))
> > debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> > debug3: start over, passed a different list publickey,gssapi-with-mic,password
> > debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup gssapi-with-mic
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled gssapi-with-mic
> > debug1: Next authentication method: gssapi-with-mic
> > debug3: Trying to reverse map address 192.168.0.16.
> > debug1: Unspecified GSS failure.  Minor code may provide more information
> > No credentials cache found
> > 
> > debug1: Unspecified GSS failure.  Minor code may provide more information
> > No credentials cache found
> > 
> > debug1: Unspecified GSS failure.  Minor code may provide more information
> > 
> > 
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/ang/.ssh/identity
> > debug3: no such identity: /home/ang/.ssh/identity
> > debug1: Trying private key: /home/ang/.ssh/id_rsa
> > debug3: no such identity: /home/ang/.ssh/id_rsa
> > debug1: Trying private key: /home/ang/.ssh/id_dsa
> > debug3: no such identity: /home/ang/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup password
> > debug3: remaining preferred: ,password
> > debug3: authmethod_is_enabled password
> > debug1: Next authentication method: password
> > root at 192.168.0.16's password:
> > debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
> > debug2: we sent a password packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> > Permission denied, please try again.
> > root at 192.168.0.16's password:
> > debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
> > debug2: we sent a password packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> > Permission denied, please try again.
> > root at 192.168.0.16's password:
> > debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
> > debug2: we sent a password packet, wait for reply
> > debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> > debug2: we did not send a packet, disable method
> > debug1: No more authentication methods to try.
> > Permission denied (publickey,gssapi-with-mic,password).
> > 
> > Any clues ?
> > 
> > Aaron
> > 
> 
> No clues...but, please check your /etc/ssh/sshd_config file again.
> 
> Do you, by any chance, have "allowusers" or "allowgroups" or
> "denyusers" or "denygroups" in it.
> 
> I don't know how sshd will behave if you try to log into an account
> that is denied because of the above keywords.  Will sshd let you try
> to log in only to always say the password is wrong, or will sshd not
> even give you the chance to enter a password before denying you?
> 

Also, could you check the following two files on the server side
when you try to ssh in as root:
1) /var/log/messages -- I don't really know or expect anything here,
                        but is always good to check.
2) /var/log/secure -- I don't know what to expect in this file.
                      There may or may not be a message giving a clue.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090912/dbc1c7b2/attachment-0001.sig>

More information about the fedora-list mailing list