ssh allowing root login with no password (Solved)

Steven Buehler steve at ibushost.com
Tue May 10 15:06:17 UTC 2011



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Steven Buehler
> Sent: Tuesday, May 10, 2011 9:12 AM
> To: 'General Red Hat Linux discussion list'
> Subject: RE: ssh allowing root login with no password
> 
> > -----Original Message-----
> > On 05/09/11 15:18, Steven Buehler wrote:
> > > I am trying to setup our servers to only allow logins with a
> > > public/private key pair.  2 of our machines have to have root login
> > > access with ssh and the rest, we will login as another account and
> > > su to root.  I just started with this company and on their boxes
> > > which range from version 5.1 to 5.5, if I open up the firewall to
> > > allow ssh access from anywhere, I can ssh to root without a
> > > password.  The only uncommented lines in the /etc/ssh/sshd_config are
> > > the following:
> > >
> > >   [snip]
> > >
> > >
> > > I'm hoping that someone can lead me in the right direction as I
> > > can't figure this one out.  If this was only one machine, I would
> > > assume that it might have been hacked, but this is all of their
> > > servers and VM's that will allow me to ssh to them without a
> > > login/password and get into root.  Luckily, they have always had
> > > their (supposedly anyway) iptables set to only allow access from
> > > specific IP's.
> > >
> > >
> >
> > Change / uncomment PermitRootLogin with a value of without-password
> >
> > --
> >
> > I changed the line to read
> > PermitRootLogin without-password
> >
> > It still allows a root login without a password or key.
> >
> > Someone else suggested that there was an authorized_keys file and a
> > known hosts file.  I was able to get to these servers from my own
> > personal servers that have NEVER ssh'd to these servers before, so the
> > known hosts file from the client server was empty since it is actually
> > a fresh install of mine.
> > The authorized_keys file on the sshd server does have 2 keys in it.
> > Those 2 private keys are NOT on the client server, so there should be no
> > reason it lets me in from the remote (client) server.
> >
> > I have copied over my sshd_config file from one of my personal servers
> > where I know they work and I still have the problem.
> >
> > Below is my new sshd_config file after some changes on one of the
> > servers that I need to have root login with a key and not password,
> > but it still allows login without either.  I don't know what they did
> > when they set up these machines, but it is really ticking me off.
> >
> > Protocol 2
> > SyslogFacility AUTHPRIV
> > PermitRootLogin without-password
> > StrictModes yes
> > PubkeyAuthentication yes
> > PermitEmptyPasswords no
> > PasswordAuthentication no
> > ChallengeResponseAuthentication no
> > GSSAPIAuthentication yes
> > GSSAPICleanupCredentials yes
> > UsePAM no
> > AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> > AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> > AcceptEnv LC_IDENTIFICATION LC_ALL
> > X11Forwarding yes
> > Subsystem       sftp    /usr/libexec/openssh/sftp-server
> >
> > --
> >
> > Ok.  I found the problem and, to me, this looks like a bug.  There was
> > one public key that when in the authorized_keys2 (or authorized_keys)
> > file would allow a login with no private key or password.
> >
> 
> Ok, this is just plain stupid.  I created a new private/public key and put
> ONLY this public key into the authorized_keys2 file in a test account that
> I just created and set the permissions on the .ssh directory and
> authorized_keys2 file.
> chmod 700 .ssh
> chmod 600 .ssh/authorized_keys2
> 
> Then I tried to ssh to this account at server from one of my private servers
> and it wouldn't let me in.  That is good since I wasn't using a key from
> there.  I then used my keys to get in from my laptop running Windows 7 and
> SecureCRT.  I got in as expected.  Now, I went back to my private server and
> tried to ssh to account at server again and it let me in, but I was still not
> using a key so it should not let me in.  Allows me in with no password.
> What is going on here?  Anybody seen this before?
> 

Strangest thing I ever saw.  The problem is solved.  The private key is the
key that I installed into my SecureCRT.  If I log into the server with that
key from SecureCRT, then login to my private server and try to ssh to the
server where the public key is installed from my private server that is in a
different tab in SecureCRT, it uses the private key on my local Windows 7
laptop.  I have never seen this before.

Thank You for ALL of your help.
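What the post above describes, an intermediate server that can log in to a third machine without holding any private key, is ssh agent forwarding: the SecureCRT session from the laptop carries the laptop's key agent along, so ssh run on the "private" server quietly offers the laptop's keys. The thread also went back and forth over which sshd_config lines were in effect. The following is an added example, not code from the thread, from Red Hat or from OpenSSH; it is a small POSIX shell script with two checks for exactly these two questions. The function and file names are my own, and the defaults it assumes when a keyword is absent are those of OpenSSH 5.x on RHEL 5.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post).
#
#  sshd_effective KEYWORD FILE
#      Print the value sshd will actually use for KEYWORD from FILE.
#      OpenSSH takes the FIRST occurrence of a keyword in sshd_config and
#      ignores later ones, keyword names are case-insensitive, and the
#      global section ends at the first "Match" line. So a second
#      PermitRootLogin lower in the file does not override the first, which
#      matters when a config has been edited by several people.
#      Returns 1 when the keyword is not set (sshd's built-in default applies).
#
#  key_only_audit FILE
#      Flag settings that would let someone in with a password or with no
#      credentials at all. Assumed defaults: OpenSSH 5.x on RHEL 5
#      (PermitRootLogin yes, PasswordAuthentication yes, ...).
#
#  agent_reachable
#      Exit 0 if this shell can reach an ssh agent. Run it on the
#      intermediate ("private") server: if it succeeds inside a session in
#      which you never started an agent, the agent is being forwarded from
#      your laptop, and every ssh from that shell offers the laptop's keys.

sshd_effective() (
    set -f                                   # no globbing while splitting lines
    keyword=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # split on whitespace
        [ $# -ge 1 ] || continue             # blank line
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        [ "$key" = match ] && break          # global section is over
        if [ "$key" = "$keyword" ]; then
            shift
            printf '%s\n' "$*"               # value, whitespace normalised
            return 0
        fi
    done < "$file"
    return 1
)

# lc STRING - lower-case helper; yes/no values are compared case-insensitively
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

key_only_audit() {
    f=$1 rc=0
    v=$(lc "$(sshd_effective PermitRootLogin "$f" || echo yes)")
    case $v in
        yes) echo "PermitRootLogin=$v: root can log in with a password"; rc=1 ;;
        without-password|no|forced-commands-only) ;;
        *)   echo "PermitRootLogin=$v: unrecognised value"; rc=1 ;;
    esac
    v=$(lc "$(sshd_effective PasswordAuthentication "$f" || echo yes)")
    [ "$v" = no ] || { echo "PasswordAuthentication=$v"; rc=1; }
    v=$(lc "$(sshd_effective ChallengeResponseAuthentication "$f" || echo yes)")
    [ "$v" = no ] || { echo "ChallengeResponseAuthentication=$v"; rc=1; }
    v=$(lc "$(sshd_effective PermitEmptyPasswords "$f" || echo no)")
    [ "$v" = no ] || { echo "PermitEmptyPasswords=$v"; rc=1; }
    v=$(lc "$(sshd_effective PubkeyAuthentication "$f" || echo yes)")
    [ "$v" = yes ] || { echo "PubkeyAuthentication=$v: key logins are off"; rc=1; }
    return $rc
}

agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Usage (hypothetical file name): sh sshd-keyonly-check.sh /etc/ssh/sshd_config
if [ $# -ge 1 ]; then
    key_only_audit "$1" && echo "$1: key-only login settings look right"
    if agent_reachable; then
        echo "note: an ssh agent is reachable from this shell (SSH_AUTH_SOCK=$SSH_AUTH_SOCK)"
    fi
fi
```

On OpenSSH 5.1 and later, `sshd -T` prints the effective configuration and is the authoritative check; RHEL 5 ships OpenSSH 4.3, which lacks it, hence the parser above. To stop the forwarded-agent surprise, turn agent forwarding off in the client (`ForwardAgent no` in ssh_config or `ssh -a`, or the equivalent SecureCRT session option), and on the intermediate server set `AllowAgentForwarding no` in sshd_config so it refuses a forwarded agent regardless of what the client asks for.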
