ssh allowing root login with no password

[Steven Buehler]

> -----Original Message-----
> On 05/09/11 15:18, Steven Buehler wrote:
> > I am trying to setup our servers to only allow logins with a
> > public/private key pair.  2 of our machines have to have root login
> > access with ssh and the rest, we will login as another account and su
> > to root.  I just started with this company and on their boxes which
> > range from version 5.1 to 5.5, if I open up the firewall to allow ssh
> > access from anywhere, I can ssh to root without a password.  The only
> > uncommented lines in the /etc/ssh/sshd_config are the following:
> >
> >   [snip]
> >
> >
> > I'm hoping that someone can lead me in the right direction as I can't
> > figure this one out.  If this was only one machine, I would assume
> > that it might have been hacked, but this is all of their servers and
> > VM's that will allow me to ssh to them without a login/password and
> > get into root.  Luckily, they have always had their (supposedly
> > anyway) iptables set to only allow access from specific IP's.
> >
> >
> 
> Change / uncomment PermitRootLogin with a value of without-password
> 
> --
> 
> I changed the line to read
> PermitRootLogin without-password
> 
> It still allows a root login without a password or key.
> 
> Someone else suggested that there was an authorized_keys file and a
> known hosts file.  I was able to get to these servers from my own personal
> servers that have NEVER ssh'd to these servers before, so the known hosts
> file from the client server was empty since it is actually a fresh install
of mine.
> The authorized_keys file on the sshd server does have 2 keys in it.  Those
2
> private keys are NOT on the client server, so there should be no reason it
lets
> me in from the remote (client) server.
> 
> I have copied over my sshd_config file from one of my personal servers
> where I know they work and I still have the problem.
> 
> Below is my new sshd_config file after some changes on one of the servers
> that I need to have root login with a key and not password, but it still
allows
> login without either.  I don't know what they did when they setup these
> machines, but it is really ticking me off.
> 
> Protocol 2
> SyslogFacility AUTHPRIV
> PermitRootLogin without-password
> StrictModes yes
> PubkeyAuthentication yes
> PermitEmptyPasswords no
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM no
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE
> LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS
> LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL
> X11Forwarding yes
> Subsystem       sftp    /usr/libexec/openssh/sftp-server
> 
> --
> 
> Ok.  I found the problem and, to me, this looks like a bug.  There was one
> public key that when in the authorized_keys2 (or authorized_keys) file
> would allow a login with no private key or password.
> 

Ok, this is just plane stuped.  I created a new private/public key and put
ONLY this public key into the authorized_keys2 file in a test account that I
just created and set the permissions on the .ssh directory and
authorized_keys2 file.
chmod 700 .ssh
chmod 600 .ssh/authorized_keys2

Then I tried to ssh to this account at server from one of my private servers
and it wouldn't let me in.  That is good since I wasn't using a key from
there.  I then used my keys to get in from my laptop running windows7 and
SecureCRT.  I got in as expected.  Now, I went back to my private server and
tried to ssh to account at server again and it let me in, but I was still not
using a key so it should not let me in.  Allows me in with no password.
What is going on here?  Anybody seen this before?