| Summary: | can't do RSA login via ssh to root account | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Archie Cobbs <archie> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 4.3-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Normally, when you use ssh-add to add your identity, and the remote account you're logging into has your public key in its ${HOME}/.ssh/authorized_keys file, you are allowed to ssh into that machine without providing a password. However, it seems that this doesn't work if the account you are trying to ssh into is "root", though it works for other normal accounts. That is, with the root account only, ssh asks you for the root password instead of just letting you login automatically (with the correct password, the login does then succeed). This is either a bug or at least a documentation omission, as it makes the "PermitRootLogin without-password" setting useless.

Fix: None.

How-To-Repeat: Set up /root/.ssh/authorized_keys with your public key on machine A and try to ssh root@A from machine B after adding your public identity via ssh-agent and ssh-add. Of course, machine B needs "PermitRootLogin yes" in /etc/ssh/sshd_config. Both machines are FreeBSD 4.3.

---

I'm doing this with both RSA and DSA keys under stock FreeBSD 4.3 without a problem. The RSA public key is in /root/.ssh/authorized_keys, the DSA public key is in /root/.ssh/authorized_keys2, both my RSA and DSA keys are loaded in my ssh-agent, and root logins "just work".

```
mango% uname -a
FreeBSD mango.attlabs.att.com 4.3-RC FreeBSD 4.3-RC #1: Wed Apr 18 10:33:41 PDT 2001     root@mango.attlabs.att.com:/usr/obj/usr/src/sys/MANGO  i386
mango% ssh -v -l root cubix01
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
...
debug: Trying RSA authentication via agent with 'William C. Fenner'
debug: Received RSA challenge from server.
debug: Sending response to RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
...
Last login: Fri Jun 1 14:06:57 2001 from mango.attlabs.at
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 4.3-RELEASE (CUBIX) #1: Tue Apr 24 16:14:26 GMT 2001

This system is part of HA178's network lab.  Please contact
Bill Fenner <fenner@research.att.com> if you have any questions.

            _     _       ___  _
  ___ _   _| |__ (_)_  __/ _ \/ |
 / __| | | | '_ \| \ \/ / | | | |
| (__| |_| | |_) | |>  <| |_| | |
 \___|\__,_|_.__/|_/_/\_\\___/|_|

cubix01#
...
mango% ssh -v -2 -l root cubix01
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
...
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: trying DSA agent key /home/fenner/.ssh/id_dsa-cubix
debug: ssh-userauth2 successfull: method publickey
...
Last login: Fri Jun 1 14:09:12 2001 from mango.attlabs.at
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 4.3-RELEASE (CUBIX) #1: Tue Apr 24 16:14:26 GMT 2001

This system is part of HA178's network lab.  Please contact
Bill Fenner <fenner@research.att.com> if you have any questions.

            _     _       ___  _
  ___ _   _| |__ (_)_  __/ _ \/ |
 / __| | | | '_ \| \ \/ / | | | |
| (__| |_| | |_) | |>  <| |_| | |
 \___|\__,_|_.__/|_/_/\_\\___/|_|

cubix01#
```

---

Bill Fenner wrote:
> I'm doing this with both RSA and DSA keys under stock FreeBSD 4.3 without
> a problem. The RSA public key is in /root/.ssh/authorized_keys, the
> DSA public key is in /root/.ssh/authorized_keys2, both my RSA and DSA
> keys are loaded in my ssh-agent, and root logins "just work".

Hmm.. it looks like the problem doesn't have to do with root anymore; instead ssh is trying to use my ${HOME}/.ssh/identity instead of the identity I've chosen for the agent via ssh-add.. e.g., here's a trace.

Notice below it's trying to use the 'archie@bubba.whistle.com' RSA identity instead of the one I specified (~archie/ambit/rsakey/ambitkey). I even tried using the '-i' flag.. The /etc/ssh/sshd_config file on the remote machine is the standard one with 'RSAAuthentication yes' in it.

-Archie
__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

```
bubba 118 eval `ssh-agent`
Agent pid 61927
bubba 119 env|grep SSH
SSH_AUTH_SOCK=/tmp/ssh-g47PGWOn/agent.61926
SSH_AGENT_PID=61927
bubba 120 ssh-add ~archie/ambit/rsakey/ambitkey
Need passphrase for /home/archie/ambit/rsakey/ambitkey
Enter passphrase for /home/archie/ambit/rsakey/ambitkey:
Identity added: /home/archie/ambit/rsakey/ambitkey (/home/archie/ambit/rsakey/ambitkey)
bubba 121 ssh-add -l
1024 31:ea:a7:af:40:dc:34:f5:84:78:df:46:2b:f1:a5:a2 /home/archie/ambit/rsakey/ambitkey
bubba 122 ssh -v vernier@192.168.10.2
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug: Connecting to (null) [192.168.10.2] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host '192.168.10.2' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: RSA authentication using agent refused.
debug: Trying RSA authentication with key 'archie@bubba.whistle.com'
debug: Server refused our key.
debug: Doing password authentication.
vernier@192.168.10.2's password:
bubba 123 ssh -v -i /home/archie/ambit/rsakey/ambitkey vernier@192.168.10.2
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug: Connecting to (null) [192.168.10.2] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host '192.168.10.2' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: RSA authentication using agent refused.
debug: Bad key file /home/archie/ambit/rsakey/ambitkey.
debug: Doing password authentication.
vernier@192.168.10.2's password:
```

---

I admit I used my one and only RSA key, but I did use a custom DSA key. I removed all the keys from my agent, then re-added them with my normal DSA key first, and it tried both:

```
mango% ssh-add -l
1024 91:30:d8:8d:e6:5d:65:3d:95:1a:81:57:41:8c:2c:3b William C. Fenner
1024 b2:79:a8:38:8a:73:db:3e:60:56:d6:83:95:72:e7:85 /home/fenner/.ssh/id_dsa
1024 ba:95:7d:6e:74:f8:ac:28:5c:29:43:96:d3:90:8a:20 /home/fenner/.ssh/id_dsa-cubix
mango% ssh -v -2 -l root cubix01
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
...
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: trying DSA agent key /home/fenner/.ssh/id_dsa
debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: trying DSA agent key /home/fenner/.ssh/id_dsa-cubix
debug: ssh-userauth2 successfull: method publickey
...
```

So, maybe a workaround is to use DSA keys.

Bill

---

Bill Fenner wrote:
> I admit I used my one and only RSA key, but I did use a custom DSA key.
> I removed all the keys from my agent, then re-added them with my normal
> DSA key first, and it tried both:
>
> mango% ssh-add -l
> 1024 91:30:d8:8d:e6:5d:65:3d:95:1a:81:57:41:8c:2c:3b William C. Fenner
> 1024 b2:79:a8:38:8a:73:db:3e:60:56:d6:83:95:72:e7:85 /home/fenner/.ssh/id_dsa
> 1024 ba:95:7d:6e:74:f8:ac:28:5c:29:43:96:d3:90:8a:20 /home/fenner/.ssh/id_dsa-cubix
> mango% ssh -v -2 -l root cubix01
> SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090600f).
> ...
> debug: authentications that can continue: publickey,password
> debug: next auth method to try is publickey
> debug: trying DSA agent key /home/fenner/.ssh/id_dsa
> debug: authentications that can continue: publickey,password
> debug: next auth method to try is publickey
> debug: trying DSA agent key /home/fenner/.ssh/id_dsa-cubix
> debug: ssh-userauth2 successfull: method publickey
> ...

Yep, the '-2' flag is what makes it work. Oh, maybe that makes sense, I'm using a DSA key.. are they only supported by version 2? I thought that ssh+sshd would automatically negotiate version 2 but maybe I assume too much.

-Archie
__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

---

OK, now it works with version 1 and an RSA (instead of DSA) key as well. Sorry for all the fuss.

-Archie
__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

---

State Changed From-To: open->closed

Looks like this one was solved :)
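As an added illustration (not part of the PR or of OpenSSH), here is a small Python triage helper that reads the client-side `ssh -v` lines quoted in this thread and reports which protocol the client spoke, which keys it offered, and how authentication ended; the embedded sample trace is constructed from the protocol-1 session above. The patterns use the OpenSSH 2.3.0 wording shown here, including its "successfull" spelling; modern OpenSSH prefixes lines with `debug1:` and words them differently, so they would need adjusting.

```python
import re

# Constructed sample from the thread's protocol-1 trace: agent key refused,
# default identity refused, client falls back to a password.
SAMPLE_TRACE = """\
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: RSA authentication using agent refused.
debug: Trying RSA authentication with key 'archie@bubba.whistle.com'
debug: Server refused our key.
debug: Doing password authentication.
"""

# Client-side debug lines (OpenSSH 2.3.0 wording) that mark each auth step.
PROTOCOL = re.compile(r"Local version string SSH-(\d+\.\d+)-")
KEY_TRIED = re.compile(r"Trying RSA authentication with key '([^']+)'|trying DSA agent key (\S+)")
BAD_KEY_FILE = re.compile(r"Bad key file (\S+?)\.?$")
# 2.3.0 spells it "successfull"; accept either spelling.
ACCEPTED = re.compile(r"RSA authentication accepted by server|ssh-userauth2 successful+: method")

def analyse_trace(text):
    """Summarise which keys an `ssh -v` run offered and how auth ended."""
    s = {"protocol": None, "keys_tried": [], "bad_key_files": [],
         "agent_refused": False, "keys_refused": 0, "outcome": "unknown"}
    for line in map(str.strip, text.splitlines()):
        if not line.startswith("debug:"):
            continue                      # skip banners, prompts, etc.
        if m := PROTOCOL.search(line):
            s["protocol"] = m.group(1)    # "1.5" for protocol 1, "2.0" for -2
        elif m := KEY_TRIED.search(line):
            s["keys_tried"].append(m.group(1) or m.group(2))
        elif m := BAD_KEY_FILE.search(line):
            s["bad_key_files"].append(m.group(1))
        elif "RSA authentication using agent refused" in line:
            s["agent_refused"] = True
        elif "Server refused our key" in line:
            s["keys_refused"] += 1
        elif ACCEPTED.search(line):
            s["outcome"] = "publickey"
        elif "Doing password authentication" in line and s["outcome"] == "unknown":
            s["outcome"] = "password"
    return s

def diagnose(s):
    """One-line reading of a summary, for triaging key-auth failures."""
    if s["outcome"] == "publickey":
        return "public-key authentication succeeded"
    if s["bad_key_files"]:
        return "identity file unusable (wrong key type for SSH %s?)" % s["protocol"]
    if s["agent_refused"] or s["keys_refused"]:
        return "offered keys refused; check remote authorized_keys for this protocol"
    return "no public-key attempt seen"
```

Running `diagnose(analyse_trace(SAMPLE_TRACE))` on the sample reports refused keys, which is the symptom that in this thread turned out to be a DSA key offered over protocol 1.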