sshd PermitRootLogin problem
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: sshd PermitRootLogin problem
- From: Ido Admon <rhingael_(_at_)_start_(_dot_)_no>
- Date: Tue, 2 Nov 2004 20:48:50 +0200 (IST)
Hi list,
In short:
I set PermitRootLogin in /etc/ssh/sshd_config to 'forced-commands-only', as
described in sshd_config(5), but when trying to log in (with public key
auth), I'm asked for a password and not allowed in ("Permission denied, please
try again.").
If I comment out this option (which defaults to 'PermitRootLogin yes') and HUP sshd,
then I'm let in without hassle (and without being asked for a password, i.e.
the public key setup is ok).
So, 'forced-commands-only' doesn't work for me.
Invoking the client from another machine with or without a command argument,
gives me the same result: password prompt and failed login (no, typing the
right password doesn't let me in).
Server is on 3.6 prerelease (September 27th) and client is on 3.6-current
(October 21st).
Here's the contents of sshd_config (only non-defaults), followed by the output
of 'ssh -2 -vvv root@192.168.0.1 date', any help appreciated:
Port 22
Protocol 2,1
ListenAddress 192.168.0.1
PermitRootLogin forced-commands-only
ClientAliveInterval 20
*kaldtnatt* ~> ssh -2 -vvv root@192.168.0.1 date
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.1 [192.168.0.1] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/rhingael/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/rhingael/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/rhingael/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/rhingael/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9
debug2: fd 5 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 531/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/rhingael/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.0.1' is known and matches the RSA host key.
debug1: Found key in /home/rhingael/.ssh/known_hosts:1
debug2: bits set: 520/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/rhingael/.ssh/id_rsa (0x3c022050)
debug2: key: /home/rhingael/.ssh/id_dsa (0x3c020ff0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/rhingael/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp f0:bb:a1:60:e7:85:c9:63:2d:58:1d:94:39:43:d8:f0
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/rhingael/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 435
debug2: input_userauth_pk_ok: fp 88:ad:fa:a7:45:6e:51:80:50:c4:c8:11:cb:b0:25:cb
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
root@192.168.0.1's password:
Permission denied, please try again.
Thanks in advance,
Ido
--
_
( ) ASCII Ribbon Campaign
X against HTML email
/ \
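
Added example, not part of the original post: sshd_config(5) documents that with 'PermitRootLogin forced-commands-only', root public key login is allowed only for keys that carry a command="..." option in authorized_keys. The Python sketch below reports which lines of a root authorized_keys file pass that rule; the function names and the sample file are constructed for illustration, and the key blobs are placeholders.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # a line starting with a key type has no options

def option_names(line):
    """Names of the options that precede the key type on an authorized_keys line."""
    if line.startswith(KEY_PREFIXES):
        return set()
    names, current, in_quotes, i = set(), "", False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\":
            i += 1                          # skip the escaped character
        elif c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c in ", \t":
            names.add(current.split("=", 1)[0].lower())
            current = ""
            if c != ",":
                break                       # unquoted whitespace ends the options
        elif not in_quotes:
            current += c                    # quoted values are not needed for the name
        i += 1
    return names - {""}

def root_key_report(permit_root_login, authorized_keys_text):
    """[(line_no, passes)] per key line; 'passes' covers PermitRootLogin only,
    not file permissions, from= matching or other sshd checks."""
    report = []
    for no, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if permit_root_login == "forced-commands-only":
            passes = "command" in option_names(line)
        else:
            passes = permit_root_login != "no"
        report.append((no, passes))
    return report

# Constructed sample of a root authorized_keys file (placeholder key data).
SAMPLE = '''\
# constructed sample
ssh-rsa AAAAB3PLACEHOLDER1 user@client
command="/bin/date",no-pty,no-port-forwarding ssh-dss AAAAB3PLACEHOLDER2 backup job
from="192.168.0.*",no-pty ssh-rsa AAAAB3PLACEHOLDER3 restricted, no command
command="echo \\"a, b\\"" ssh-rsa AAAAB3PLACEHOLDER4 quoted comma and space
'''
```

Calling root_key_report("forced-commands-only", SAMPLE) marks only lines 3 and 5 as passing; a key with other restrictions but no command option (line 4) is still refused for root.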