Re: enabling root over ssh on F11


 



On Sat, 2009-09-12 at 18:13 +0100, Aaron Gray wrote: 
> On 12/09/2009, Todd Zullinger <tmz@xxxxxxxxx> wrote:
> > Aaron Gray wrote:
> >> I need to enable root access via sshd. I will be using certificates and
> >> firewalled access.
> >> I tried removing the suffix " user != root quiet" from /etc/pam.d/gdm.
> >
> > This only affects login via the Gnome Display Manager.
> >
> >> Also added "PermitRootLogin yes" in /etc/ssh/sshd_config.
> >
> > This is, AFAIK, the default.  It doesn't hurt having it, but it should
> > not be required.
> >
> >> Also put SELinux into Permissive mode.
> >>
> >> But still neither root sshd nor login work.
> >
> > I know that root logins via sshd work on F11, and there isn't anything
> > special required to allow it that I am aware of.  I think you should
> > post the details of the failure you are seeing.  Running ssh with -vvv
> > for more verbose output might help.  Also, check /var/log/secure on
> > the server to see if it includes any relevant information.  If you are
> > using key based authentication, you should look for lines indicating
> > that the ownership and permissions on your keys are incorrect.
> 
> It's like the password is being rejected but the password works in
> 'su'. I am getting the following:-
> 
> ang@Zinc ~]$ ssh -vvv root@xxxxxxxxxxxx
> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.0.16 [192.168.0.16] port 22.
> debug1: Connection established.
> debug1: identity file /home/ang/.ssh/identity type -1
> debug1: identity file /home/ang/.ssh/id_rsa type -1
> debug1: identity file /home/ang/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
> debug1: match: OpenSSH_5.1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@xxxxxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 126/256
> debug2: bits set: 544/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/ang/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host '192.168.0.16' is known and matches the RSA host key.
> debug1: Found key in /home/ang/.ssh/known_hosts:1
> debug2: bits set: 524/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/ang/.ssh/identity ((nil))
> debug2: key: /home/ang/.ssh/id_rsa ((nil))
> debug2: key: /home/ang/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-with-mic,password
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug3: Trying to reverse map address 192.168.0.16.
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No credentials cache found
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> No credentials cache found
> 
> debug1: Unspecified GSS failure.  Minor code may provide more information
> 
> 
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/ang/.ssh/identity
> debug3: no such identity: /home/ang/.ssh/identity
> debug1: Trying private key: /home/ang/.ssh/id_rsa
> debug3: no such identity: /home/ang/.ssh/id_rsa
> debug1: Trying private key: /home/ang/.ssh/id_dsa
> debug3: no such identity: /home/ang/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> root@xxxxxxxxxxxx's password:
> debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> Permission denied, please try again.
> root@xxxxxxxxxxxx's password:
> debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> Permission denied, please try again.
> root@xxxxxxxxxxxx's password:
> debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-with-mic,password).
> 
> Any clues?
> 
> Aaron
> 

No clues...but, please check your /etc/ssh/sshd_config file again.

Do you, by any chance, have "allowusers" or "allowgroups" or
"denyusers" or "denygroups" in it?

I don't know how sshd will behave if you try to log into an account
that is denied because of the above keywords.  Will sshd let you try
to log in only to always say the password is wrong, or will sshd not
even give you the chance to enter a password before denying you?





-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
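
The sshd_config check suggested in the reply above, as an added example (not part of the original message and not OpenSSH code): a Python audit of the global section of an sshd_config for directives that make sshd refuse a password login for a given user. sshd still shows the password prompt to a user excluded by these keywords and rejects every attempt, so the client trace looks like a wrong password. The sample config, the function names and the `groups` argument are constructed for illustration.

```python
import re
# Constructed sample, not the poster's file (the thread never shows it).
SAMPLE_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers ang deploy*
DenyGroups contractors
"""
LIST_KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_sshd_config(text):
    """Global section only: parsing stops at the first Match block (assumption)."""
    single, lists = {}, {k: [] for k in LIST_KEYS}
    for raw in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":
            break
        if len(parts) < 2 or key.startswith("#"):
            continue                        # blank line, comment or bare keyword
        if key in lists:
            lists[key] += parts[1].split()  # repeated list keywords accumulate
        else:
            single.setdefault(key, parts[1].strip().lower())  # first value wins
    return single, lists

def _hit(patterns, names):
    """ssh-style '*' and '?' wildcards. The @HOST half of USER@HOST is ignored
    and '!' negation is not handled, so this over-approximates (assumption)."""
    for pat in patterns:
        rx = re.escape(pat.split("@", 1)[0]).replace(r"\*", ".*").replace(r"\?", ".")
        if any(re.fullmatch(rx, n) for n in names):
            return True
    return False

def login_blockers(text, user="root", groups=("root",)):
    """Directives that make sshd refuse a password login for `user`."""
    single, lists = parse_sshd_config(text)
    prl = single.get("permitrootlogin", "yes")  # "yes" default as stated in the thread
    pw = single.get("passwordauthentication", "yes")
    checks = [
        (user == "root" and prl != "yes", f"PermitRootLogin {prl}"),
        (pw != "yes", "PasswordAuthentication no"),
        (_hit(lists["denyusers"], [user]), "DenyUsers matches"),
        (bool(lists["allowusers"]) and not _hit(lists["allowusers"], [user]), "AllowUsers set, user not listed"),
        (_hit(lists["denygroups"], groups), "DenyGroups matches"),
        (bool(lists["allowgroups"]) and not _hit(lists["allowgroups"], groups), "AllowGroups set, no group listed"),
    ]
    return [msg for cond, msg in checks if cond]
```

On a real server, pass the contents of /etc/ssh/sshd_config and the account's actual groups; a matching exclusion is also recorded by sshd in /var/log/secure, the log Todd points to.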
