LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Password
Fedora This forum is for the discussion of the Fedora Project.

Notices

Reply
 
Search this Thread
Old 05-29-2011, 06:04 AM   #1
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 347

Rep: Reputation: 31
ssh root w/o password


Hi all,

After a brief look at Fedora 15, I reinstalled Fedora 14. Before doing so, I backed up my /etc and /root directories. When F14 was back up and running, I copied the old sshd_config to /etc/ssh, restored /root, and restarted sshd.

sshd_config contains the line PermitRootLogin yes. Even so, now every time I try to ssh as root to the system I get prompted for a password. This interferes with some cron jobs which need root access. This was working on the previous setup.

What could be interfering here?

FWIW, below are my current sshd_config settings. Thanks for any ideas.

Code:
# cat /etc/ssh/sshd_config  | grep -v  "#" | grep -v ^$
SyslogFacility AUTHPRIV
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server
 
Old 05-29-2011, 06:28 AM   #2
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hello,

If you had password-less SSH working before then I assume you've set it up previously with SSL key pair. Did you repeat that part in order to have the same functionality on your newly installed system? The PermitRootLogin line only allows root to login through SSH, which is a pretty bad idea for security reasons. In case you don't have your key pair backed up, you'll need to create them again.

Kind regards,

Eric
 
Old 05-29-2011, 06:42 AM   #3
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 347

Original Poster
Rep: Reputation: 31
I didn't regenerate the client RSA keys; those are for outgoing connections, right?

As I indicated above, I restored /root/.ssh, which contains the authorized_keys file with the public keys from the remote hosts, which, AFAIK, is what I need to enable password-less root logins. But apparently not.
 
Old 05-29-2011, 07:47 AM   #4
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hi,

If you restored the .ssh directory for root then it should work I assume. Have you checked if the correct permissions after restoring have been maintained/reset? Can you connect with more verbosity and post the output:
Code:
ssh -vv username@host
Kind regards,

Eric
 
Old 05-29-2011, 08:16 AM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
The option "PermitRootLogin without-password" allows root logins but doesn't allow password authentication. This allows you to use public key authentication for root, while regular users use password authentication.

However read the paragraph above UsePAM in sshd_config:
Quote:
Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to 'no'.
You may also need to examine your /etc/pam.d/ssh file.

---
There are some other things that can cause pubkey authentication to fail. Such as having too permissive permissions in .ssh/; .ssh/id_rsa or $HOME/.

---
I once had problem because the form of host in "AllowUsers user@host" didn't match the entry in /etc/hosts. One was host.domain and the other was host. It seemed to matter which entry was first in the /etc/hosts entry.
 
Old 05-29-2011, 11:47 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Kropotkin
As I indicated above, I restored /root/.ssh, which contains the authorized_keys file with the public keys from the remote hosts, which, AFAIK, is what I need to enable password-less root logins. But apparently not.
Yes, that is what's needed. Somehow your backup/restore process introduced a problem (probably permissions or ownership). One quick way to get to the bottom of this is to tail /var/log/secure while attempting to log in.
 
Old 06-02-2011, 07:31 PM   #7
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 347

Original Poster
Rep: Reputation: 31
I believe I have solved it: after disabling selinux, it worked.

After my fresh install of F14, three things weren't working: dropbox, a Samsung printer driver, and root sshd. All three started working when I shut off selinux.

Note to self: first step after new install: NUKE SELINUX.
 
Old 06-03-2011, 01:55 AM   #8
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Quote:
Originally Posted by Kropotkin View Post
Note to self: first step after new install: NUKE SELINUX.
Hi,

Glad you got it solved. Please mark your thread as solved too. And if you want to have some added security to your system, then configure SELinux instead of just nuking it

Kind regards,

Eric
 
Old 06-03-2011, 04:54 AM   #9
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Fedora, Mint, FreeBSD, Android
Posts: 347

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by EricTRA View Post
Please mark your thread as solved too.
Done!

Quote:
And if you want to have some added security to your system, then configure SELinux instead of just nuking it
Eric, I realize this may not be the proper place for long dicussion of the pros and cons of SELinux... but: I am running Fedora as a desktop system, safely behind NAT and a firewall, and I have never been convinced that SELinux would be worth the trouble. If I was running this system as a web server that would be entirely different matter of course.
 
Old 06-03-2011, 05:14 AM   #10
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hi,

You're right in your statement concerning SELinux on a desktop environment! I just pointed out the fact that you 'could' configure it instead of just deactivating it. As with a lot of things concerning Linux, it comes down to choices: the choices you make.

Kind regards,

Eric
 
Old 06-04-2011, 01:16 PM   #11
confconf
LQ Newbie
 
Registered: Dec 2010
Posts: 16

Rep: Reputation: 0
Another thread: http://www.linuxquestions.org/questi...t-user-851896/
 
  


Reply

Tags
ssh sshd root


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh without password -- non-root user Sanford Stein Linux - Newbie 18 03-31-2010 01:10 PM
change root password over ssh noir911 Linux - Server 2 01-06-2009 03:33 PM
ssh root login with null password ust Linux - Software 4 04-14-2008 03:06 AM
root password doesn't work for ssh linuxuser00 Linux - Newbie 5 01-31-2007 12:05 PM
Get password of root from SSH? Gerardoj Linux - General 4 08-09-2003 12:07 PM


All times are GMT -5. The time now is 04:01 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration