LinuxQuestions.org

Kropotkin 05-29-2011 05:04 AM

ssh root w/o password
 
Hi all,

After a brief look at Fedora 15, I reinstalled Fedora 14. Before doing so, I backed up my /etc and /root directories. When F14 was back up and running, I copied the old sshd_config to /etc/ssh, restored /root, and restarted sshd.

sshd_config contains the line PermitRootLogin yes. Even so, now every time I try to ssh as root to the system I get prompted for a password. This interferes with some cron jobs which need root access. This was working on the previous setup.

What could be interfering here?

FWIW, below are my current sshd_config settings. Thanks for any ideas.

Code:

# cat /etc/ssh/sshd_config  | grep -v  "#" | grep -v ^$
SyslogFacility AUTHPRIV
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem        sftp        /usr/libexec/openssh/sftp-server


EricTRA 05-29-2011 05:28 AM

Hello,

If you had password-less SSH working before then I assume you've set it up previously with an SSL key pair. Did you repeat that part in order to have the same functionality on your newly installed system? The PermitRootLogin line only allows root to log in through SSH, which is a pretty bad idea for security reasons. In case you don't have your key pair backed up, you'll need to create them again.

Kind regards,

Eric

Kropotkin 05-29-2011 05:42 AM

I didn't regenerate the client RSA keys; those are for outgoing connections, right?

As I indicated above, I restored /root/.ssh, which contains the authorized_keys file with the public keys from the remote hosts, which, AFAIK, is what I need to enable password-less root logins. But apparently not.

EricTRA 05-29-2011 06:47 AM

Hi,

If you restored the .ssh directory for root then it should work I assume. Have you checked if the correct permissions after restoring have been maintained/reset? Can you connect with more verbosity and post the output:
Code:

ssh -vv username@host

Kind regards,

Eric

jschiwal 05-29-2011 07:16 AM

The option "PermitRootLogin without-password" allows root logins but doesn't allow password authentication. This allows you to use public key authentication for root, while regular users use password authentication.

However read the paragraph above UsePAM in sshd_config:
Quote:

Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to 'no'.
You may also need to examine your /etc/pam.d/ssh file.

---
There are some other things that can cause pubkey authentication to fail, such as having too permissive permissions in .ssh/, .ssh/id_rsa or $HOME/.

---
I once had a problem because the form of host in "AllowUsers user@host" didn't match the entry in /etc/hosts. One was host.domain and the other was host. It seemed to matter which entry was first in the /etc/hosts entry.

anomie 05-29-2011 10:47 AM

Quote:

Originally Posted by Kropotkin
As I indicated above, I restored /root/.ssh, which contains the authorized_keys file with the public keys from the remote hosts, which, AFAIK, is what I need to enable password-less root logins. But apparently not.

Yes, that is what's needed. Somehow your backup/restore process introduced a problem (probably permissions or ownership). One quick way to get to the bottom of this is to tail /var/log/secure while attempting to log in.

Kropotkin 06-02-2011 06:31 PM

I believe I have solved it: after disabling selinux, it worked.

After my fresh install of F14, three things weren't working: dropbox, a Samsung printer driver, and root sshd. All three started working when I shut off selinux.

Note to self: first step after new install: NUKE SELINUX.

EricTRA 06-03-2011 12:55 AM

Quote:

Originally Posted by Kropotkin (Post 4374554)
Note to self: first step after new install: NUKE SELINUX.

Hi,

Glad you got it solved. Please mark your thread as solved too. And if you want to have some added security to your system, then configure SELinux instead of just nuking it :)

Kind regards,

Eric

Kropotkin 06-03-2011 03:54 AM

Quote:

Originally Posted by EricTRA (Post 4374760)
Please mark your thread as solved too.

Done!

Quote:

And if you want to have some added security to your system, then configure SELinux instead of just nuking it :)

Eric, I realize this may not be the proper place for a long discussion of the pros and cons of SELinux... but: I am running Fedora as a desktop system, safely behind NAT and a firewall, and I have never been convinced that SELinux would be worth the trouble. If I was running this system as a web server that would be an entirely different matter of course.

EricTRA 06-03-2011 04:14 AM

Hi,

You're right in your statement concerning SELinux on a desktop environment! I just pointed out the fact that you 'could' configure it instead of just deactivating it. As with a lot of things concerning Linux, it comes down to choices: the choices you make.

Kind regards,

Eric

confconf 06-04-2011 12:16 PM

Another thread: http://www.linuxquestions.org/questi...t-user-851896/
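
Added example (not part of any post in this thread): shell functions that audit a restored home directory for the two causes raised above, the ownership and write-permission rules sshd enforces under StrictModes, and SELinux labels that no longer match policy, which `restorecon` can repair without disabling SELinux. The function names and the sample directory are constructed for illustration, and that stale labels were the cause in this case is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and function names are illustrative.

# Constructed sample: a throwaway "home" restored with loose permissions,
# standing in for /root after the copy-back described in the first post.
make_sample_home() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys" &&
    chmod 755 "$d" && chmod 777 "$d/.ssh" &&
    chmod 664 "$d/.ssh/authorized_keys" && echo "$d"
}

# Print one line per path that fails the checks sshd applies with
# StrictModes yes (the default): the home directory, ~/.ssh and
# authorized_keys must not be group- or world-writable and must be owned
# by the login user or root. Prints nothing when everything passes.
# Uses GNU stat (-c), as shipped on Fedora.
audit_ssh_modes() {
    home=$1; user=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "MISSING $p"; continue; }
        mode=$(stat -c '%a' "$p"); owner=$(stat -c '%U' "$p")
        # 022 (octal) selects the group and other write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p mode=$mode"
        fi
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "OWNER $p owner=$owner"
        fi
    done
    return 0
}

# List files whose SELinux label differs from what policy expects.
# restorecon -n only reports; drop -n to apply the relabel.
audit_ssh_labels() {
    dir=$1
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux not enabled; label check skipped"
        return 0
    fi
    restorecon -R -n -v "$dir"
}

# Typical use as root on the affected host:
#   audit_ssh_modes /root root
#   audit_ssh_labels /root/.ssh
```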


All times are GMT -5.