LinuxQuestions.org

tronayne 03-10-2016 03:52 PM

SSH: Cannot Connect as Root to Remote System
 
Before I screw everything up by allowing legacy root connections with keys and no passphrase, I'm a little at a loss about what to do.

For years I have been generating keys with ssh-keygen with no passphrase. I copy the public key to another server, copy the public key from that server to this server and happily connect as root. The recent upgrade of SSH put a stop to that.

So, OK, can I generate keys with ssh-keygen and no passphrase and do what I've been doing with the new version? Is there a particular method for ssh-keygen? Is there a preferred encryption choice?

I'm particularly interested in doing so because I have jobs that update servers from a master server with no passphrase, just the encrypted keys and I don't want to override the newer configuration unless absolutely necessary.

Thanks for any advice.

casualfred 03-10-2016 06:03 PM

tronayne, I do not know why, but I found that I had to create all new keys using ssh-keygen after upgrading SSH. It may have something to do with RSA keys versus DSA keys. I was using DSA keys originally, and I had to run ssh-keygen again to create new RSA keys (which it now generates by default).

fogpipe 03-10-2016 06:49 PM

Did you check your PermitRootLogin parameter in sshd_config?

tronayne 03-11-2016 07:29 AM

Quote:

Originally Posted by casualfred (Post 5513526)
tronayne, I do not know why, but I found that I had to create all new keys using ssh-keygen after upgrading SSH. It may have something to do with RSA keys versus DSA keys. I was using DSA keys originally, and I had to run ssh-keygen again to create new RSA keys (which it now generates by default).

I believe the default was (and is) RSA keys (could be wrong about that but my existing keys are RSA generated by simply ssh-keygen).

My existing key pairs still work for ordinary users, but not for root. I realize that I must edit the PermitRootLogin parameter in sshd_config (thanks for the reminder @fogpipe); I suppose the "real" question is do I have to regenerate all SSH keys to avoid any problems with the change from version 1 to version 2 (if I understand the notes correctly) or just leave it alone for now.

What I do is generate keys for every authorized SSH user on every system, copy the public key to every other system (I just name the public key file to the name of the server) then
Code:

cd .ssh
cat pubkeyfile >> authorized_keys

That lets me connect to the other servers without a password -- I figure the use of encrypted keys in properly configured ~/.ssh directories is good enough, the private keys stay in the ~/.ssh directory where they were generated, only the public keys get copied from server to server. Nobody has root access except root, but root can get to every other root. Works for me.

Maybe I'm just picking nits and should just get on with it and regenerate everything.

Tiz a puzzlement.

casualfred 03-11-2016 09:23 AM

Ah yes you are right, when I created my keys a long time ago, I did choose to make DSA keys explicitly. I'm sure it would have made RSA keys by default.

But, after upgrading my SSH a few months ago from Slackware-current, I could no longer log in remotely to other computers using the keys I had been using. After creating new RSA keys and copying those to the other computers, I was able to log in again.

This probably doesn't help you, but just thought I would clarify :)

tronayne 03-11-2016 02:04 PM

Oh, every little bit helps, can't know too much about this stuff and I appreciate your input.

So, next half hour or so, let's go generate some new keys!

tronayne 03-12-2016 11:31 AM

Did everything on every box, it all works.

All is well that ends.
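
Added example, not part of any post in this thread: a shell audit for the two causes raised above, DSA (ssh-dss) entries in authorized_keys and the PermitRootLogin value in sshd_config. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# Print "<line> <key-type>" for every entry in an authorized_keys file.
# Entries may begin with options, so scan fields for a known key type.
list_key_types() {
    awk 'NF && $1 !~ /^#/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/) {
                print NR, $i; break
            }
    }' "$1"
}

# Line numbers of DSA entries (ssh-dss is disabled by default since OpenSSH 7.0).
find_dsa_keys() { list_key_types "$1" | awk '$2 == "ssh-dss" { print $1 }'; }

# First global PermitRootLogin value (sshd uses the first value it reads);
# prints "unset" if none appears before a Match block.
root_login_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# What a given value means for key-based root jobs.
classify_root_login() {
    case "$1" in
        prohibit-password|without-password) echo "keys-only" ;;
        forced-commands-only) echo "keys-with-forced-command" ;;
        yes) echo "password-and-keys" ;;
        no) echo "root-denied" ;;
        *) echo "version-default" ;;
    esac
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/authorized_keys" <<'EOF'
# constructed entries; key bodies are placeholders, not real keys
ssh-rsa AAAAPLACEHOLDERRSA root@master
ssh-dss AAAAPLACEHOLDERDSA root@oldbox
from="192.0.2.10" ssh-ed25519 AAAAPLACEHOLDERED root@backup
EOF
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin prohibit-password' \
    'Match Address 192.0.2.0/24' '    PermitRootLogin yes' > "$tmp/sshd_config"

echo "DSA entries on line(s): $(find_dsa_keys "$tmp/authorized_keys")"
setting=$(root_login_setting "$tmp/sshd_config")
echo "PermitRootLogin: $setting ($(classify_root_login "$setting"))"
```

On a real host, pass /root/.ssh/authorized_keys and the sshd_config path to the same functions; "version-default" means the file sets nothing globally and the installed sshd's built-in default applies.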


All times are GMT -5.