[SOLVED] SSH issue when logging as Root with key

JayMatthew · 05-12-2017, 12:35 PM

Quote:

Originally Posted by astrogeek

That is not correct. You must copy the public key into authorized_keys n the remote machine.

The private key must be 600 perms (local machine) and the public key may be 644.

Ooops. I was copying the id_rsa.pub to the authorized_keys. The perms are correct on the local machine.

astrogeek · 05-12-2017, 12:43 PM

Also, the ~/.ssh directory must be 700 perms...

Code:

drwx------ 2 user user 4096 May  9 21:52 /home/user/.ssh

JayMatthew · 05-12-2017, 12:43 PM

Quote:

Originally Posted by Turbocapitalist

There's the problem. The public key must go into the server's authorized_keys file. The private key stays on the client.

I did copy the id_rsa.pub key into the authorized_keys file and still the same issue.

JayMatthew · 05-12-2017, 12:44 PM

Quote:

Originally Posted by astrogeek

Also, the ~/.ssh directory must be 700 perms...

Code:

drwx------ 2 user user 4096 May  9 21:52 /home/user/.ssh

Yes, I did verify the permissions:
drwx------ 2 root root 4096 May 12 17:29 .ssh/

astrogeek · 05-12-2017, 12:46 PM

OK, sounds like perms and files are OK.

Lets reduce the clutter of your config. Do this and paste the output:

Code:

grep -v '^\s*#' /etc/ssh/sshd_config |sed '/^\s*$/d'

JayMatthew · 05-12-2017, 12:49 PM

I have no problem when logging in as a normal user with no password, it's the root key that seems to be giving me the issue. I've installed quite a few machines and this is the first time I am seeing this issue.

JayMatthew · 05-12-2017, 12:50 PM

Quote:

Originally Posted by astrogeek

OK, sounds like perms and files are OK.

Lets reduce the clutter of your config. Do this and paste the output:

Code:

grep -v '^\s*#' /etc/ssh/sshd_config |sed '/^\s*$/d'

Here's the output from the server:
Ciphers aes128-ctr
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding yes
Subsystem sftp /usr/libexec/sftp-server

Gerard Lally · 05-12-2017, 01:01 PM

Quote:

Originally Posted by JayMatthew

Here's the output from the server:
Ciphers aes128-ctr
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
X11Forwarding yes
Subsystem sftp /usr/libexec/sftp-server

I don't know what version of OpenSSH Slackware 14.0 comes with, but I do know substantial changes were introduced with OpenSSH 6.6 or thereabouts. Have you perchance created a key on a newer Slackware that is incompatible with the OpenSSH that comes with 14.0?

astrogeek · 05-12-2017, 01:01 PM

Quote:

Originally Posted by JayMatthew

Here are some errors I'm getting in /var/log/messages:

sshd[23059]: Authentication refused: bad ownership or modes for directory /root

Hmmm...

I just saw this. It is not complaining about key file permission, but the /root directory itself.

What does ls -ld /root show?

If not 710 then make it 710.

JayMatthew · 05-12-2017, 01:27 PM

Quote:

Originally Posted by astrogeek

Hmmm...

I just saw this. It is not complaining about key file permission, but the /root directory itself.

What does ls -ld /root show?

If not 710 then make it 710.

Wow. It wasn't the permissions, it was the ownership of the directory /root. It wasn't owned by root! Ugh. I don't even know how that happened. I was so focused on permissions I didn't pay attention to the ownership.

Thank you and everyone for your help. It's all working good now!

astrogeek · 05-12-2017, 01:34 PM

Quote:

Originally Posted by JayMatthew

Wow. It wasn't the permissions, it was the ownership of the directory /root. It wasn't owned by root! Ugh. I don't even know how that happened. I was so focused on permissions I didn't pay attention to the ownership.

Thank you and everyone for your help. It's all working good now!

Glad that worked, but I am not so sure that you are finished yet!

I would seriously investigate how/who/when ownership of the root directory was changed!

If this is an internet accessible server especially, that is a big red flag on fire!

JayMatthew · 05-12-2017, 02:34 PM

Quote:

Originally Posted by astrogeek

Glad that worked, but I am not so sure that you are finished yet!

I would seriously investigate how/who/when ownership of the root directory was changed!

If this is an internet accessible server especially, that is a big red flag on fire!

Agreed. There are only a handful of people with root access to the server and will hopefully find out on Monday.