On Mac OS, in order to allow ssh using dsa keys, I would copy ~/.ssh/id_dsa.pub from my machine into ~/.ssh/authorized_keys of the target machine. I've created .ssh directories in my account home as well as in /root and copied the respective keys to authorized_keys files in each.

Strangely, I can now ssh as root with no password but my own user account still prompts for a password. What might be wrong?

Interestingly, passwordless root ssh log-in worked while 'PermitRootLogin' in /etc/ssh/sshd_config was just 'yes' and before I changed it to 'without-password'.

Warren Michelsen wrote:
> On Mac OS, in order to allow ssh using dsa keys, I would copy
> ~/.ssh/id_dsa.pub from my machine into ~/.ssh/authorized_keys of the
> target machine. I've created .ssh directories in my account home as
> well as in /root and copied the respective keys to authorized_keys
> files in each.
>
> Strangely, I can now ssh as root with no password but my own user
> account still prompts for a password. What might be wrong?

Have you checked /var/log/secure? If permissions or ownership are not correct on the authorized_keys file, .ssh or the home directory then s/key auth will not work.

> Interestingly, passwordless root ssh log-in worked while
> 'PermitRootLogin' in /etc/ssh/sshd_config was just 'yes' and before I
> changed it to 'without-password'.

This is correct behavior. The yes just says it will accept password and s/key for root.

On Mon, 2010-02-01 at 19:49 -0700, Warren Michelsen wrote:
> On Mac OS, in order to allow ssh using dsa keys, I would copy
> ~/.ssh/id_dsa.pub from my machine into ~/.ssh/authorized_keys of the
> target machine. I've created .ssh directories in my account home as
> well as in /root and copied the respective keys to authorized_keys
> files in each.
>
> Strangely, I can now ssh as root with no password but my own user
> account still prompts for a password. What might be wrong?
>
> Interestingly, passwordless root ssh log-in worked while
> 'PermitRootLogin' in /etc/ssh/sshd_config was just 'yes' and before I
> changed it to 'without-password'.

Warren,

You should be able to achieve what you are wanting to do. Some principles that need to be followed are:

#1. If you change anything in sshd_config you must restart sshd before your changes will become active. You can do this in the root account easily by entering:

    service sshd restart

#2. If you are connecting from one account to another account in different machines you must have id_dsa.pub in /home/user/.ssh/authorized_keys file of the account you are connecting with. i.e. if you are logged on as root in one machine and you connect to another machine to the root account then id_dsa.pub of the original account has to be in /root/.ssh/authorized_keys of the machine you are connecting to.

#3. If you are connecting to an account of a remote machine to an account different than the one you are on you must have the id_dsa.pub of your logged on account in the authorized_keys of the remote account. i.e. if you are on the root account of one machine and you want to log onto the warren account of a remote machine you must have /root/.ssh/id_dsa.pub in /home/warren/.ssh/authorized_keys

The command for this connection would be "ssh warren@remote.com" or "ssh -l warren remote.com"

Make sure these things are in place, and if it does not work after checking these things let me know.

Greg Ennis

On Mon, Feb 1, 2010 at 6:49 PM, Warren Michelsen <Warren at mdcclxxvi.com> wrote:
> On Mac OS, in order to allow ssh using dsa keys, I would copy
> ~/.ssh/id_dsa.pub from my machine into ~/.ssh/authorized_keys of the
> target machine. I've created .ssh directories in my account home as
> well as in /root and copied the respective keys to authorized_keys
> files in each.
>
> Strangely, I can now ssh as root with no password but my own user
> account still prompts for a password. What might be wrong?
>
> Interestingly, passwordless root ssh log-in worked while
> 'PermitRootLogin' in /etc/ssh/sshd_config was just 'yes' and before I
> changed it to 'without-password'.

Check the permissions on all your top-level directories and the .ssh directories and their files. Basically, group and other writes are forbidden since it would allow other people to change your keys.

If you're allowing the use of passwords and keys, then it's just falling back to passwords because the permissions are incorrect. And I'm presuming the secret key is not encrypted, i.e., you never set a passphrase - hence the root login works without a password since the permissions are correct for key exchange.

Also, on Redhat/Centos/Solaris machines, it's

PermitRootLogin no
or
PermitRootLogin yes

and not

PermitRootLogin without-password

There should be a separate entry for passwords

PermitEmptyPasswords no

You have to be barking mad to allow root connections - or any connection - with an empty password.

Note, this isn't a Mac mailing list so your mileage will vary. Without a sshd_config file it's hard to help you.

--
Enjoy global warming while it lasts.

On Mon, Feb 1, 2010 at 9:49 PM, Warren Michelsen <Warren at mdcclxxvi.com> wrote:
> On Mac OS, in order to allow ssh using dsa keys, I would copy
> ~/.ssh/id_dsa.pub from my machine into ~/.ssh/authorized_keys of the
> target machine. I've created .ssh directories in my account home as
> well as in /root and copied the respective keys to authorized_keys
> files in each.
>
> Strangely, I can now ssh as root with no password but my own user
> account still prompts for a password. What might be wrong?
>
> Interestingly, passwordless root ssh log-in worked while
> 'PermitRootLogin' in /etc/ssh/sshd_config was just 'yes' and before I
> changed it to 'without-password'.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
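
The ownership and write-bit checks that several replies above point to (home directory, .ssh and authorized_keys) can be run in one pass. The script below is an added example, not part of any poster's message; it assumes OpenSSH's StrictModes behaviour (each path owned by the account or by root, and not group- or world-writable), and the function name audit_ssh_perms is made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the paths that
# sshd's StrictModes check inspects are safe for public-key login.
# audit_ssh_perms is a hypothetical helper name.
# Usage: audit_ssh_perms HOME_DIR [EXPECTED_UID]
# Returns 0 when every path passes, 1 otherwise.

audit_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING    $p"
            rc=1
            continue
        fi
        # ls -ldnL: field 1 is the mode string, field 3 the numeric owner;
        # -L follows symlinks so the target's mode is what gets judged.
        mode=$(ls -ldnL "$p" | awk '{print $1}')
        owner=$(ls -ldnL "$p" | awk '{print $3}')
        status=OK
        # Character 6 is group-write, character 9 is other-write.
        case $mode in
            ?????w*|????????w*) status="BAD-MODE" ;;
        esac
        # The path must belong to the account itself or to root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            status="BAD-OWNER"
        fi
        [ "$status" = OK ] || rc=1
        printf '%-10s %s uid=%s %s\n' "$status" "$mode" "$owner" "$p"
    done
    return "$rc"
}

# Run the audit when the script is given arguments, for example:
#   sh audit.sh /home/warren "$(id -u warren)"
if [ $# -gt 0 ]; then
    audit_ssh_perms "$@"
fi
```

Any path not reported as OK is one that sshd with StrictModes enabled would reject, after which the login falls back to the password prompt.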