Hi all,

I have a very strange problem with the public key authentication with 2 machines.
I generated the key, configured the authorized_keys etc. etc. This is all ok, now:
The ssh works without the password for the "root" user, any other user cannot use the key and ssh asks me for the password!!
I cannot understand why only the root is able to connect without the password. So, the ssh works and I think there is a wrong config file but I cannot find it!!!!
Just to understand the issue, let's see the strace of the sshd daemon. As you can see, when the root connects the sshd reads the key file, but when another user tries to connect, sshd opens the file and then closes it without reading the key...
Any ideas??

Federico

***********
for the root:
26728 read(4, "root:x:0:rootnbin:x:1:root,bin,d"..., 4096) = 946
26728 read(4, "", 4096) = 0
26728 close(4) = 0
26728 munmap(0xb7dce000, 4096) = 0
26728 setgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 0
26728 getgroups32(0, NULL) = 7
26728 getgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 7
26728 setgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 0
26728 setresgid32(-1, 0, -1) = 0
26728 setresuid32(-1, 0, -1) = 0
26728 stat64("/root/.ssh/authorized_keys", {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
26728 open("/root/.ssh/authorized_keys", O_RDONLY|O_LARGEFILE) = 4
26728 lstat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
26728 lstat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
26728 lstat64("/root/.ssh/authorized_keys", {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
26728 lstat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
26728 fstat64(4, {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
26728 stat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
26728 stat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
26728 fstat64(4, {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
26728 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7dce000
26728 read(4, "ssh-dss AAAAB3NzaC1kc3MAAACBALxI"..., 4096) = 1664
26728 setresuid32(-1, 0, -1) = 0

***************
and for another user:
23996 read(4, "root:x:0:rootnbin:x:1:root,bin,d"..., 4096) = 946
23996 read(4, "", 4096) = 0
23996 close(4) = 0
23996 munmap(0xb7e7c000, 4096) = 0
23996 setgroups32(2, [501, 502]) = 0
23996 getgroups32(0, NULL) = 2
23996 getgroups32(2, [501, 502]) = 2
23996 setgroups32(2, [501, 502]) = 0
23996 setresgid32(-1, 501, -1) = 0
23996 setresuid32(-1, 501, -1) = 0
23996 stat64("/u1/oracle/.ssh/authorized_keys", {st_mode=S_IFREG|0644, st_size=836, ...}) = 0
23996 open("/u1/oracle/.ssh/authorized_keys", O_RDONLY|O_LARGEFILE) = 4
23996 lstat64("/u1", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
23996 lstat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
23996 lstat64("/u1/oracle/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
23996 lstat64("/u1/oracle/.ssh/authorized_keys", {st_mode=S_IFREG|0644, st_size=836, ...}) = 0
23996 lstat64("/u1", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
23996 lstat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
23996 fstat64(4, {st_mode=S_IFREG|0644, st_size=836, ...}) = 0
23996 stat64("/u1/oracle/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
23996 stat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
23996 close(4) = 0
23996 time(NULL) = 1229609500
23996 open("/etc/localtime", O_RDONLY) = 4
Make sure the directory and file are owned by the user. The directory especially has to be the right mode: 0700 on ~/.ssh, owned by the user. Key files, I think it wants them to not be writeable by others.

The SSH daemon must also be able to access the keyfiles - usually root can, but in some weird setups (e.g. with ACLs) it might be inaccessible to root.

--On December 19, 2008 2:12:38 AM +0000 Fede Rico <fede_home at yahoo.it> wrote:

> Hi all,
> I have a very strange problem with the public key authentication with 2
> machines.
> I generated the key, configured the authorized_keys etc. etc. This is
> all ok, now:
> The ssh works without the password for the "root" user, any other user
> cannot use the key and ssh asks me for the password!!
> I cannot understand why only the root is able to connect without the
> password. So, the ssh works and I think there is a wrong config file but I
> cannot find it!!!!
> Just to understand the issue, let's see the strace of the sshd daemon. As you
> can see, when the root connects the sshd reads the key file, but when
> another user tries to connect, sshd opens the file and then closes it without
> reading the key...
> Any ideas??
>
> Federico
>
> ***********
> for the root:
> 26728 read(4, "root:x:0:rootnbin:x:1:root,bin,d"..., 4096) = 946
> 26728 read(4, "", 4096) = 0
> 26728 close(4) = 0
> 26728 munmap(0xb7dce000, 4096) = 0
> 26728 setgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 0
> 26728 getgroups32(0, NULL) = 7
> 26728 getgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 7
> 26728 setgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 0
> 26728 setresgid32(-1, 0, -1) = 0
> 26728 setresuid32(-1, 0, -1) = 0
> 26728 stat64("/root/.ssh/authorized_keys", {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
> 26728 open("/root/.ssh/authorized_keys", O_RDONLY|O_LARGEFILE) = 4
> 26728 lstat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> 26728 lstat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
> 26728 lstat64("/root/.ssh/authorized_keys", {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
> 26728 lstat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> 26728 fstat64(4, {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
> 26728 stat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
> 26728 stat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> 26728 fstat64(4, {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
> 26728 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7dce000
> 26728 read(4, "ssh-dss AAAAB3NzaC1kc3MAAACBALxI"..., 4096) = 1664
> 26728 setresuid32(-1, 0, -1) = 0
>
> ***************
> and for another user:
> 23996 read(4, "root:x:0:rootnbin:x:1:root,bin,d"..., 4096) = 946
> 23996 read(4, "", 4096) = 0
> 23996 close(4) = 0
> 23996 munmap(0xb7e7c000, 4096) = 0
> 23996 setgroups32(2, [501, 502]) = 0
> 23996 getgroups32(0, NULL) = 2
> 23996 getgroups32(2, [501, 502]) = 2
> 23996 setgroups32(2, [501, 502]) = 0
> 23996 setresgid32(-1, 501, -1) = 0
> 23996 setresuid32(-1, 501, -1) = 0
> 23996 stat64("/u1/oracle/.ssh/authorized_keys", {st_mode=S_IFREG|0644, st_size=836, ...}) = 0
> 23996 open("/u1/oracle/.ssh/authorized_keys", O_RDONLY|O_LARGEFILE) = 4
> 23996 lstat64("/u1", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
> 23996 lstat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
> 23996 lstat64("/u1/oracle/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
> 23996 lstat64("/u1/oracle/.ssh/authorized_keys", {st_mode=S_IFREG|0644, st_size=836, ...}) = 0
> 23996 lstat64("/u1", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
> 23996 lstat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
> 23996 fstat64(4, {st_mode=S_IFREG|0644, st_size=836, ...}) = 0
> 23996 stat64("/u1/oracle/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
> 23996 stat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
> 23996 close(4) = 0
> 23996 time(NULL) = 1229609500
> 23996 open("/etc/localtime", O_RDONLY) = 4
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds."
-- Samuel Butler
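The ownership and mode rules described in the reply above, as an added example that is not part of the thread and is not OpenSSH's own code: a Python sketch of the kind of check sshd applies when StrictModes is enabled, walking from authorized_keys up to the home directory. The function names and the temporary directory tree are assumptions; the modes (0644, 0700, 0774) are the ones visible in the strace.

```python
import os
import stat
import tempfile


def strict_modes_problems(auth_file, home, uid):
    """List (path, reason) pairs a StrictModes-style check would reject.

    Walks from the key file up to and including the home directory; every
    component must be owned by `uid` or root and not group/other-writable.
    """
    problems = []
    path, home = os.path.realpath(auth_file), os.path.realpath(home)
    while True:
        st = os.stat(path)
        if st.st_uid not in (0, uid):
            problems.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, "group/other-writable (mode %04o)" % mode))
        parent = os.path.dirname(path)
        if path == home or parent == path:  # stop at home (or at "/")
            return problems
        path = parent


def demo():
    """Constructed tree with the modes visible in the thread's strace."""
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "oracle")
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        open(keys, "w").close()
        os.chmod(keys, 0o644)     # authorized_keys: 0644
        os.chmod(ssh_dir, 0o700)  # ~/.ssh: 0700
        os.chmod(home, 0o774)     # home directory: 0774 (group-writable)
        before = strict_modes_problems(keys, home, os.getuid())
        os.chmod(home, 0o754)     # what `chmod go-w $HOME` leaves behind
        after = strict_modes_problems(keys, home, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, reason in before:
        print("rejected:", path, "-", reason)
    print("after chmod go-w on the home directory:", after or "no findings")
```

On a real host, call `strict_modes_problems()` with the user's actual authorized_keys path, home directory and uid instead of running `demo()`.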
On Fri, Dec 19, 2008 at 02:12:38 +0000, Fede Rico wrote:

> Hi all,
> I have a very strange problem with the public key authentication with 2
> machines.
> I generated the key, configured the authorized_keys etc. etc. This is
> all ok, now:
> The ssh works without the password for the "root" user, any other user
> cannot use the key and ssh asks me for the password!!
> I cannot understand why only the root is able to connect without the
> password. So, the ssh works and I think there is a wrong config file but I
> cannot find it!!!!
> Just to understand the issue, let's see the strace of the sshd daemon. As you
> can see, when the root connects the sshd reads the key file, but when
> another user tries to connect, sshd opens the file and then closes it without
> reading the key...
> Any ideas??
>
> Federico
>

For debugging purposes, it's usually more useful to use the output of ssh -v (or sshd -d) rather than strace.

Check the output of ssh -v for both cases and confirm that the client is offering a public key in both cases.

--
Iain Morgan
Hi,
for both root and oracle user:

ssh-add -l
Could not open a connection to your authentication agent.
ssh-add -L
Could not open a connection to your authentication agent.

I changed the home permission, same result.
I will try to use a sshd with -ddd options and try to see why I have this issue.

Federico

--- Fri 19/12/08, Bob Proulx <bob at proulx.com> wrote:

> From: Bob Proulx <bob at proulx.com>
> Subject: Re: only root without password
> To: "Fede Rico" <fede_home at yahoo.it>
> Cc: openssh-unix-dev at mindrot.org
> Date: Friday 19 December 2008, 18:18
>
> Fede Rico wrote:
> > this is the .ssh permission:
> >
> > .ssh
> > 4,0K drwx------ 2 oracle oinstall 4,0K 2008-12-04 22:44 .ssh
> >
> > .ssh/
> > 4,0K -rw-r--r-- 1 oracle oinstall 859 2008-12-04 22:44 authorized_keys
> > 4,0K -rw------- 1 oracle oinstall 1,7K 2008-12-04 22:39 id_rsa
> > 4,0K -rw-r--r-- 1 oracle oinstall 403 2008-12-04 22:39 id_rsa.pub
> > 4,0K -rw-r--r-- 1 oracle oinstall 1,5K 2008-12-17 19:07 known_hosts
>
> You did not show the permissions on the home directory. Those are
> also considered and are often the source of problems.
>
>   chmod go-w $HOME
>
> > The ssh works without the password for the "root" user, any other user
> > cannot use the key and ssh asks me for the password!!
>
> It is possible that root has an ssh-agent and the ssh-agent has an
> authorized key loaded but the non-root user does not? That could give
> the appearance of what you describe.
>
>   ssh-add -l
>   ssh-add -L
>
> Bob
On Fri, 19 Dec 2008, Fede Rico wrote:

> Hi,
> for both root and oracle user:
> ssh-add -l
> Could not open a connection to your authentication agent.
> ssh-add -L
> Could not open a connection to your authentication agent.

I may have missed this in an earlier post, but is ssh-agent running for those 2 users? And does their environment include SSH_AUTH_SOCK?

> I changed the home permission, same result.
> I will try to use a sshd with -ddd options and try to see why I have this issue.
>
> Federico

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net