Hi,
I've just experienced a strange problem with OpenSSH. Scenario:
/etc/ssh/sshd_config: PermitRootLogin without-password
= root login with ssh keys works, as expected.
I've created another user, uid 1000, on the same box, and copied root's
authorized_keys file over, adjusted ownership, permissions etc...
= SSH login (from the same remote user) does _NOT_ work.
I've added that user to the group 'wheel'
= SSH login works
I've removed said user from the group 'wheel'
= SSH login no longer works
In sshd(8), there is no mentioning of key login requiring wheel
membership.
This is what a non-working login attempt looks like on the server
side. SSH asks for a password (this is locked):
# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37071
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2
Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user admin service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method
keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=admin devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
Connection closed by 192.168.1.6
debug1: do_cleanup
debug1: do_cleanup
The same thing after adding the user to the group 'wheel':
# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37076
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2
Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting