(...)

Is this issue specific to ssh?  What happens if you locally (on SERVER)
try to su -l checkuser with UID=1001? Or use ftp or telnet?

Yes, it's specific to SSH authentication with keys. Password logins work fine.
I can su:

thecus:/var/log# su -l checkuser
[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ su
Password:
thecus:/home/checkuser#

I can log in via telnet (using a password).


Also, try turning up the debug in the sshd process to try and see more
of what is happening:

# For sshd_config
LogLevel DEBUG3

We need to see what happens between the last two lines and the above
might help:
sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
sshd[18730]: debug1: restore_uid: 0/0

There is something strange with the key:

Sep 8 11:27:23 thecus sshd[23596]: Failed none for checkuser from 192.168.111.181 port 35531 ssh2
Sep  8 11:27:23 thecus sshd[23596]: debug3: mm_request_receive entering
Sep 8 11:27:23 thecus sshd[23596]: debug3: monitor_read: checking request 20
Sep  8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed entering
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed: key_from_blob: 0x69b00
Sep 8 11:27:23 thecus sshd[23596]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 8 11:27:23 thecus sshd[23596]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys
Sep  8 11:27:23 thecus sshd[23596]: debug1: restore_uid: 0/0
Sep 8 11:27:23 thecus sshd[23596]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
Sep 8 11:27:23 thecus sshd[23596]: debug1: trying public key file /home/checkuser/.ssh/authorized_keys2
Sep  8 11:27:23 thecus sshd[23596]: debug1: restore_uid: 0/0
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed: key 0x69b00 is disallowed
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_request_send entering: type 21
Sep  8 11:27:23 thecus sshd[23596]: debug3: mm_request_receive entering


So, why is the key allowed if UID=0, and disallowed if UID!=0?


Last option: you initially said that there were no options enabled in
sshd_config to deny users - what about the group options DenyGroups and
AllowGroups?

There's no option which allows/denies groups in my config.

I even used the same sshd_config file from another server, to which I can log in using the same key (where "checkuser" has UID=1001), but still, I could only log in if "checkuser" had UID=0.


--
Tomasz Chmielewski
http://wpkg.org
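
An added example, not part of the original message: a small Python parser that turns sshd DEBUG3 output like the log above into one record per public-key check (uid used, files tried, verdict), and that also splits syslog entries fused onto one line. The function names are hypothetical, and the sample is rebuilt from the log lines quoted in the message.

```python
import re

# Start of one syslog record: "Sep  8 11:27:23 host sshd[pid]: "
RECORD = re.compile(r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[(\d+)\]: ")
USE_UID = re.compile(r"temporarily_use_uid: (\d+)/(\d+)")
TRY_FILE = re.compile(r"trying public key file (\S+)")
VERDICT = re.compile(r"mm_answer_keyallowed: key (0x[0-9a-f]+) is (allowed|disallowed)")

# Sample rebuilt from the log in the message, including the fused lines.
P = "Sep 8 11:27:23 thecus sshd[23596]: "
SAMPLE = (
    P + "debug3: mm_answer_keyallowed: key_from_blob: 0x69b00 "
    + P + "debug1: temporarily_use_uid: 1001/1001 (e=0/0) "
    + P + "debug1: trying public key file /home/checkuser/.ssh/authorized_keys\n"
    + P + "debug1: restore_uid: 0/0\n"
    + P + "debug1: temporarily_use_uid: 1001/1001 (e=0/0) "
    + P + "debug1: trying public key file /home/checkuser/.ssh/authorized_keys2\n"
    + P + "debug1: restore_uid: 0/0\n"
    + P + "debug3: mm_answer_keyallowed: key 0x69b00 is disallowed "
    + P + "debug3: mm_request_send entering: type 21\n"
)


def split_records(text):
    """Yield (pid, message) pairs, even when several records share a line."""
    matches = list(RECORD.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        yield int(m.group(1)), text[m.end():end].strip()


def summarize_key_checks(text):
    """Return one dict per key check: pid, uid, files tried, key, verdict."""
    pending, done = {}, []  # pending: pid -> check still in progress
    for pid, msg in split_records(text):
        check = pending.setdefault(pid, {"pid": pid, "uid": None, "files": []})
        if (m := USE_UID.search(msg)):
            check["uid"] = int(m.group(1))        # uid sshd switched to
        elif (m := TRY_FILE.search(msg)):
            check["files"].append(m.group(1))     # key file read as that uid
        elif (m := VERDICT.search(msg)):
            check["key"], check["verdict"] = m.group(1), m.group(2)
            done.append(pending.pop(pid))         # verdict closes the check
    return done


if __name__ == "__main__":
    for check in summarize_key_checks(SAMPLE):
        print(check)
```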
