only root without password

Michael Loftis mloftis at wgops.com
Fri Dec 19 20:16:55 EST 2008


Make sure the directory and file are owned by the user.  The directory 
especially has to be the right mode: 0700 on ~/.ssh, owned by the user. 
For the key files, I think it wants them to not be writeable by others.  The SSH 
daemon must also be able to access the key files - usually root can, but in 
some weird setups (e.g. with ACLs) it might be inaccessible to root.

--On December 19, 2008 2:12:38 AM +0000 Fede Rico <fede_home at yahoo.it> 
wrote:

> Hi all,
> I have a very strange problem with public key authentication between 2
> machines.
> I generated the key, configured the authorized_keys, etc. This is
> all OK, now:
> ssh works without the password for the "root" user; any other user
> cannot use the key and ssh asks me for the password!
> I cannot understand why only root is able to connect without the
> password. So, ssh works and I think there is a wrong config file, but I
> can't find it!
> Just to understand the issue, let's see the strace of the sshd daemon. As you
> can see, when root connects, sshd reads the key file, but when
> another user tries to connect, sshd opens the file and then closes it without
> reading the key...
> Any ideas?
>
> Federico
>
> ***********
> for the root:
> 26728 read(4, "root:x:0:rootnbin:x:1:root,bin,d"..., 4096) = 946
> 26728 read(4, "", 4096) = 0
> 26728 close(4) = 0
> 26728 munmap(0xb7dce000, 4096) = 0
> 26728 setgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 0
> 26728 getgroups32(0, NULL) = 7
> 26728 getgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 7
> 26728 setgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 0
> 26728 setresgid32(-1, 0, -1) = 0
> 26728 setresuid32(-1, 0, -1) = 0
> 26728 stat64("/root/.ssh/authorized_keys", {st_mode=S_IFREG|0600,
> st_size=1664, ...}) = 0
> 26728 open("/root/.ssh/authorized_keys", O_RDONLY|O_LARGEFILE) = 4
> 26728 lstat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> 26728 lstat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
> 26728 lstat64("/root/.ssh/authorized_keys", {st_mode=S_IFREG|0600,
> st_size=1664, ...}) = 0
> 26728 lstat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> 26728 fstat64(4, {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
> 26728 stat64("/root/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
> 26728 stat64("/root", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
> 26728 fstat64(4, {st_mode=S_IFREG|0600, st_size=1664, ...}) = 0
> 26728 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0xb7dce000
> 26728 read(4, "ssh-dss AAAAB3NzaC1kc3MAAACBALxI"..., 4096) = 1664
> 26728 setresuid32(-1, 0, -1) = 0
>
> ***************
> and for another user:
> 23996 read(4, "root:x:0:rootnbin:x:1:root,bin,d"..., 4096) = 946
> 23996 read(4, "", 4096) = 0
> 23996 close(4) = 0
> 23996 munmap(0xb7e7c000, 4096) = 0
> 23996 setgroups32(2, [501, 502]) = 0
> 23996 getgroups32(0, NULL) = 2
> 23996 getgroups32(2, [501, 502]) = 2
> 23996 setgroups32(2, [501, 502]) = 0
> 23996 setresgid32(-1, 501, -1) = 0
> 23996 setresuid32(-1, 501, -1) = 0
> 23996 stat64("/u1/oracle/.ssh/authorized_keys", {st_mode=S_IFREG|0644,
> st_size=836, ...}) = 0
> 23996 open("/u1/oracle/.ssh/authorized_keys", O_RDONLY|O_LARGEFILE) = 4
> 23996 lstat64("/u1", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
> 23996 lstat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
> 23996 lstat64("/u1/oracle/.ssh", {st_mode=S_IFDIR|0700, st_size=4096,
> ...}) = 0
> 23996 lstat64("/u1/oracle/.ssh/authorized_keys", {st_mode=S_IFREG|0644,
> st_size=836, ...}) = 0
> 23996 lstat64("/u1", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
> 23996 lstat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
> 23996 fstat64(4, {st_mode=S_IFREG|0644, st_size=836, ...}) = 0
> 23996 stat64("/u1/oracle/.ssh", {st_mode=S_IFDIR|0700, st_size=4096, ...})
> = 0
> 23996 stat64("/u1/oracle", {st_mode=S_IFDIR|0774, st_size=4096, ...}) = 0
> 23996 close(4) = 0
> 23996 time(NULL) = 1229609500
> 23996 open("/etc/localtime", O_RDONLY) = 4
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



-- 
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
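
The ownership and mode check described in the reply, as an added example that is not part of the original thread and is not OpenSSH code. It approximates sshd's StrictModes rule (each component from the key file up to the home directory must be owned by the user or root and must not be group- or world-writable); the function names and the temporary layout, which reuses the modes shown in the quoted trace, are constructed for illustration.

```python
import os
import stat
import tempfile

def strict_modes_audit(auth_file, home, uid):
    """List ownership/mode problems from the key file up to the home directory.

    Approximates sshd's StrictModes rule: each path component must be owned
    by the user or root and must not be group- or world-writable.
    """
    problems = []
    path, home = os.path.realpath(auth_file), os.path.realpath(home)
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or 0")
        if mode & 0o022:
            problems.append(f"{path}: mode {mode:04o} is group/world writable")
        parent = os.path.dirname(path)
        if path == home or parent == path:  # stop at home (or at /)
            return problems
        path = parent

def demo():
    """Constructed layout using the modes from the quoted trace; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "oracle")
        ssh_dir = os.path.join(home, ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        with open(keys, "w") as f:
            f.write("ssh-dss AAAA...constructed-placeholder user@host\n")
        os.chmod(keys, 0o644)   # not writable by group/others, so it passes
        os.chmod(ssh_dir, 0o700)
        os.chmod(home, 0o774)   # as in the trace for /u1/oracle
        before = strict_modes_audit(keys, home, os.getuid())
        os.chmod(home, 0o750)   # drop group write on the home directory
        after = strict_modes_audit(keys, home, os.getuid())
        return before, after

if __name__ == "__main__":
    before, after = demo()
    print("\n".join(before) or "no problems")
    print("\n".join(after) or "no problems")
```
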
