only root without password
Damien Miller
djm at mindrot.org
Mon Dec 22 19:23:18 EST 2008
Somehow you are still failing to post the output of the server actually
accepting a connection. Perhaps there was a bug in 3.9p1 that made this
not work, but it was so long ago that I forget.
Can you replicate the problem with a recent (5.1p1) sshd?
-d
On Sun, 21 Dec 2008, Fede Rico wrote:
> Hi,
> this is all the output that I have.
> sorry for this long email....
>
> SERVER
> [root at xxx ~]# /usr/sbin/sshd -D -ddd -p 3333
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 321
> debug2: parse_server_config: config /etc/ssh/sshd_config len 321
> debug1: sshd version OpenSSH_3.9p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-D'
> debug1: rexec_argv[2]='-ddd'
> debug1: rexec_argv[3]='-p'
> debug1: rexec_argv[4]='3333'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 3333 on ::.
> Server listening on :: port 3333.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 3333 on 0.0.0.0.
> Bind to port 3333 on 0.0.0.0 failed: Address already in use.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug3: fd 4 is not O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 7 config len 321
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
>
> CLIENT
> [oracle at xxx log]$ ssh -vvv -p 3333 xxx
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to xxx [xxx.xxx.xxx.xxx] port 3333.
> debug1: Connection established.
> debug1: identity file /u1/oracle/.ssh/identity type 0
> debug3: Not a RSA1 key file /u1/oracle/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /u1/oracle/.ssh/id_rsa type 1
> debug3: Not a RSA1 key file /u1/oracle/.ssh/id_dsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /u1/oracle/.ssh/id_dsa type 2
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
> debug1: match: OpenSSH_3.9p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.9p1
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 119/256
> debug2: bits set: 513/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /u1/oracle/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 5
> debug3: check_host_in_hostfile: filename /u1/oracle/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 5
> debug1: Host 'xxx' is known and matches the RSA host key.
> debug1: Found key in /u1/oracle/.ssh/known_hosts:5
> debug2: bits set: 501/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /u1/oracle/.ssh/id_rsa (0x8a0d658)
> debug2: key: /u1/oracle/.ssh/id_dsa (0x8a0d670)
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-with-mic,password
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /u1/oracle/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Offering public key: /u1/oracle/.ssh/id_dsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> oracle at xxx's password:
>
> --- On Sat 20/12/08, Ben Lindstrom <mouring at eviladmin.org> wrote:
>
> > From: Ben Lindstrom <mouring at eviladmin.org>
> > Subject: Re: only root without password
> > To: fede_home at yahoo.it
> > Cc: openssh-unix-dev at mindrot.org
> > Date: Saturday 20 December 2008, 01:28
> > You need to actually show us the connection. Not that you started
> > sshd. Plus you may need to run it on an alternate port (assuming you
> > are not going to down the original daemon). e.g. sshd -ddd -p 35
> > then on the client side to ssh -p 35 machine.
> >
> > - Ben
> >
> > On Dec 19, 2008, at 2:24 PM, Fede Rico wrote:
> >
> > > The sshd -ddd output
> > >
> > > debug2: load_server_config: filename /etc/ssh/sshd_config
> > > debug2: load_server_config: done config len = 321
> > > debug2: parse_server_config: config /etc/ssh/sshd_config len 321
> > > debug1: sshd version OpenSSH_3.9p1
> > > debug1: private host key: #0 type 0 RSA1
> > > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> > > debug1: read PEM private key done: type RSA
> > > debug1: private host key: #1 type 1 RSA
> > > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> > > debug1: read PEM private key done: type DSA
> > > debug1: private host key: #2 type 2 DSA
> > > debug1: rexec_argv[0]='/usr/sbin/sshd'
> > > debug1: rexec_argv[1]='-D'
> > > debug1: rexec_argv[2]='-ddd'
> > > debug1: rexec_argv[3]='-p'
> > > debug1: rexec_argv[4]='3333'
> > > debug2: fd 3 setting O_NONBLOCK
> > > debug1: Bind to port 3333 on ::.
> > > Server listening on :: port 3333.
> > > debug2: fd 4 setting O_NONBLOCK
> > > debug1: Bind to port 3333 on 0.0.0.0.
> > > Bind to port 3333 on 0.0.0.0 failed: Address already in use.
> > > Generating 768 bit RSA key.
> > > RSA key generation complete.
> > > debug3: fd 4 is not O_NONBLOCK
> > > debug1: Server will not fork when running in debugging mode.
> > > debug3: send_rexec_state: entering fd = 7 config len 321
> > > debug3: ssh_msg_send: type 0
> > > debug3: send_rexec_state: done
> > > debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> > >
> > > --- On Fri 19/12/08, Bob Proulx <bob at proulx.com> wrote:
> > >
> > >> From: Bob Proulx <bob at proulx.com>
> > >> Subject: Re: only root without password
> > >> To: "Fede Rico" <fede_home at yahoo.it>
> > >> Cc: openssh-unix-dev at mindrot.org
> > >> Date: Friday 19 December 2008, 18:18
> > >> Fede Rico wrote:
> > >>> this is the .ssh permission:
> > >>>
> > >>> .ssh
> > >>> 4,0K drwx------ 2 oracle oinstall 4,0K 2008-12-04 22:44 .ssh
> > >>>
> > >>> .ssh/
> > >>> 4,0K -rw-r--r-- 1 oracle oinstall 859 2008-12-04 22:44 authorized_keys
> > >>> 4,0K -rw------- 1 oracle oinstall 1,7K 2008-12-04 22:39 id_rsa
> > >>> 4,0K -rw-r--r-- 1 oracle oinstall 403 2008-12-04 22:39 id_rsa.pub
> > >>> 4,0K -rw-r--r-- 1 oracle oinstall 1,5K 2008-12-17 19:07 known_hosts
> > >>
> > >> You did not show the permissions on the home directory. Those are
> > >> also considered and are often the source of problems.
> > >>
> > >> chmod go-w $HOME
> > >>
> > >>> The ssh works without the password for the "root" user, any other user
> > >>> cannot use the key and ssh asks me for the password !!
> > >>
> > >> It is possible that root has an ssh-agent and the ssh-agent has an
> > >> authorized key loaded but the non-root user does not? That could give
> > >> the appearance of what you describe.
> > >>
> > >> ssh-add -l
> > >> ssh-add -L
> > >>
> > >> Bob
> > >
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev at mindrot.org
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
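Bob's home-directory check turned into a script, as an added example that is not code from the thread or from OpenSSH: it approximates the owner and write-bit checks sshd applies under StrictModes to the home directory, ~/.ssh and authorized_keys, which is one way a key that the client offers (as in the -vvv output above) can be silently ignored for oracle while root, whose directories are clean, succeeds. It assumes GNU stat; the directories it builds are constructed stand-ins, not the poster's real homes.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH: approximate the checks sshd
# makes with "StrictModes yes" (the default) on a user's home, ~/.ssh and
# ~/.ssh/authorized_keys: each must be owned by the user or root and must not
# be group- or world-writable, else authorized_keys is ignored.
# Assumes GNU stat (-c); BSD/macOS stat uses -f with other format strings.
# check_ssh_perms HOME USER: print one line per problem; return 1 if any.
check_ssh_perms() {
    home=$1; user=$2; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path"; rc=1; continue; }
        mode=$(stat -c '%a' "$path")    # octal, e.g. 755 or 2775
        owner=$(stat -c '%U' "$path")
        case "$owner" in
            "$user"|root) ;;
            *) echo "bad owner $owner (want $user or root): $path"; rc=1 ;;
        esac
        # Last two octal digits are group and other; 2,3,6,7 carry the write bit.
        case "$mode" in
            *[2367][0-7]) echo "group-writable (mode $mode): $path"; rc=1 ;;
        esac
        case "$mode" in
            *[2367]) echo "world-writable (mode $mode): $path"; rc=1 ;;
        esac
    done
    return $rc
}
# make_demo_home DIR MODE: constructed home with a clean ~/.ssh (700/644, as
# in Fede's listing) but MODE on the home directory itself.
make_demo_home() {
    mkdir -p "$1/.ssh"
    : > "$1/.ssh/authorized_keys"
    chmod 700 "$1/.ssh"
    chmod 644 "$1/.ssh/authorized_keys"
    chmod "$2" "$1"
}
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_home "$tmp/good" 755
    make_demo_home "$tmp/bad" 775    # group-writable home: what "chmod go-w" fixes
    check_ssh_perms "$tmp/good" "$(id -un)" && echo "good: key would be accepted"
    check_ssh_perms "$tmp/bad" "$(id -un)" || echo "bad: key would be ignored"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see both outcomes, or call `check_ssh_perms /u1/oracle oracle` on the real host to get the listing Bob asked for.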