Configuration for root logins

Damien Miller djm at mindrot.org
Wed Jul 17 10:26:53 AEST 2024


On Sun, 14 Jul 2024, Thomas Köller wrote:

> Hi,
> 
> I am trying to configure OpenSSH to allow root logins, without success so far.
> So I could really use some advice.
> 
> This is my server configuration:
> 
> AllowUsers = thomas root
> AuthenticationMethods hostbased,publickey
> ExposeAuthInfo = no
> ForceCommand none
> GSSAPIAuthentication no
> HostbasedAcceptedAlgorithms ssh-ed25519
> HostbasedAuthentication yes
> HostbasedUsesNameFromPacketOnly yes
> HostKey /etc/ssh/host_key_sarkovy.koeller.dyndns.org_ed25519
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
> KerberosAuthentication no
> ListenAddress = 192.168.0.1
> ListenAddress = fd46:1ffa:d8e0::1
> LogLevel VERBOSE
> PasswordAuthentication no
> PermitEmptyPasswords no
> PermitRootLogin yes
> PermitTTY yes
> PermitTunnel no
> PermitUserRC yes
> PubkeyAuthentication yes
> PubkeyAcceptedAlgorithms ssh-ed25519
> UseDNS = no
> X11Forwarding no
> 
> For now, the client machine is on a static IP address, just for testing using
> my in-house network. But later the client machines will be on dynamic IP
> addresses, which is why I have 'HostbasedUsesNameFromPacketOnly yes'. With
> this setup I can log into my regular user account 'thomas', so hostbased
> authentication at least seems to be configured correctly. But root logins are
> rejected like this:
> 
> root@htpc:~# ssh sarkovy
> root@sarkovy: Permission denied (hostbased).
> 
> I created a /root/.shosts file containing
> 
> fd46:1ffa:d8e0::2 root
> htpc.koeller.dyndns.org root
> 
> to no avail. Enabling debug output on both the server and the client did not
> produce anything hinting at the reason why logins are failing, or at least I
> have been unable to spot anything like that.

Hostbased authentication can be tricky to debug, and basically impossible
without logs from both the client and server.

Did you set EnableSSHKeysign in the client's /etc/ssh/ssh_config?

-d
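
Added example, not part of the original message or of OpenSSH: a small lint that reads a client ssh_config and a server sshd_config and reports the hostbased-authentication prerequisites raised in this thread. It goes slightly beyond the reply by also checking the server-side IgnoreRhosts and AuthenticationMethods options as documented in sshd_config(5). The client config is constructed (the thread does not show it), and the function names are hypothetical.

```python
import re

# Constructed client config; the thread does not show the client's file.
CLIENT_CFG = "HostbasedAuthentication yes\n"

# Subset of the server config posted in the thread.
SERVER_CFG = """\
AllowUsers = thomas root
AuthenticationMethods hostbased,publickey
HostbasedAuthentication yes
IgnoreRhosts yes
PermitRootLogin yes
"""

def parse(text):
    """Map lowercased keyword -> first value seen ('Key value' or 'Key = value').
    Simplification: reading stops at the first Host/Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key in ("host", "match"):
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def hostbased_findings(client_text, server_text):
    """Return findings on hostbased-auth prerequisites (defaults per the man pages)."""
    c, s = parse(client_text), parse(server_text)
    out = []
    if c.get("hostbasedauthentication", "no").lower() != "yes":
        out.append("client: HostbasedAuthentication is not enabled")
    if c.get("enablesshkeysign", "no").lower() != "yes":
        out.append("client: EnableSSHKeysign is not enabled")
    if s.get("hostbasedauthentication", "no").lower() != "yes":
        out.append("server: HostbasedAuthentication is not enabled")
    if s.get("ignorerhosts", "yes").lower() == "yes":
        out.append("server: IgnoreRhosts yes, per-user ~/.shosts is ignored")
    for group in s.get("authenticationmethods", "any").split():
        if "," in group:  # a comma-separated list means every method must pass
            out.append("server: all of [%s] must succeed" % group)
    return out

if __name__ == "__main__":
    for finding in hostbased_findings(CLIENT_CFG, SERVER_CFG):
        print(finding)
```

On a live system the effective values are better taken from `sshd -T` on the server and `ssh -G <host>` on the client than from the files themselves.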


More information about the openssh-unix-dev mailing list