
Cannot SSH as a normal user using public key


Anoop

Jun 28, 2008, 9:20:40 PM
Hi.
I have a linux server, and a bunch of solaris clients. I've set up
the authorized keys file for each user on the clients to contain the
rsa public key of the respective user. This holds true for root as
well.
There are no issues with root logging in to the solaris clients using
public key authorisation. However, no other user can log in to the
solaris machines using public keys. The ssh waits at a password
prompt.
The error message that I see when running the server in debug mode is
------------------------------------------------
debug1: trying public key file /home/nostromo/.ssh/authorized_keys
debug1: matching key found: file /home/nostromo/.ssh/authorized_keys, line 2
Found matching RSA key: a8:5b:3a:0e:cd:f2:c3:70:bb:9c:42:1b:df:65:45:69
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug3: Trying to reverse map address 10.1.1.1.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for nostromo from 10.1.1.1 port 54592 ssh2
debug1: userauth-request for user nostromo service ssh-connection method keyboard-interactive
debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
debug2: Calling pam_authenticate()
debug2: PAM echo off prompt: Password:
------------------------------------------------
As you can see, the matching key is found but reports failure using
public key for the user.
Any ideas?
-a

Dave Uhring

Jun 28, 2008, 10:32:40 PM
On Sat, 28 Jun 2008 18:20:40 -0700, Anoop wrote:

> I have a linux server, and a bunch of solaris clients. I've set up
> the authorized keys file for each user on the clients to contain the
> rsa public key of the respective user. This holds true for root as
> well.
> There are no issues with root logging in to the solaris clients using
> public key authorisation. However, no other user can log in to the
> solaris machines using public keys. The ssh waits at a password
> prompt.

Restore the original /etc/ssh/sshd_config file on Solaris. You are *not*
supposed to be able to use ssh as root.

Dave

Jun 29, 2008, 3:24:16 AM


But I don't think the fact he has allowed root to log in via ssh is
anything to do with the reason in this case.

Chris Ridd

Jun 29, 2008, 3:30:25 AM

What name services (NIS, LDAP) are being used on all the machines?

Cheers,

Chris

Greg Andrews

Jun 29, 2008, 8:53:49 AM
Anoop <anoop.r...@gmail.com> writes:
>
>I have a linux server, and a bunch of solaris clients. I've set up
>the authorized keys file for each user on the clients to contain the
>rsa public key of the respective user. This holds true for root as
>well.
>There are no issues with root logging in to the solaris clients using
>public key authorisation. However, no other user can log in to the
>solaris machines using public keys. The ssh waits at a password
>prompt.
>

Are there any complaints from sshd about writable directories in
the logfiles? Are the home directories for your normal users
automounted?

-Greg
--
Do NOT reply via e-mail.
Reply in the newsgroup.

Dave Uhring

Jun 29, 2008, 9:20:47 AM
On Sun, 29 Jun 2008 08:24:16 +0100, Dave wrote:
> Dave Uhring wrote:

>> Restore the original /etc/ssh/sshd_config file on Solaris. You are *not*
>> supposed to be able to use ssh as root.
>
> But I don't think the fact he has allowed root to log in via ssh is
> anything to do with the reason in this case.

Probably so, but what else did the OP bork when permitting root login? In
any case, starting from a known workable configuration is better than
starting from $DEITY knows where.

Anoop

Jun 29, 2008, 1:03:52 PM

The user directories are automounted.

The only thing changed in the sshd_config is the "PermitRootLogin"
parameter.


Dave Uhring

Jun 29, 2008, 1:17:21 PM
On Sun, 29 Jun 2008 10:03:52 -0700, Anoop wrote:

> On Jun 29, 6:20 am, Dave Uhring <daveuhr...@yahoo.com> wrote:
>> On Sun, 29 Jun 2008 08:24:16 +0100, Dave wrote:
>> > Dave Uhring wrote:
>> >> Restore the original /etc/ssh/sshd_config file on Solaris.  You are *not*
>> >> supposed to be able to use ssh as root.
>>
>> > But I don't think the fact he has allowed root to log in via ssh is
>> > anything to do with the reason in this case.
>>
>> Probably so, but what else did the OP bork when permitting root login?  In
>> any case, starting from a known workable configuration is better than
>> starting from $DEITY knows where.
>
> The user directories are automounted.

Perhaps you mean "user home directories"?

> The only thing changed in the sshd_config is the "PermitRootLogin"
> parameter.

Restore the original configuration from an unmodified sshd_config and see
if the problem persists.

What version of Solaris are you using? Where did your sshd package come
from?

Anoop

Jun 29, 2008, 1:48:07 PM
On Jun 29, 10:17 am, Dave Uhring <daveuhr...@yahoo.com> wrote:
> On Sun, 29 Jun 2008 10:03:52 -0700, Anoop wrote:
> > On Jun 29, 6:20 am, Dave Uhring <daveuhr...@yahoo.com> wrote:
> >> On Sun, 29 Jun 2008 08:24:16 +0100, Dave wrote:
> >> > Dave Uhring wrote:
> >> >> Restore the original /etc/ssh/sshd_config file on Solaris.  You are *not*
> >> >> supposed to be able to use ssh as root.
>
> >> > But I don't think the fact he has allowed root to log in via ssh is
> >> > anything to do with the reason in this case.
>
> >> Probably so, but what else did the OP bork when permitting root login?  In
> >> any case, starting from a known workable configuration is better than
> >> starting from $DEITY knows where.
>
> > The user directories are automounted.
>
> Perhaps you mean "user home directories"?

Yes I do.

>
> > The only thing changed in the sshd_config is the "PermitRootLogin"
> > parameter.
>
> Restore the original configuration from an unmodified sshd_config and see
> if the problem persists.

It still persists.


>
> What version of Solaris are you using?  Where did your sshd package come
> from?

Solaris 10. sshd comes from the SUNWsshdu package.

-a

Dick Hoogendijk

Jun 29, 2008, 2:39:05 PM
quoting Anoop (Sun, 29 Jun 2008 10:48:07 -0700 (PDT)):
> It still persists.

Did you check the logfile about permission issues?
Can't remember seeing an answer to that suggestion yet.

--
Dick Hoogendijk -- PGP/GnuPG key: 01D2433D
++ http://nagual.nl/ | SunOS 10u5 05/08 ++

Dave Uhring

Jun 29, 2008, 3:17:13 PM

OK, did you restart the ssh service after restoring the original
sshd_config?

I know that such questions may appear insulting but they are not. I have
no idea what your experience is.

Anoop

Jun 29, 2008, 5:12:18 PM

Thanks to everyone who helped.

It turned out that when I created the user on the solaris machine I
did not create a password for the user using "passwd". Even though I
copied the public key correctly, and a match was found, the ssh daemon
would throw an error that it failed public key authorization, and
client would wait at a password prompt.

As soon as I created some random password for the user the public key
authorization started to work, and it wouldn't ask for a password.

This is extremely strange behaviour that I just don't understand. As
far as I'm concerned, this is also unacceptable behaviour. A user
should not have to create a password, just to be able to use public
key authorization. Perhaps someone can shed light on this.

-a

lahuman9

Jun 29, 2008, 6:10:31 PM

You don't have to create a password. Just replace the password hash
or '*LK*' with 'NP', and you should be set. *LK* locks out the user
no matter what...
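
A way to audit for the condition this thread ended on, as an added example that is not part of the original posts: it reads shadow-format lines and lists the accounts whose password field is locked with `*LK*`, which is the state the posters found to block public key logins. The sample entries are constructed, the function names are hypothetical, and treating `*LK*` followed by a hash as locked is an assumption.

```shell
#!/bin/sh
# Constructed sample in shadow(4) layout (user:password-field:...).
# These are not real accounts or real hashes.
SAMPLE_SHADOW='root:ExampleHashAAAA:14000::::::
nostromo:*LK*:::::::
ripley:NP:::::::
dallas:*LK*ExampleHashBBBB:14000::::::
kane:ExampleHashCCCC:14000::::::'

# classify_pw FIELD
# Prints one of: locked, nopasswd, empty, password.
classify_pw() {
    case "$1" in
        # Literal *LK*, optionally followed by a saved hash (assumption).
        '*LK*'*) echo locked ;;
        # NP: no usable password, but the account is not locked.
        NP)      echo nopasswd ;;
        '')      echo empty ;;
        *)       echo password ;;
    esac
}

# pubkey_blocked
# Reads shadow-format lines on stdin and prints each user whose entry is
# locked, i.e. the accounts where a matching key would still be refused.
pubkey_blocked() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        if [ "$(classify_pw "$pw")" = locked ]; then
            echo "$user"
        fi
    done
}

# report
# Prints "user status" for every entry read from stdin.
report() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        echo "$user $(classify_pw "$pw")"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | report
```

On a real host the same functions can be fed the system shadow file by a user allowed to read it, for example `pubkey_blocked < /etc/shadow`.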
