Can't SSH as root anymore!


 
Thread Tools Search this Thread
Top Forums UNIX for Dummies Questions & Answers Can't SSH as root anymore!
# 1  
Old 11-13-2009
Can't SSH as root anymore!

I've screwed something up in my sshd_config apparently, because I can't ssh with root anymore.

I had disabled root login for security reasons, but then my ssh credentials with full administrative privelges stopped working. So then I reenabled root login (and reset ssh), but root now isn't working either.

The error I get when I attempt to ssh in is access denied - it seems like it's an authentication error, but it's not.

Below is my sshd_config - please help me figure out where I've gone wrong.

Code:
# Package generated configuration file                                                                                  
# See the sshd(8) manpage for details                                                                                   
                                                                                                                        
# What ports, IPs and protocols we listen for                                                                           
Port 22                                                                                                                 
# Use these options to restrict which interfaces/protocols sshd will bind to                                            
#ListenAddress ::                                                                                                       
#ListenAddress 0.0.0.0                                                                                                  
Protocol 2                                                                                                              
# HostKeys for protocol version 2                                                                                       
HostKey /etc/ssh/ssh_host_rsa_key                                                                                       
HostKey /etc/ssh/ssh_host_dsa_key                                                                                       
#Privilege Separation is turned on for security                                                                         
UsePrivilegeSeparation yes                                                                                              
                                                                                                                        
# Lifetime and size of ephemeral version 1 server key                                                                   
KeyRegenerationInterval 3600                                                                                            
ServerKeyBits 768  
                                                                                                                        
# Logging                                                                                                               
SyslogFacility AUTH                                                                                                     
LogLevel INFO                                                                                                           
                                                                                                                        
# Authentication:                                                                                                       
LoginGraceTime 120                                                                                                      
PermitRootLogin yes                                                                                                     
AllowUsers ***EDITED FOR FORUM***                                                                                                  
StrictModes yes                                                                                                         
                                                                                                                        
#RSAAuthentication yes                                                                                                  
PubkeyAuthentication yes                                                                                                
#AuthorizedKeysFile     %h/.ssh/authorized_keys                                                                         
                                                                                                                        
# Don't read the user's ~/.rhosts and ~/.shosts files                                                                   
IgnoreRhosts yes                                                                                                        
# For this to work you will also need host keys in /etc/ssh_known_hosts                                                 
RhostsRSAAuthentication no                                                                                              
# similar for protocol version 2                                                                                        
HostbasedAuthentication no                                                                                              
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication                                           
#IgnoreUserKnownHosts yes                                                                                               
                                                                                                                        
# To enable empty passwords, change to yes (NOT RECOMMENDED)                                                            
PermitEmptyPasswords no                                                                                                 
                                                                                                                        
# Change to yes to enable challenge-response passwords (beware issues with                                              
# some PAM modules and threads)                                                                                         
ChallengeResponseAuthentication no                                                                                      
                                                                                                                        
# Change to no to disable tunnelled clear text passwords                                                                
PasswordAuthentication yes                                                                                              
                                                                                                                        
                                                                                                                        
# Kerberos options                                                                                                      
#KerberosAuthentication no                                                                                              
#KerberosGetAFSToken no                                                                                                 
#KerberosOrLocalPasswd yes                                                                                              
#KerberosTicketCleanup yes                                                                                              
                                                                                                                        
# GSSAPI options                                                                                                        
#GSSAPIAuthentication no                                                                                                
#GSSAPICleanupCredentials yes                                                                                           
                                                                                                                        
X11Forwarding yes                                                                                                       
X11DisplayOffset 10                                                                                                     
PrintMotd no                                                                                                            
PrintLastLog yes                                                                                                        
TCPKeepAlive yes                                                                                                        
#UseLogin no                                                                                                            
                                                                                                                        
#MaxStartups 10:30:60
                                                                                                                      
#Banner /etc/issue.net                                                                                                  
                                                                                                                        
# Allow client to pass locale environment variables                                                                     
AcceptEnv LANG LC_*                                                                                                     
                                                                                                                        
Subsystem sftp /usr/lib/openssh/sftp-server                                                                             
                                                                                                                        
UsePAM yes

# 2  
Old 11-13-2009
Quote:
# Logging
SyslogFacility AUTH
LogLevel INFO
What does the log file say?
# 3  
Old 11-13-2009
It says (some info edited out):

Note, this is two auth attempts: one with root, and one with the admin account I have set up under "allowUsers"

Quote:
Nov 13 17:15:16 EDITED sshd[14220]: User root from EDITED. net not allowed because not listed in AllowUsers
Nov 13 17:15:16 EDITED sshd[14220]: Failed none for invalid user root from IP EDITED port 62450 ssh2
Nov 13 17:15:17 Sustainable sshd[14220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=EDITED user=root
Nov 13 17:15:19 EDITED sshd[14220]: Failed password for invalid user root from IP EDITED port 62450 ssh2
Nov 13 17:16:27 EDITED sshd[14220]: Failed password for invalid user root from IP EDITED port 62450 ssh2
Nov 13 17:16:29 EDITED sshd[14220]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= EDITED user=root
Nov 13 17:19:13 EDITED sshd[14229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=EDITED us
er=ACCOUNT NAME EDITED
Nov 13 17:19:13 EDITED sshd[14229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=EDITED user=ACCOUNT NAME EDITED
Nov 13 17:19:15 EDITED sshd[14229]: Failed password for ACCOUNT NAME EDITED from EDITED port 62483 ssh2
I've tried removing the allowed users line and I get different errors. Let me grab those quickly unless you lot have any awesome ideas. Smilie

---------- Post updated at 02:19 PM ---------- Previous update was at 02:13 PM ----------

Removing allowed users worked this time. Never mind, everybody. Smilie Thanks...
# 4  
Old 11-14-2009
Great!

FWIW, it is good to post the relevant log file entries here when trying to solve problems. (Don't forget to post log file entries in quote tags Smilie )
 
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. SuSE

Auditors want more security with root to root access via ssh keys

I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE Admin server is setup in the following manner: 1) Remote root access is turned off in the sshd_config file. 2) I am the only user of this admin... (6 Replies)
Discussion started by: dvbell
6 Replies

2. Solaris

Passwordless ssh for root

Hi Experts, I am trying to setup passwordless ssh for root between two of my solaris servers(say A & B). I have exchanged the public keys between both servers. Password less ssh working fine while I try to connect from Server A to Server B. However it is still asking password... (6 Replies)
Discussion started by: sai_2507
6 Replies

3. Solaris

ssh as root

Hi guys. I have two machines and I am using both as root. I need to know , is there a way by which I can ssh from Machine1 to Machine2 without giving the root password for Machine2. I actually need to write a script so that when its executed , it will ssh into another machine and run a... (4 Replies)
Discussion started by: Junaid Subhani
4 Replies

4. Solaris

Solaris 8: root can't ssh to other systems.

Hi, The issue is that root can not ssh to a Solaris 8 server: Please help. Thank you in advance! (7 Replies)
Discussion started by: aixlover
7 Replies

5. UNIX for Dummies Questions & Answers

How to disable root login (Not over SSH)?

I have already disabled root login over the ssh by modifying /etc/ssh/sshd_config. But how would i disable root login on a server itself. We have implemented LDAP in our environment and our security guide states that root login must be obtained by first logging into the host using his/her own... (2 Replies)
Discussion started by: pinga123
2 Replies

6. Solaris

How to configure ssh for root user....???

Hi Friends, I would like to configure ssh for root user. Note : I am able to use the ssh for other user. Can someone suggest me what needs to be done....??? Thanks & Regards, jumadhiya. (8 Replies)
Discussion started by: jumadhiya
8 Replies

7. Cybersecurity

Running script through SSH as root

Hi all, I have a situation where I have a shell script that I need to run remotely on multiple *nix machines via SSH. Unfortunately, some of the commands in it require root access. I know that best practices for ssh entail configuring it so that the root account cannot log in, you need to... (4 Replies)
Discussion started by: irinotecan
4 Replies

8. Solaris

Remote ssh login as root

I edited my /etc/default/login file and commented the line: # If CONSOLE is set, root can only login on that device. # Comment this line out to allow remote login by root. # #CONSOLE=/dev/console I still cant login thru telnet or ssh. What else do i have to do to be able to login... (14 Replies)
Discussion started by: BG_JrAdmin
14 Replies

9. AIX

Passwordless root authentication via SSH

Hello, I would like to issue a couple of commands as root on a remote machine without having to enter the root password. I used "ssh-keygen -t rsa" to generate the encryption keys, copied the public key to the remote machine, etc. I also tried playing around with the sshd_config file and... (3 Replies)
Discussion started by: sphericon
3 Replies

10. UNIX for Dummies Questions & Answers

deny ssh from root - how to?

using redhat 7.2 Is it possible to not allow root to ssh into the server remotely, but allow the account that ssh'd in to the box to su to root? This way there is the added security of a hacker needing two passwords to hack your computer, a username/password for a regular account and also the... (3 Replies)
Discussion started by: theDirtiest
3 Replies
Login or Register to Ask a Question