[OpenIndiana-discuss] ssh root login

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Sat Jan 12 23:01:04 UTC 2013


I am trying to accomplish ssh root login with a forced command via an 
entry in /root/.ssh/authorized_keys.  This is to support my home-made 
backup system.  The strategy is already working for Solaris 10, Apple 
OS X, Linux, and FreeBSD hosts.  However, it is failing for 
OpenIndiana and I am having difficulty determining why.

I have this in /etc/ssh/sshd_config:

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin yes

Besides 'yes', I also tried 'forced-commands-only'.  I even tried 
temporarily editing /etc/default/login and commenting out the CONSOLE 
entry.  Each time I do 'svcadm refresh svc:/network/ssh:default' and 
observe that a refresh entry does appear in 
'/var/svc/log/network-ssh:default.log'.

I am not able to successfully ssh in as 'root' using root's 
pass-phrase or password.  I am not able to invoke the forced command 
using the private key.

This is what I see on the ssh client side:

debug1: Next authentication method: publickey
debug1: Trying public key: /.ssh/id_dsa_rsync
debug2: we sent a publickey packet, wait for reply
debug1: Remote: Forced command: /usr/bin/rsync --server --daemon --config=/root/.ssh/rsync.conf .
debug1: Remote: Pty allocation disabled.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Server accepts key: pkalg ssh-dss blen 530 lastkey 80a9c50 hint 0
debug2: input_userauth_pk_ok: fp 23:58:6a:f1:77:62:aa:1b:6c:4b:25:65:7e:64:1a:9e
debug1: read PEM private key done: type DSA
debug1: Remote: Forced command: /usr/bin/rsync --server --daemon --config=/root/.ssh/rsync.conf .

It is seeing my forced command but it is silently rejecting the key. 
I am not able to find any log file information on the server side 
(/var/adm/messages) which would provide a hint of why the key is 
rejected.

Setting LogLevel to debug has no apparent effect and sshd does little 
logging to /var/adm/messages.  In other ssh implementations I see many 
log messages.

Any ideas?

Bob
-- 
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
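
The "Remote:" lines in the client debug output above correspond to the authorized_keys options command=, no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding. The following is an added example, not part of the original post: a small audit that parses the options field of each authorized_keys entry and reports which of those five restrictions are missing. The sample entries, key blobs and function names are constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"(sk-)?(ssh|ecdsa)-\S+$")
# name, or name="value" where \" inside the quotes is an escaped quote
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?')
# Restrictions matching the "Remote:" lines in the debug output above
REQUIRED = ("command", "no-pty", "no-port-forwarding",
            "no-x11-forwarding", "no-agent-forwarding")

def parse_options(line):
    """Return the options of one authorized_keys entry as a dict."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}                       # entry starts with the key type
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        value = m.group(2)
        opts[m.group(1).lower()] = value and value.replace('\\"', '"')
        pos = m.end()
        if line[pos:pos + 1] != ",":    # field ends at unquoted whitespace
            return opts
        pos += 1

def audit(text):
    """Map line number -> REQUIRED options missing from that entry."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            missing = [o for o in REQUIRED if o not in parse_options(line)]
            if missing:
                findings[n] = missing
    return findings

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''\
command="/usr/bin/rsync --server --daemon --config=/root/.ssh/rsync.conf .",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAPLACEHOLDER backup
command="echo \\"a, b\\"",no-pty ssh-rsa AAAAPLACEHOLDER test
ssh-rsa AAAAPLACEHOLDER admin
'''

if __name__ == "__main__":
    for n, missing in audit(SAMPLE).items():
        print(f"line {n}: missing {', '.join(missing)}")
```

Newer OpenSSH releases also accept the single option `restrict`, which this literal check does not credit.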


