0

I have a host (named giggles) whose root account does not accept incoming SSH connections. It has a user (kevin) account that does. Moreover, the two accounts have exactly the same credentials for incoming root accounts, and they work for the user account but not for root.

From two different calling machines, I've done both "ssh -v giggles" and "ssh -v kevin@giggles". This verified that the same credentials are presented in both cases, but only the user account (kevin) accepted the connection.

I've used diff and vimdiff to verify that authorized_keys in both root and kevin on giggles contain identical lines for the incoming root connection. But only kevin accepts the call.

The machines are all running Xubuntu, either 20 or 22.

PermitRootLogin is left as the default: prohibit-password. Since I use root so much working on this cluster (7 hosts), I intend to move around with SSH a lot, and will leave it so.

Neither AllowUsers nor DenyUsers is mentioned in my config files, not even commented out.

I can, of course, sudo into the root account once I'm in the user account, but this is awkward for some of the things I do. And it ain't right.

The error message is

root@giggles: Permission denied (publickey).

What else should I be looking at?

4
  • 1
    Have you set PermitRootLogin yes in /etc/ssh/sshd_config? Sorry if that is too obvious a problem; just thought I'd check.
    – Blindspots
    Commented Jan 18, 2023 at 21:59
  • 1
    Denying SSH for root is common. Check sshd.config for AllowUsers or DenyUsers as well
    – Cpt.Whale
    Commented Jan 18, 2023 at 22:01
  • @BlindSpots I've edited the question for this.
    – 4Dummies
    Commented Jan 19, 2023 at 2:00
  • @Cpt.Whale I've edited the question for this.
    – 4Dummies
    Commented Jan 19, 2023 at 2:00

2 Answers

1

I found the problem, and feel guilty about bothering you all with it. It turns out that root's authorized_keys file was NOT owned by root. Making it so made the problem disappear.

This is an artifact of work on an earlier problem that plagued several hosts in the cluster. I probably missed a clean-up step on this machine.

1
  • That happened to me once :D Good to know it's solved. Feel free to mark your own answer as the accepted one.
    – gildux
    Commented Jan 19, 2023 at 13:08
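
The ownership fix in the answer above matches sshd's StrictModes check (enabled by default), which refuses an authorized_keys file whose owner or modes are unsafe while leaving the client with only "Permission denied (publickey)". The script below is an added example, not part of the original thread; its function names are hypothetical, and it assumes the default key location HOME/.ssh/authorized_keys and a stat(1) that supports -c.

```shell
#!/bin/sh
# Added example (not from the thread): audit the paths sshd's StrictModes
# check examines before it will read an account's authorized_keys.
# Assumes stat(1) with -c (GNU coreutils or BusyBox, as on Xubuntu) and the
# default key location HOME/.ssh/authorized_keys.

# Decide one path. Args: owner_uid mode_octal account_uid.
# Accepted: owned by the account or by root (uid 0), and not writable
# by group or others (mode & 022 == 0).
strictmodes_verdict() {
    if [ "$1" != "$3" ] && [ "$1" != 0 ]; then
        echo "BAD owner uid=$1 (want $3 or 0)"; return 1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "BAD mode $2 (group/other writable)"; return 1
    fi
    echo "ok"
}

# Check authorized_keys, .ssh and the home directory for one account.
# Args: home_dir account_uid. Returns 1 if any path would be rejected.
check_authkeys() {
    home=$1; acct=$2; bad=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        if info=$(stat -c '%u %a' "$p" 2>/dev/null); then
            msg=$(strictmodes_verdict "${info% *}" "${info#* }" "$acct") || bad=1
        else
            msg="MISSING"; bad=1
        fi
        printf '%-32s %s\n' "$msg" "$p"
    done
    return $bad
}

# Run as: sudo sh this_script /root 0                  (root's keys)
#         sh this_script /home/kevin "$(id -u kevin)"  (kevin's keys)
if [ $# -eq 2 ]; then
    check_authkeys "$1" "$2"
fi
```

On the server side, the same rejection is logged by sshd as an authentication refusal citing bad ownership or modes, so the auth log is the quickest place to confirm it.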
0

As other comments already mentioned, you need to have PermitRootLogin yes in order to allow root ssh-ing the box. The default PermitRootLogin no is better as you can ssh with some other accounts because from there you can become root by issuing su -l if you know the root password, or you can use sudo -i or doas etc.

But, if you really need to permit root ssh login, the option can be PermitRootLogin without-password (older form) or PermitRootLogin prohibit-password (newer form) in order to allow login but without keyboard-interactive authentication (hence key pairs only). Even in that case, tweak the /root/.ssh/authorized_keys to accept only well-known addresses.
Reference: man 5 sshd_config

2
  • I believe I've done all that. I still have the problem. And authorized_keys on all members of my cluster includes only other members of the cluster. This is true for the one user account as well as for root. And since my router does not allow port 22 in from the outside, I feel pretty safe.
    – 4Dummies
    Commented Jan 19, 2023 at 2:02
  • Background: I'm the only user. Root has no password. There are 7 hosts varying from a core-i5 laptop to a dual-Xeon monster with 256GB RAM.
    – 4Dummies
    Commented Jan 19, 2023 at 2:10
