I need to enable root access via sshd. I will be using certificates and firewalled access. I tried removing the suffix " user != root quiet" from /etc/pam.d/gdm.
Also added "PermitRootLogin yes" in /etc/ssh/sshd_config.
Also put SELinux into Permissive mode.
But still neither root sshd nor login work.
Help,
Aaron
Aaron Gray wrote:
> I need to enable root access via sshd. I will be using certificates and firewalled access. I tried removing the suffix " user != root quiet" from /etc/pam.d/gdm.
This only affects login via the Gnome Display Manager.
> Also added "PermitRootLogin yes" in /etc/ssh/sshd_config.
This is, AFAIK, the default. It doesn't hurt having it, but it should not be required.
> Also put SELinux into Permissive mode.
> But still neither root sshd nor login work.
I know that root logins via sshd work on F11, and there isn't anything special required to allow it that I am aware of. I think you should post the details of the failure you are seeing. Running ssh with -vvv for more verbose output might help. Also, check /var/log/secure on the server to see if it includes any relevant information. If you are using key based authentication, you should look for lines indicating that the ownership and permissions on your keys are incorrect.
On 12/09/2009, Todd Zullinger tmz@pobox.com wrote:
> I know that root logins via sshd work on F11, and there isn't anything special required to allow it that I am aware of. I think you should post the details of the failure you are seeing. Running ssh with -vvv for more verbose output might help. Also, check /var/log/secure on the server to see if it includes any relevant information. If you are using key based authentication, you should look for lines indicating that the ownership and permissions on your keys are incorrect.
It's like the password is being rejected but the password works in 'su'. I am getting the following:-
[ang@Zinc ~]$ ssh -vvv root@192.168.0.16
OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.16 [192.168.0.16] port 22.
debug1: Connection established.
debug1: identity file /home/ang/.ssh/identity type -1
debug1: identity file /home/ang/.ssh/id_rsa type -1
debug1: identity file /home/ang/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 544/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/ang/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.0.16' is known and matches the RSA host key.
debug1: Found key in /home/ang/.ssh/known_hosts:1
debug2: bits set: 524/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ang/.ssh/identity ((nil))
debug2: key: /home/ang/.ssh/id_rsa ((nil))
debug2: key: /home/ang/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.168.0.16.
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ang/.ssh/identity
debug3: no such identity: /home/ang/.ssh/identity
debug1: Trying private key: /home/ang/.ssh/id_rsa
debug3: no such identity: /home/ang/.ssh/id_rsa
debug1: Trying private key: /home/ang/.ssh/id_dsa
debug3: no such identity: /home/ang/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@192.168.0.16's password:
debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
Permission denied, please try again.
root@192.168.0.16's password:
debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
Permission denied, please try again.
root@192.168.0.16's password:
debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).
Any clues ?
Aaron
On Sat, 2009-09-12 at 18:13 +0100, Aaron Gray wrote:
> It's like the password is being rejected but the password works in 'su'. I am getting the following:-
> Any clues ?
> Aaron
No clues...but, please check your /etc/ssh/sshd_config file again.
Do you, by any chance, have "allowusers" or "allowgroups" or "denyusers" or "denygroups" in it?
I don't know how sshd will behave if you try to log into an account that is denied because of the above keywords. Will sshd let you try to log in only to always say the password is wrong, or will sshd not even give you the chance to enter a password before denying you?
On Sat, 2009-09-12 at 18:18 -0500, Rick Sewill wrote:
> No clues...but, please check your /etc/ssh/sshd_config file again.
> Do you, by any chance, have "allowusers" or "allowgroups" or "denyusers" or "denygroups" in it?
> I don't know how sshd will behave if you try to log into an account that is denied because of the above keywords. Will sshd let you try to log in only to always say the password is wrong, or will sshd not even give you the chance to enter a password before denying you?
Also, could you check the following two files on the server side when you try to ssh in as root:
1) /var/log/messages -- I don't really know or expect anything here, but it is always good to check.
2) /var/log/secure -- I don't know what to expect in this file. There may or may not be a message giving a clue.
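The sshd_config check suggested above, as an added example that is not part of the original thread: a POSIX shell function that reads an sshd_config and reports whether PermitRootLogin, AllowUsers, DenyUsers, AllowGroups or DenyGroups would stop a given account from logging in with a password. The function names and the sample configuration are constructed for illustration; negated (!) patterns, the host part of USER@HOST entries and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# directives discussed above. All function names here are hypothetical.

# Print every value given for keyword $2 in file $1, one per line.
# Keywords are case-insensitive; comment lines are skipped; parsing stops
# at the first Match block because settings after it are conditional.
sshd_values() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Succeed if user $1 matches one of the sshd patterns read from stdin.
# sshd patterns allow * and ?, which the shell "case" glob also handles.
# For USER@HOST entries only the USER part is compared (assumption: the
# caller checks the host part by hand).
user_in_list() {
    user=$1
    while read -r pat; do
        pat=${pat%%@*}
        case $user in $pat) return 0 ;; esac
    done
    return 1
}

# Report which directives in config $1 affect a login as user $2.
# The last output line is "verdict: allowed|blocked|blocked-for-password".
audit_sshd_login() {
    cfg=$1 who=$2 verdict=allowed

    # DenyUsers is evaluated before AllowUsers.
    if sshd_values "$cfg" DenyUsers | user_in_list "$who"; then
        echo "DenyUsers lists $who"
        verdict=blocked
    fi
    # Once AllowUsers appears, every user it does not list is refused.
    allow=$(sshd_values "$cfg" AllowUsers)
    if [ -n "$allow" ] && ! printf '%s\n' "$allow" | user_in_list "$who"; then
        echo "AllowUsers is set and does not list $who"
        verdict=blocked
    fi
    # Group membership lives on the server, so only flag these for review.
    for kw in AllowGroups DenyGroups; do
        glist=$(sshd_values "$cfg" "$kw" | tr '\n' ' ')
        if [ -n "$glist" ]; then
            echo "$kw is set ($glist): compare with 'id -Gn $who' on the server"
        fi
    done
    # For a repeated keyword sshd uses the first value it reads.
    if [ "$who" = root ]; then
        prl=$(sshd_values "$cfg" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
        case ${prl:-unset} in
            no)
                echo "PermitRootLogin no"
                verdict=blocked ;;
            without-password|prohibit-password|forced-commands-only)
                echo "PermitRootLogin $prl: root password logins are refused"
                if [ "$verdict" = allowed ]; then verdict=blocked-for-password; fi ;;
        esac
    fi
    echo "verdict: $verdict"
}

# Constructed sample configuration (not taken from the thread): root is
# refused even though PermitRootLogin is "yes", because AllowUsers omits it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers ang admin@192.168.0.*
EOF
audit_sshd_login "$sample" root
audit_sshd_login "$sample" ang
rm -f "$sample"
```

The client-side trace alone does not show which server-side setting rejected the login, so run the function against the server's own /etc/ssh/sshd_config and read the result alongside /var/log/secure.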
Snip extraneous quotes from your posts to the list, dammit! (You, and everyone else doing this.)
It's a pain to read stuff when there's three pages of stuff that just isn't needed in a message, and has to be scrolled past to find the reply.
It's a waste of everyone's time, bandwidth, and storage space. You're not paying for any of that, including the list server's, so don't make things more expensive for those that are.
Do you give out tickets and fines, jail terms and excommunication for the crime of posting?
Bob
On 09/13/2009 02:06 AM, Tim wrote:
> Snip extraneous quotes from your posts to the list, dammit! (You, and everyone else doing this.)
> It's a pain to read stuff when there's three pages of stuff that just isn't needed in a message, and has to be scrolled past to find the reply.
> It's a waste of everyone's time, bandwidth, and storage space. You're not paying for any of that, including the list server's, so don't make things more expensive for those that are.
On Sun, 2009-09-13 at 09:52 -0400, Robert L Cochran wrote:
> Do you give out tickets and fines, jail terms and excommunication for the crime of posting?
Have you actually read the list guidelines (including the part about not top-posting)?
poc
Guidelines are voluntary.
I don't crucify, burn at stake, hang, dismember or torture other list people for doing things differently. We do not live in the 1400s any longer.
Bob
On 09/13/2009 10:00 AM, Patrick O'Callaghan wrote:
> On Sun, 2009-09-13 at 09:52 -0400, Robert L Cochran wrote:
>> Do you give out tickets and fines, jail terms and excommunication for the crime of posting?
> Have you actually read the list guidelines (including the part about not top-posting)?
> poc
Robert L Cochran wrote:
> Guidelines are voluntary.
So is providing help on the list. Not following the guidelines is a good way to limit those willing to help you.
> I don't crucify, burn at stake, hang, dismember or torture other list people for doing things differently. We do not live in the 1400s any longer.
> Bob
I guess politeness has also gone out of style. Guidelines are to let people know the way they are expected to behave in this community. After all, things like changing your clothes, washing, etc are voluntary. But you will have a hard time fitting in in most parts of the world if this is the way you conduct yourself.
Mikkel
Here in the USA, I do not need to be ashamed for having a different view and a different way of doing things. I can have my own beliefs and practices.
When you resort to threats of no help to me unless I toe the line you dictate to me, you illustrate what I'm getting at.
It takes people with many different views to make a good product. If I banned everyone from my workplace who doesn't think as I do, then I'd be standing in the building alone. With nothing to show for it.
Bob
On 09/13/2009 10:35 AM, Mikkel L. Ellertson wrote:
> Robert L Cochran wrote:
>> Guidelines are voluntary.
> So is providing help on the list. Not following the guidelines is a good way to limit those willing to help you.
>> I don't crucify, burn at stake, hang, dismember or torture other list people for doing things differently. We do not live in the 1400s any longer.
>> Bob
> I guess politeness has also gone out of style. Guidelines are to let people know the way they are expected to behave in this community. After all, things like changing your clothes, washing, etc are voluntary. But you will have a hard time fitting in in most parts of the world if this is the way you conduct yourself.
> Mikkel
All I ask is let everyone try to keep civil to each other.
(The order this appears in the thread, is just that. Please attach no significance to it)
Regards,
Frank
Robert L Cochran wrote:
> Here in the USA, I do not need to be ashamed for having a different view and a different way of doing things. I can have my own beliefs and practices.
Please don't conflate personal freedom with ignoring list norms and basic netiquette. This is akin to insisting on smoking when you are at a guest's house who asks you not to smoke.
If you choose not to heed the list guidelines, fine. But please don't waste our time defending your refusal to be considerate to the other list members.
On Sun, 2009-09-13 at 11:57 -0400, Robert L Cochran wrote:
> It takes people with many different views to make a good product. If I banned everyone from my workplace who doesn't think as I do, then I'd be standing in the building alone. With nothing to show for it.
The usual strawman argument when anyone dares to suggest that the guidelines, while not rules or laws, are there to help communication.
IOW, "The guidelines are for other people, I'm too important/busy/ornery/individualistic to be bothered with this penny-ante stuff."
(Yes, I know *you* didn't say those words. Just call it a metasemantic interpretation).
poc
On Sunday 13 September 2009 16:57:58 Robert L Cochran wrote:
> Here in the USA, I do not need to be ashamed for having a different view and a different way of doing things. I can have my own beliefs and practices.
Absolutely true. You can continue to have no consideration for those that offer help, and especially for those less fortunate than you who have either very slow connections or have capped downloads. You can continue to be any kind of ass you choose.
> When you resort to threats of no help to me unless I toe the line you dictate to me, you illustrate what I'm getting at.
No threat whatsoever. It's a promise. We are volunteers, and we can volunteer not to answer those people who cannot be polite and considerate.
> It takes people with many different views to make a good product. If I banned everyone from my workplace who doesn't think as I do, then I'd be standing in the building alone. With nothing to show for it.
No concern of ours. Only behaviour on our lists concerns us.
Anne
On Sun, Sep 13, 2009 at 11:57:58AM -0400, Robert L Cochran wrote:
> Here in the USA, I do not need to be ashamed for having a different view and a different way of doing things. I can have my own beliefs and practices.
Dear Bob,
1. please be considerate of volunteer effort, as it is very valuable, and the enthusiasm required for it isn't infinite in each volunteer.
2. Wasting someone's time with excess quoting and flaming in mailing lists is a good way to ensure that he'll lose his enthusiasm.
3. One of the reasons that many lists have netiquettes and have added top-posting to the list of things to avoid.
> When you resort to threats of no help to me unless I toe the line you dictate to me, you illustrate what I'm getting at.
Here's another simple rule-of-3:
1. Feel free to continue like that.
2. Others will feel free to killfile your address and thus won't ever again see your emails.
3. Welcome to my killfile.
2009/9/13 Peter l Jakobi lists@kefk.oa.shuttle.de:
- Wasting someone's time with excess quoting and flaming in
mailing lists is a good way to ensure that he'll lose his enthusiasm.
Flaming is bad, but I for one don't have too much of a problem with excess quoting. It doesn't take _that_ much time to read as I generally skim-read anyway. I question how much time is "lost" with /excessive/ quoting.
I have a bigger problem with people making initial posts full of unnecessary verbiage and no concrete information.
- One of the reasons that many lists have netiquettes and have added
top-posting to the list of things to avoid.
Again, I'm not too fussed - I work in a Microsoft Environment where most people do this - I respect the etiquette guidelines of the list on this, but I don't usually castigate people for it.
-- Sam
On Sun, Sep 13, 2009 at 08:55:24PM +0100, Sharpe, Sam J wrote:
2009/9/13 Peter l Jakobi lists@kefk.oa.shuttle.de:
Again, I'm not too fussed - I work in a Microsoft Environment where most people do this - I respect the etiquette guidelines of the list on this, but I don't usually castigate people for it.
On a good day, my tolerance is a bit higher for this kind of impoliteness. But after 10 hours or so this grows thin. And in my spare time after hours, there's also the added lack of payment for tolerating such behaviour.
Top-posting might make sense to contain the full history within each mail in a 1:1 exchange in a biz setting.
But it breaks BADLY as soon as more people participate (other than as silent cc:-to-archive or cc:-to-management recipients). In the general case it's really nice to observe that soon NOBODY will have either the complete list of recipients or the full history of the discussion. With subsequent wasted time, uninformed project members and more expensive side-effects.
Get the peanuts, lean back and enjoy the chaos. But also be prepared for the risk of late-night after-hours obligatory-participation telephone conferences...
A saner work-around for this would be a single mailinglist alias plus a list archive to keep the history. Like this list offers.
But then there's no more "need" at all for keeping "the history as TOFU" and wasting a large number of recipients' time...
What's that saying? "On the internet, it's always September". IMHO outlook's TOFU tendencies rather add to the mess school accounts and AOL created.
Perhaps it's just time to extend the usual SPAM filter with a TOFU filter to blackhole such postings early both at the mailinglist alias-level and in the personal .procmailrc... . Maybe even with a polite posting pointing to the netiquette and some instructions on proper email reformatting for successful redistribution :>.
On Sun, Sep 13, 2009 at 12:55 PM, Sharpe, Sam J sam.sharpe+lists.redhat@gmail.com wrote:
2009/9/13 Peter l Jakobi lists@kefk.oa.shuttle.de:
- Wasting someone's time with excess quoting and flaming in
mailing lists is a good way to ensure that he'll lose his enthusiasm.
<.....>
I have a bigger problem with people making initial posts full of unnecessary verbiage and no concrete information.
+1
There are busy days when one may quickly browse through the list, pick a post with the intention to help and then find out that is hard to make sense of it. It's a good thing --as the list motto goes-- to "assist, encourage and advice" posters to make better use of this resource. On the other hand, insulting others leads to nowhere... but it does get people's attention as this thread shows it.
~af
Robert L Cochran wrote:
Here in the USA, I do not need to be ashamed for having a different view and a different way of doing things. I can have my own beliefs and practices.
I'm from Milwaukee - I know something about the US. You can have your own beliefs. But you are constrained in your practices by what the community tolerates.
When you resort to threats of no help to me unless I toe the line you dictate to me, you illustrate what I'm getting at.
Not a threat - I have no obligation to help anyone on the list. I am much more likely to help someone that is polite. That is MY choice. I only help on problems that interest me. If someone can be bothered to follow list guidelines, that person just lost my interest.
My belief is that if someone does not care enough about following the list guidelines when asking for help, then they are not worth helping. Are you telling me I can not follow my beliefs?
It takes people with many different views to make a good product. If I banned everyone from my workplace who doesn't think as I do, then I'd be standing in the building alone. With nothing to show for it.
I guess you have never seen a "No shoes, no shirt, no service." sign, or don't believe you have to follow that type of sign. There are plenty of companies that will refuse to do business with you if you don't want to conform to expected behavior. This has almost nothing to do with your beliefs, and everything to do with polite behavior. (Some people believe that helping someone that is not even related to them is foolish. Being polite is an even worse offense.)
On that point, welcome to my kill file.
Mikkel
On Sun, Sep 13, 2009 at 12:57 PM, Robert L Cochran cochranb@speakeasy.net wrote:
Here in the USA, I do not need to be ashamed for having a different view and a different way of doing things. I can have my own beliefs and practices.
When you resort to threats of no help to me unless I toe the line you dictate to me, you illustrate what I'm getting at.
It takes people with many different views to make a good product. If I banned everyone from my workplace who doesn't think as I do, then I'd be standing in the building alone. With nothing to show for it.
Bob
On 09/13/2009 10:35 AM, Mikkel L. Ellertson wrote:
Robert L Cochran wrote:
Guidelines are voluntary.
So is providing help on the list. Not following the guidelines is a good way to limit those willing to help you.
I don't crucify, burn at stake, hang, dismember or torture other list people for doing things differently. We do not live in the 1400s any longer.
Bob
I guess politeness has also gone out of style. Guidelines are to let people know the way they are expected to behave in this community. After all, things like changing your clothes, washing, etc are voluntary. But you will have a hard time fitting in in most parts of the world if this is the way you conduct yourself.
Mikkel
On Sun, Sep 13, 2009 at 11:57:58AM -0400, Robert L Cochran wrote:
Here in the USA, I do not need to be ashamed for having a different view and a different way of doing things. I can have my own beliefs and practices.
Dear Bob,
1. please be considerate of volunteer effort, as it is very valuable, and the enthusiasm required for it isn't infinite in each volunteer.
2. Wasting someone's time with excess quoting and flaming in mailing lists is a good way to ensure that he'll lose his enthusiasm.
3. One of the reasons that many lists have netiquettes and have added top-posting to the list of things to avoid.
When you resort to threats of no help to me unless I toe the line you dictate to me, you illustrate what I'm getting at.
Here's another simple rule-of-3:
1. Feel free to continue like that.
2. Others will feel free to killfile your address and thus won't ever again see your emails.
3. Welcome to my killfile.
-- cu Peter l Jakobi lists@kefk.oa.shuttle.de
On Sun, 2009-09-13 at 09:52 -0400, Robert L Cochran wrote:
Do you give out tickets and fines, jail terms and excommunication for the crime of posting?
No, but you get properly roasted for being a pain in the butt.
Every post sent to this server is sent to hundreds, perhaps thousands, of people. You increase the workload (and bandwidth costs) of the server whenever you (that's the collective "you") post piles of unnecessary quoting.
You also antagonise everyone on the list who has to scroll through pages of CRAP, yes UTTER crap, when some dingbat quotes everything to add just three or four lines that DO NOT need all the quoted crap. The older users, those who're most likely to be able to answer questions best, are the most likely to just hit delete and ignore postings sent by thoughtless users.
Top posting doesn't help. You're still wasting bandwidth on a ridiculous scale, and people still have to scroll up and down all over the place to find out what the hell you're responding to.
Don't be a bloody nuisance.
On 09/13/2009 10:35 AM, Mikkel L. Ellertson wrote:
Robert L Cochran wrote:
Guidelines are voluntary.
So is providing help on the list. Not following the guidelines is a good way to limit those willing to help you.
I don't crucify, burn at stake, hang, dismember or torture other list people for doing things differently. We do not live in the 1400s any longer.
Bob
I guess politeness has also gone out of style. Guidelines are to let people know the way they are expected to behave in this community. After all, things like changing your clothes, washing, etc are voluntary. But you will have a hard time fitting in in most parts of the world if this is the way you conduct yourself.
Mikkel
You all have very good points, but may I add one to those people who get a little tight under the collar when you don't do what they do, and you should because that's the way I do it. That is what's great about the Linux community, we all have different Ideals about the way it should be done, and I'll respect your Ideal if you will respect mine. After all that is what makes for a strong community. And that's why Linux and OSS will succeed.
Mikkel L. Ellertson wrote:
Robert L Cochran wrote:
Guidelines are voluntary.
So is providing help on the list. Not following the guidelines is a good way to limit those willing to help you.
Too bad there isn't a guideline on sending off-topic complaints about posting form, spelling, etc, etc, directly to the poster and not filling the list with noise.
[__ see, I clipped the other few lines to make you happy. __]
On Wed, 2009-09-30 at 10:07 -0400, Bill Davidsen wrote:
Mikkel L. Ellertson wrote:
Robert L Cochran wrote:
Guidelines are voluntary.
So is providing help on the list. Not following the guidelines is a good way to limit those willing to help you.
Too bad there isn't a guideline on sending off-topic complaints about posting form, spelling, etc, etc, directly to the poster and not filling the list with noise.
Well if he had you wouldn't know about it would you? I know I've done it on occasion. There is a point to sometimes complaining publicly: keeping all complaints private sends the implicit message that no-one has a problem with the objectionable behaviour.
poc
On Wednesday 30 September 2009 15:29:07 Patrick O'Callaghan wrote:
Well if he had you wouldn't know about it would you? I know I've done it on occasion. There is a point to sometimes complaining publicly: keeping all complaints private sends the implicit message that no-one has a problem with the objectionable behaviour.
It also makes it look as though the comment is aimed at one person, when usually it has built up over several messages.
It would greatly help if people would remember that not all are fortunate enough to have unlimited cheap bandwidth. This is not merely a politeness, but a necessity for those people.
Anne
Anne Wilson wrote:
On Wednesday 30 September 2009 15:29:07 Patrick O'Callaghan wrote:
Well if he had you wouldn't know about it would you? I know I've done it on occasion. There is a point to sometimes complaining publicly: keeping all complaints private sends the implicit message that no-one has a problem with the objectionable behaviour.
It also makes it look as though the comment is aimed at one person, when usually it has built up over several messages.
It would greatly help if people would remember that not all are fortunate enough to have unlimited cheap bandwidth. This is not merely a politeness, but a necessity for those people.
The public comment generated 27 (so far) replies, which is a pretty good troll. A single polite "would you" generates none, and will either work or not, depending on the recipient, and is less likely to cause a defensive response.
Having been accused of trimming too much, and having my own posts trimmed so someone can tell me something I included in the original post, I try to trim lightly, although not THAT lightly.
Bill Davidsen wrote:
Too bad there isn't a guideline on sending off-topic complaints about posting form, spelling, etc, etc, directly to the poster and not filling the list with noise.
You mean like resurrecting a thread that died 2 weeks ago?
I guess it would be better to bombard the poster with a dozen messages from people on the list rather than to post one message that shows the person has already been told, and also helps other new users understand that there are guidelines, and they stand a better chance of getting help if they follow them.
Mikkel
On 09/13/2009 03:20 PM, Robert L Cochran wrote:
Guidelines are voluntary.
I don't crucify, burn at stake, hang, dismember or torture other list people for doing things differently. We do not live in the 1400s any longer.
Bob
On 09/13/2009 10:00 AM, Patrick O'Callaghan wrote:
On Sun, 2009-09-13 at 09:52 -0400, Robert L Cochran wrote:
Do you give out tickets and fines, jail terms and excommunication for the crime of posting?
Have you actually read the list guidelines (including the part about not top-posting)?
poc
Hi
Do you like to live in peace with your neighbors? It is the same principle.
Regards
Marcelo
Marcelo M. Garcia wrote:
Do you like to live in peace with your neighbors? It is the same principle.
I think the live in peace would say that if you have an issue with a person it is better to send them a private eMail than to call them out on the list. The original post on clipping was both public and somewhat hostile, "Snip extraneous quotes from your posts to the list, dammit!" is not the way to get cooperation.
Bill Davidsen wrote:
Marcelo M. Garcia wrote:
Do you like to live in peace with your neighbors? It is the same principle.
I think the live in peace would say that if you have an issue with a person it is better to send them a private eMail than to call them out on the list. The original post on clipping was both public and somewhat hostile, "Snip extraneous quotes from your posts to the list, dammit!" is not the way to get cooperation.
You are assuming that there was not a private message sent first. I can understand a somewhat hostile message to the list if the private message was ignored.
But people should keep in mind that some people on the list do not get messages sent to the address they use to post to the list.
Mikkel
On Sun, 2009-09-13 at 09:52 -0400, Robert L Cochran wrote:
Do you give out tickets and fines, jail terms and excommunication for the crime of posting?
No, but you get properly roasted for being a pain in the butt.
Every post sent to this server is sent to hundreds, perhaps thousands, of people. You increase the workload (and bandwidth costs) of the server whenever you (that's the collective "you") post piles of unnecessary quoting.
You also antagonise everyone on the list who has to scroll through pages of CRAP, yes UTTER crap, when some dingbat quotes everything to add just three or four lines that DO NOT need all the quoted crap. The older users, those who're most likely to be able to answer questions best, are the most likely to just hit delete and ignore postings sent by thoughtless users.
Top posting doesn't help. You're still wasting bandwidth on a ridiculous scale, and people still have to scroll up and down all over the place to find out what the hell you're responding to.
Don't be a bloody nuisance.
Rick Sewill-2 wrote:
No clues...but, please check your /etc/ssh/sshd_config file again.
Do you, by any chance, have "allowusers" or "allowgroups" or "denyusers" or "denygroups" in it?
I don't know how sshd will behave if you try to log into an account that is denied because of the above keywords. Will sshd let you try to log in only to always say the password is wrong, or will sshd not even give you the chance to enter a password before denying you?
Apart from checking that permitRootLogin is yes, if there is an allowusers line then root should be included in the list of user names I think and of course make sure root is not included in the denial list.
I have used root login on F11 with no problem at all.
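The check suggested in the message above (PermitRootLogin plus the allow/deny lists) can be run mechanically over a copy of sshd_config. The following is an added example, not code from anyone in the thread; the function names and the sample config are constructed for illustration, and it is simplified to the global section (it stops at the first Match block), the `*` and `?` wildcards, and it ignores the host part of USER@HOST entries.

```python
import re

# Constructed sample for illustration; not a config posted in the thread.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (excerpt)
PermitRootLogin yes
allowusers alice bob
"""

LIST_KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_global_section(text):
    """Collect directives that appear before the first Match block."""
    single = {}
    lists = {key: [] for key in LIST_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]   # keywords are case-insensitive
        if key == "match":
            break
        if key in lists:
            lists[key].extend(args)                # repeated lines accumulate
        else:
            single.setdefault(key, " ".join(args))  # first occurrence wins
    return single, lists


def _matches(name, pattern):
    """Wildcard match: '*' is any run of characters, '?' is exactly one."""
    pattern = pattern.split("@", 1)[0]  # simplification: host part ignored
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None


def root_login_blockers(text, root_groups=("root",)):
    """Return the reasons these directives would refuse a root login."""
    single, lists = parse_global_section(text)
    reasons = []
    if single.get("permitrootlogin", "").lower() == "no":
        reasons.append("PermitRootLogin no")
    if any(_matches("root", p) for p in lists["denyusers"]):
        reasons.append("root matches DenyUsers")
    if lists["allowusers"] and not any(
            _matches("root", p) for p in lists["allowusers"]):
        reasons.append("AllowUsers is set and root is not listed")
    if any(_matches(g, p) for g in root_groups for p in lists["denygroups"]):
        reasons.append("a group of root matches DenyGroups")
    if lists["allowgroups"] and not any(
            _matches(g, p) for g in root_groups for p in lists["allowgroups"]):
        reasons.append("AllowGroups is set and no group of root is listed")
    return reasons


if __name__ == "__main__":
    for reason in root_login_blockers(SAMPLE_CONFIG):
        print("blocked:", reason)
```

An empty result only means none of these five directives stands in the way; key file permissions, PAM and SELinux are separate checks.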
On 12/09/2009, Todd Zullinger tmz@pobox.com wrote:
Aaron Gray wrote:
I need to enable root access via sshd. I will be using certificates and firewalled access. I tried remove the suffix " user != root quiet" from /etc/pam.d/gdm.
This only affects login via the Gnome Display Manager.
Also added "PermitRootLogin yes" in /etc/ssh/sshd_config.
This is, AFAIK, the default. It doesn't hurt having it, but it should not be required.
Also put SELinux into Permissive mode.
But still neither root sshd nor login work.
I know that root logins via sshd work on F11, and there isn't anything special required to allow it that I am aware of. I think you should post the details of the failure you are seeing. Running ssh with -vvv for more verbose output might help. Also, check /var/log/secure on the server to see if it includes any relevant information. If you are using key based authentication, you should look for lines indicating that the ownership and permissions on your keys are incorrect.
I am not getting anything in /var/log/secure for the operation.
Confused :(
Aaron