Root SSH Login Not Working

  • Posted January 5, 2015

I have an Ubuntu 14.04 system up and running. I created ssh keys on my Windows Desktop using Putty and pasted the public key into the authorized_keys file for my user account.

I am able to log into the user account using Putty and NotePad++ using the keys created on my Windows desktop. (Side note for others accessing using NotePad++, you have to convert your ssh key into Open SSH format in order for NotePad++ to work).

I added the same key into the /root/.ssh/authorized_keys file and then tried to access the server using the root account but I am getting an unauthorized access error message. It then asks for the root password but it doesn’t accept that password.

If I use the DO Web console interface I am able to login as root with the password I am using so I’m a bit confused what I’ve done wrong.

I’ve read a lot of the posts and tutorials so perhaps I’ve modified a file incorrectly along the way. Ultimately I want to allow only ssh key access but before I do that I need to at least get it working with the root account.


@george - So it’s not the key contents, but permissions on the files (like authorized_keys for root login is not readable by sshd) or login specifications in /etc for root are not set up to use ssh keys. The former you can easily check by setting your authorized_keys file readable by any (should be OK since this should be all public keys). The latter means you need to go through that tutorial again for the root account to make sure nothing went wrong in one of the steps. Good luck.

Yes, I have 3 lines in the DO /root/.ssh/authorized_keys file (Ubuntu1, Ubuntu2, Windows Putty)

On Ubuntu1 I do have a id_rsa and in the ~/.ssh directory and both have the same date and time so it’s not like the private and public got mixed up somehow.

Same goes for the Ubuntu2 server. So I have 3 computers (Ubuntu1, Ubuntu2, Windows PC) able to ssh using the george account on the DO server but none of these can log into the root account on the DO server.

I am really puzzled by this!

@george - The contents of ~/.ssh/ in your FROM ubuntu can be found in one of the lines in /root/.ssh/authorized_keys in your TO ubuntu. Also you have ~/.ssh/id_rsa available in your FROM ubuntu. Can you confirm that?

Permissions on the files in both the george account and the root account appear to be the same:

root@iotllc:~# ls -al /home/george/.ssh/
total 28
drwx------ 2 george george 4096 Jan  5 21:54 .
drwxr-xr-x 9 george george 4096 Jan  5 21:49 ..
-rw------- 1 george george 1207 Jan  6 00:13 authorized_keys
-rw------- 1 george george  796 Jan  5 21:50 authorized_keys.backup
-rw------- 1 george george 1679 Jan  4 23:13 id_rsa
-rw-r--r-- 1 george george  395 Jan  4 23:13
-rw-r--r-- 1 george george  444 Jan  5 17:06 known_hosts
root@iotllc:~# ls -al /root/.ssh
total 28
drwx------ 2 root root 4096 Jan  5 21:57 .
drwxr-xr-x 6 5245 5245 4096 Jan  5 16:17 ..
-rw------- 1 root root 1288 Jan  5 23:03 authorized_keys
-rw------- 1 root root 1149 Jan  5 20:34 authorized_keys.backup
-rw------- 1 root root 1675 Jan  4 22:51 id_rsa
-rw-r--r-- 1 root root  393 Jan  4 22:51
-rw-r--r-- 1 root root  222 Jan  4 22:52 known_hosts
root@iotllc:~# ls -al /root
total 52
drwxr-xr-x  6 5245 5245 4096 Jan  5 16:17 .
drwxr-xr-x 22 root root 4096 Jan  5 02:02 ..
drwx------  2 root root 4096 Jan  5 21:57 .ssh
drwxr-xr-x  2 root root 4096 Aug  1  2013 testtmp
root@iotllc:~# ls -al /home/george
total 1640
drwxr-xr-x 9 george george   4096 Jan  5 21:49 .
drwxr-xr-x 4 root   root     4096 Jan  4 23:46 ..
drwx------ 2 george george   4096 Jan  5 21:54 .ssh
drwxrwxr-x 2 george george   4096 Aug  2  2013 temp

No, I’m trying to ssh into the DO server from 2 different places, another Ubuntu server and my Windows PC. Those last debug pastes were from the other Ubuntu server. From the other Ubuntu server AND my Windows PC I am able to use ssh keys to log into the george account on the DO server.

From BOTH the other Ubuntu server AND the Windows PC I keep getting Permission denied errors when trying to log into the root account on the DO server.

@george - Let me see if I follow your debug procedure

  1. You logged in to your droplet using your george account (either through web console or ssh)
  2. You tried to ssh from that george login session to the root login on the same machine
  3. The ssh command spewed out that your linux george account did not have private keys available that can decipher the public in root’s authorized_key file for your non-root account.

Is that right? So the private+public keys that you generated at your PC (or any rsa key pairs that you generated) are not on the george account of your linux droplet where you attempted step #2.

Still trying to debug this. If I run ssh into the account that works with keys (george) with verbose flags (ssh -vvv george@myserverip) I see this:

debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: XXX...XXX
debug3: sign_and_send_pubkey: RSA XXX...XXX
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to XXX.XXX.XXX.XXX([XXX.XXX.XXX.XXX]:22).

If I ssh into the root account I see this:

debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

Everything up to this point in the debug is exactly the same except for a line above

debug2: key: /root/.ssh/id_rsa (0xb6f7xxxx),

Where the hex value is different. I’m confused in this log if on the failed attempt for the root user if the “No such file or directory” errors are from the remote PC since those files do exist on the DO server and why are those files even being checked for the george user, shouldn’t ssh be looking in the george directories?

Sorry for the confusion but hopefully this helps someone help me figure out what I’ve done wrong.

Is there any reason to not just copy the authorized_keys file from the working user into the /root/.ssh folder?

There were two main types of failures I’ve seen where ssh works for one user and not for another. The first case is a corrupted authorized_keys file for the failing account (it should be 1 public key per line, but the bad one had some garbage lines that were probably a result of a bad cut+paste). The other case was that the authorized_keys had the wrong key, where the wrong key was either the private key (oops!) or the wrong version because the user had generated multiple keys.

At this point just visually compare the keys in root’s authorized_keys with the one you generated from windows, and make sure your putty session for root is using the correct version. Good luck.

Yes, in my /etc/ssh/sshd_config file is that line and I have also restarted the ssh service a few times


There are 2 things that I did just now which allowed me to access the DO server using the root account with ssh keys.

  1. I have NO idea how but I noticed the actual /root directory had ownership by 5245:5245 instead of root:root. I checked all users and groups on the DO server and could not find a user or group with the 5245 name. I changed the /root directory to root:root (and recursively just to be sure).
  2. Just to be sure I also copied the /home/george/.ssh/authorized_keys file to /root/.ssh/authorized_keys
  3. Just to be sure again, I rebooted the DO machine.

Once I did that I was able to ssh in to the DO machine using the Ubuntu1, Ubuntu2, and Windows PC.

At least I won’t be lying in bed tonight trying to figure out what was going on but I still wonder why things were wrong!

What’s odd is that /var/log/auth.log is empty
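
Added example, not part of the original thread: sshd's StrictModes option (on by default) refuses key login when the home directory, ~/.ssh or authorized_keys is owned by anyone other than the account or root, or is group/world writable, which is the state of /root (5245:5245) in the listing earlier in the thread. The script approximates that check; the function names are hypothetical and it assumes GNU stat, as on Ubuntu.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes test for key-login paths.

# Verdict for one path from its metadata.
# Args: owner uid of the path, octal mode of the path, uid of the login account.
# Prints a verdict; returns 0 if acceptable, 1 if sshd would refuse it.
strictmodes_verdict() {
    owner=$1 mode=$2 user_uid=$3
    # The owner must be the account itself or root.
    if [ "$owner" -ne "$user_uid" ] && [ "$owner" -ne 0 ]; then
        echo "bad owner (uid $owner)"; return 1
    fi
    # No group or other write bits: (mode & 022) must be 0.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/world writable (mode $mode)"; return 1
    fi
    echo "ok"; return 0
}

# Check the three paths that matter for key login.
# Args: home directory of the account, uid of the account.
# Returns 0 only if every path passes.
check_key_paths() {
    home=$1 uid=$2 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "$p: missing"; rc=1; continue; }
        v=$(strictmodes_verdict "$(stat -c %u "$p")" "$(stat -c %a "$p")" "$uid") || rc=1
        echo "$p: $v"
    done
    return $rc
}

# Values taken from the thread's "ls -al /root" output: owner 5245, mode 755,
# checked for the root account (uid 0).
strictmodes_verdict 5245 755 0 || true

# On the server itself, run as root:
#   check_key_paths /root 0
```
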