Root SSH Login Not Working

January 5, 2015

I have an Ubuntu 14.04 system up and running. I created ssh keys on my Windows Desktop using Putty and pasted the public key into the authorized_keys file for my user account.

I am able to log into the user account using Putty and NotePad++ using the keys created on my Windows desktop. (Side note for others accessing using NotePad++: you have to convert your ssh key into OpenSSH format in order for NotePad++ to work.)

I added the same key into the /root/.ssh/authorized_keys file and then tried to access the server using the root account but I am getting an unauthorized access error message. It then asks for the root password but it doesn't accept that password.

If I use the DO Web console interface I am able to login as root with the password I am using so I'm a bit confused what I've done wrong.

I've read a lot of the posts and tutorials so perhaps I've modified a file incorrectly along the way. Ultimately I want to allow only ssh key access but before I do that I need to at least get it working with the root account.

  • When setting up ssh keys on your droplet did you update your ssh configuration to reflect:

    PermitRootLogin without-password

    To allow the root account to authenticate by key only? You mentioned going through several tutorials, I would recommend reviewing this one to ensure you've got everything configured correctly.

    by Etel Sverdlov
    SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
  • With Ubuntu, look in /var/log/auth.log to see the details of why your keys are being rejected. The procedure I would use is to login as root through the DO web console and do 'tail -f /var/log/auth.log' and then ssh from your Windows PC as your non-root account and then with your root account. This way you can see the effects of when it works and when it does not.

    Hope that helps.

  • Yes, in my /etc/ssh/sshd_config file is that line and I have also restarted the ssh service a few times

  • There were two main types of failures I've seen where ssh works for one user and not for another. The first case is a corrupted authorized_keys file for the failing account (it should be 1 public key per line, but the bad one had some garbage lines that were probably the result of a bad cut+paste). The other case was that the authorized_keys had the wrong key, where the wrong key was either the private key (oops!) or the wrong version because the user had generated multiple keys.

    At this point just visually compare the keys in root's authorized_keys with the one you generated from windows, and make sure your putty session for root is using the correct version. Good luck.

  • Is there any reason to not just copy the authorized_keys file from the working user into the /root/.ssh folder?

  • Still trying to debug this. If I run ssh into the account that works with keys (george) with verbose flags (ssh -vvv george@myserverip) I see this:

    debug2: we sent a publickey packet, wait for reply
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug2: input_userauth_pk_ok: XXX...XXX
    debug3: sign_and_send_pubkey: RSA XXX...XXX
    debug1: key_parse_private2: missing begin marker
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    Authenticated to XXX.XXX.XXX.XXX([XXX.XXX.XXX.XXX]:22).

    If I ssh into the root account I see this:

    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /root/.ssh/id_dsa
    debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /root/.ssh/id_ed25519
    debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey).

    Everything up to this point in the debug is exactly the same except for a line above

    debug2: key: /root/.ssh/id_rsa (0xb6f7xxxx),

    Where the hex value is different. I'm confused by this log: on the failed attempt for the root user, are the "No such file or directory" errors from the remote PC, since those files do exist on the DO server? And why are those files even being checked for the george user; shouldn't ssh be looking in george's directories?

    Sorry for the confusion but hopefully this helps someone help me figure out what I've done wrong.

  • @george - Let me see if I follow your debug procedure

    1. You logged in to your droplet using your george account (either through web console or ssh)
    2. You tried to ssh from that george login session to the root login on the same machine
    3. The ssh command spewed out that your linux george account did not have private keys available that can decipher the public key in root's authorized_keys file for your non-root account.

    Is that right? So the private+public keys that you generated at your PC (or any rsa key pairs that you generated) are not on the george account of your linux droplet where you attempted step #2.

  • No, I'm trying to ssh into the DO server from 2 different places, another Ubuntu server and my Windows PC. Those last debug pastes were from the other Ubuntu server. From the other Ubuntu server AND my Windows PC I am able to use ssh keys to log into the george account on the DO server.

    From BOTH the other Ubuntu server AND the Windows PC I keep getting Permission denied errors when trying to log into the root account on the DO server.

  • Permissions on the files in both the george account and the root account appear to be the same:

    root@iotllc:~# ls -al /home/george/.ssh/
    total 28
    drwx------ 2 george george 4096 Jan  5 21:54 .
    drwxr-xr-x 9 george george 4096 Jan  5 21:49 ..
    -rw------- 1 george george 1207 Jan  6 00:13 authorized_keys
    -rw------- 1 george george  796 Jan  5 21:50 authorized_keys.backup
    -rw------- 1 george george 1679 Jan  4 23:13 id_rsa
    -rw-r--r-- 1 george george  395 Jan  4 23:13
    -rw-r--r-- 1 george george  444 Jan  5 17:06 known_hosts
    root@iotllc:~# ls -al /root/.ssh
    total 28
    drwx------ 2 root root 4096 Jan  5 21:57 .
    drwxr-xr-x 6 5245 5245 4096 Jan  5 16:17 ..
    -rw------- 1 root root 1288 Jan  5 23:03 authorized_keys
    -rw------- 1 root root 1149 Jan  5 20:34 authorized_keys.backup
    -rw------- 1 root root 1675 Jan  4 22:51 id_rsa
    -rw-r--r-- 1 root root  393 Jan  4 22:51
    -rw-r--r-- 1 root root  222 Jan  4 22:52 known_hosts
    root@iotllc:~# ls -al /root
    total 52
    drwxr-xr-x  6 5245 5245 4096 Jan  5 16:17 .
    drwxr-xr-x 22 root root 4096 Jan  5 02:02 ..
    drwx------  2 root root 4096 Jan  5 21:57 .ssh
    drwxr-xr-x  2 root root 4096 Aug  1  2013 testtmp
    root@iotllc:~# ls -al /home/george
    total 1640
    drwxr-xr-x 9 george george   4096 Jan  5 21:49 .
    drwxr-xr-x 4 root   root     4096 Jan  4 23:46 ..
    drwx------ 2 george george   4096 Jan  5 21:54 .ssh
    drwxrwxr-x 2 george george   4096 Aug  2  2013 temp
  • @george - The contents of ~/.ssh/ in your FROM ubuntu can be found in one of the lines in /root/.ssh/authorized_keys in your TO ubuntu. Also you have ~/.ssh/id_rsa available in your FROM ubuntu. Can you confirm that?

  • Yes, I have 3 lines in the DO /root/.ssh/authorized_keys file (Ubuntu1, Ubuntu2, Windows Putty)

    On Ubuntu1 I do have an id_rsa and in the ~/.ssh directory and both have the same date and time so it's not like the private and public got mixed up somehow.

    Same goes for the Ubuntu2 server. So I have 3 computers (Ubuntu1, Ubuntu2, Windows PC) able to ssh using the george account on the DO server but none of these can log into the root account on the DO server.

    I am really puzzled by this!

  • @george - So it's not the key contents, but permissions on the files (like authorized_keys for root login is not readable by sshd) or login specifications in /etc for root are not set up to use ssh keys. The former you can easily check by setting your authorized_keys file readable by any (should be OK since this should be all public keys). The latter means you need to go through that tutorial again for the root account to make sure nothing went wrong in one of the steps. Good luck.

2 Answers

What's odd is that /var/log/auth.log is empty

There are 2 things that I did just now which allowed me to access the DO server using the root account with ssh keys.

  1. I have NO idea how but I noticed the actual /root directory had ownership by 5245:5245 instead of root:root. I checked all users and groups on the DO server and could not find a user or group with the 5245 name. I changed the /root directory to root:root (and recursively just to be sure).
  2. Just to be sure I also copied the /home/george/.ssh/authorized_keys file to /root/.ssh/authorized_keys
  3. Just to be sure again, I rebooted the DO machine.

Once I did that I was able to ssh in to the DO machine using the Ubuntu1, Ubuntu2, and Windows PC.

At least I won't be lying in bed tonight trying to figure out what was going on but I still wonder why things were wrong!

  • I did some quick research on whether there's a virus that changes root permission to that number. Good news is I didn't find one. I hope you installed a rootkit scanner, just in case.
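The ownership fix above is what sshd's StrictModes check (on by default) enforces: every path component from the home directory down to authorized_keys must be owned by the login user or by root and must not be group- or world-writable, otherwise the key file is silently ignored and the client sees "Permission denied (publickey)". The following is an added checker written for this thread, not code from the poster, DigitalOcean or OpenSSH; it reimplements that rule on (path, uid, mode) tuples so it can be run against a constructed copy of the listings above (george's uid 1000 is assumed) and, via collect_entries, against a real home directory.

```python
import stat
from pathlib import Path

def strict_modes_problems(entries, user_uid):
    """Apply sshd's StrictModes ownership/mode rule to a chain of path components.

    entries: list of (path, st_uid, st_mode) from the home directory down to the
    key file. Returns a list of problems; an empty list means sshd would trust
    the authorized_keys file in that chain.
    """
    problems = []
    for path, uid, mode in entries:
        # Owner must be the user logging in, or root (uid 0).
        if uid not in (0, user_uid):
            problems.append(f"{path}: owned by uid {uid}, not the user ({user_uid}) or root")
        # No component may be writable by group or others.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others (mode {stat.S_IMODE(mode):04o})")
    return problems

def collect_entries(home, key_file="authorized_keys"):
    """Stat a real home dir, its .ssh dir and the key file (run with enough privilege to read them)."""
    home = Path(home)
    out = []
    for p in (home, home / ".ssh", home / ".ssh" / key_file):
        st = p.stat()
        out.append((str(p), st.st_uid, st.st_mode))
    return out

# Constructed sample modelled on the ls -al output in the thread: /root is owned
# by uid 5245 while .ssh and authorized_keys are root-owned with tight modes.
ROOT_BROKEN = [
    ("/root", 5245, stat.S_IFDIR | 0o755),
    ("/root/.ssh", 0, stat.S_IFDIR | 0o700),
    ("/root/.ssh/authorized_keys", 0, stat.S_IFREG | 0o600),
]
# george's tree as listed (uid 1000 assumed), which sshd accepted.
GEORGE_OK = [
    ("/home/george", 1000, stat.S_IFDIR | 0o755),
    ("/home/george/.ssh", 1000, stat.S_IFDIR | 0o700),
    ("/home/george/.ssh/authorized_keys", 1000, stat.S_IFREG | 0o600),
]

if __name__ == "__main__":
    for label, entries, uid in (("root", ROOT_BROKEN, 0), ("george", GEORGE_OK, 1000)):
        probs = strict_modes_problems(entries, uid)
        print(label, "OK" if not probs else "; ".join(probs))
```

Run as root against a live box with `strict_modes_problems(collect_entries("/root"), 0)`; the first reported component is the one to chown or chmod, which is quicker than waiting for the rejection to appear in /var/log/auth.log.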
