[ale] Getting root ssh key to work (was Re: [ot] Xmpp, ejabberd question)
Tim Watts
tim at cliftonfarm.org
Fri Jan 13 15:57:38 EST 2012
On Fri, 2012-01-13 at 15:40 -0500, Jim Kinney wrote:
> On Fri, Jan 13, 2012 at 3:28 PM, David Tomaschik
> <david at systemoverlord.com> wrote:
> You should have the public key in a file called authorized_keys on the
> server side.
>
> Yep! Easy tool is called ssh-copy-id <user>@<hostname> will do the
> RightThing (tm) on the remote end.
>
Does root's authorized_keys need to have my public key in order for me
to do "ssh timtw@blueberry" from root?
I can "ssh blueberry" as root using the key I gen'ed but I can't "ssh
timtw@blueberry" as root (get Permission denied (publickey)). Same song
when I tried to "ssh-copy-id timtw@blueberry" as root.
It works when I'm timtw no problem, using my key.
> Also you will need to edit the /etc/ssh/sshd_config file and change
>
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> to
>
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
>
Already had that. I can ssh as timtw with my ssh key no problem.
>
> For the back up process, you will want to put the key in the account
> of the backup user on the far machine (back up data storage system -
> wilma), not root user.
>
>
> David
>
>
> On Fri, Jan 13, 2012 at 3:06 PM, Tim Watts <tim at cliftonfarm.org> wrote:
> > OK, I did an ssh-keygen for root and managed to copy its id_rsa.pub to
> > $host:/root/.ssh. (I have "PasswordAuthentication no" in my sshd_config
> > so can't use ssh-copy-id.) On the target host it shows this:
> >
> > $ sudo ls -l /root/.ssh/
> > total 8
> > -rw-r--r-- 1 root root 396 2012-01-13 14:36 id_rsa.pub
> > -rw-r--r-- 1 root root 884 2010-11-28 13:36 known_hosts
> >
> > On my local machine I have this:
> >
> > # ls -l /root/.ssh
> > total 12
> > -rw------- 1 root root 1743 2012-01-13 14:25 id_rsa
> > -rw-r--r-- 1 root root 396 2012-01-13 14:25 id_rsa.pub
> > -rw-r--r-- 1 root root 884 2009-11-11 06:17 known_hosts
> >
> > The timestamp difference is due to copying it to my home before scp-ing
> > it to the target host.
> >
> > And yet:
> >
> > # ssh timtw@blueberry
> > Permission denied (publickey).
> > # ssh blueberry
> > Permission denied (publickey).
> >
> > My sshd_config has "PermitRootLogin yes". What else could I be missing?
> >
> >
> > On Fri, 2012-01-13 at 13:56 -0500, Jim Kinney wrote:
> >> root user needs to do a keygen and put the pub on wilma.
> >>
> >> On Fri, Jan 13, 2012 at 1:40 PM, Tim Watts <tim at cliftonfarm.org> wrote:
> >> On Fri, 2012-01-13 at 11:51 -0500, Jim Kinney wrote:
> >> > root on fred goes to fredbak on wilma
> >>
> >>
> >> Just to be clear: does this mean that the backup job runs as root but
> >> rsyncs as fredbak (via ssh key) to wilma? As in:
> >>
> >> # rsync $OPTS $SRC fredbak@$TGTHOST:$DST
> >>
> >> I get an error when I try to do something similar:
> >>
> >> OPTS="-az --delete-during --delete-delay -h --progress --stats"
> >>
> >> # rsync $OPTS /etc /home/timtw timtw@blueberry:/home/timtw/backups/dellberry
> >> Permission denied (publickey).
> >> rsync: connection unexpectedly closed (0 bytes received so far) [sender]
> >> rsync error: unexplained error (code 255) at io.c(601) [sender=3.0.7]
> >> #
> >>
> >> I am able to ssh to blueberry via my ssh key when I'm timtw but not as
> >> root. Is my key in the wrong place?
> >>
> >>
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> http://mail.ale.org/mailman/listinfo/ale
> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> http://mail.ale.org/mailman/listinfo
> >>
> >>
> >>
> >>
> >> --
> >> --
> >> James P. Kinney III
> >>
> >> As long as the general population is passive, apathetic, diverted to
> >> consumerism or hatred of the vulnerable, then the powerful can do as
> >> they please, and those who survive will be left to contemplate the
> >> outcome.
> >> - 2011 Noam Chomsky
> >>
> >> http://heretothereideas.blogspot.com/
> >>
> --
>
> David Tomaschik, RHCE, LPIC-1
> System Administrator/Open Source Advocate
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
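An added example, not part of the original thread: the quoted listing shows root's `id_rsa.pub` copied into `/root/.ssh` on the target, but sshd only reads the `authorized_keys` file of the account being logged into, so the key has to be a line in that file. With `PasswordAuthentication no` ruling out `ssh-copy-id`, these POSIX shell functions (names are hypothetical; they assume the `.pub` file has already been copied to the server) check for the key and install it with modes that sshd's default `StrictModes yes` accepts.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# key_blob PUBKEY_FILE: print the base64 blob (second field) of a .pub file.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# key_authorized PUBKEY_FILE AUTH_FILE: succeed only if the blob is a field on
# some line of AUTH_FILE (options placed before the key type do not matter).
key_authorized() {
    blob=$(key_blob "$1") || return 1
    [ -n "$blob" ] && [ -f "$2" ] || return 1
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) ok = 1 }
                      END { exit !ok }' "$2"
}

# loose_perms PATH: succeed if PATH is group- or world-writable, which makes
# sshd (StrictModes yes, the default) refuse to use the authorized_keys file.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# install_pubkey PUBKEY_FILE HOME_DIR: authorize the key for the account whose
# home is HOME_DIR. Idempotent; run it as that account (or chown afterwards).
install_pubkey() {
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    key_authorized "$1" "$auth" || cat "$1" >> "$auth" || return 1
    chmod 600 "$auth"
}
```

For `ssh timtw@blueberry` run as root, the home directory passed to `install_pubkey` is timtw's on blueberry; for `ssh blueberry` run as root it is `/root` on blueberry.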