I'm trying to create a backup script that will, when run, connect to
another computer, and rsync all of its partitions into the local computer.
In order to be able to rsync properly and copy all the files, the user
logging in must be root. However, this poses a problem, as
PermitRootLogin was "no" in sshd_config. So here is how I went about
trying to solve the problem.
First, some names. The source computer is called "dh3". The target
computer is "dh2".
On dh2, I ran:
ssh-keygen -t rsa1
ssh-keygen -t rsa
ssh-keygen -t dsa
I chose the default values for all three, so I have 3 key files in
/root/.ssh/, id_rsa, id_dsa, and identity, each with a corresponding
.pub file. For each key, I chose an empty passphrase.
Then, I copied the .pub files to dh3, and concatenated them all into
/root/.ssh/authorized_keys.
The authorized_keys file contains the three public keys, delimited by
endlines.
Here are the contents of sshd_config on dh3:
dh3:~/.ssh# cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for defails
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2,1
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 600
PermitRootLogin forced-commands-only
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user
PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/lib/sftp-server
Note the use of PermitRootLogin forced-commands-only which should allow
me to ssh in as root, using my keys, as long as I run a command afterwards.
The actual command being run on dh2 (as root) is something to the effect of:
ssh dh3.doggus.com rsync .....
Doing that, or substituting any command instead of rsync, results in dh3
asking me for a password for root@dh3. With the various -v options, more
information is displayed, but I can't really understand any of it.
Why isn't this keypair scheme working?
Some ideas:
1) dh2 is behind a router, whereas dh3 is not. Not sure how this would
affect ssh.
2) The format of authorized_keys on dh3 is incorrect somehow.
Any ideas would be greatly appreciated. Thanks!
-Adar Dembo
PS: I'm not subscribed to debian-user, so please reply directly back to me.
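
Added example (not part of the original post): sshd_config(5) documents PermitRootLogin forced-commands-only as accepting root public-key logins only for keys whose authorized_keys entry carries a command="..." option. The sketch below parses authorized_keys entries, including protocol 1 (rsa1) lines, and reports which keys have a forced command; the sample entries, key material and the wrapper path /usr/local/sbin/backup-rsync are constructed assumptions.

```python
import re

# Tokens that begin an entry with no options field: protocol 2 key types,
# or the bit count of a protocol 1 (rsa1) key.
KEY_TYPES = {"ssh-rsa", "ssh-dss"}
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|\s+|$)')

def parse_entry(line):
    """Split one authorized_keys line into (options, key fields)."""
    line = line.strip()
    first = line.split(None, 1)[0]
    options, pos = {}, 0
    if first not in KEY_TYPES and not first.isdigit():
        while True:
            m = OPTION.match(line, pos)
            if not m:
                raise ValueError("malformed options field: %r" % line[:40])
            options[m.group(1).lower()] = m.group(2) if m.group(2) is not None else True
            pos = m.end()
            if m.group(3) != ",":   # whitespace ends the options field
                break
    return options, line[pos:].split()

def audit(text):
    """Return (line number, key label, forced command or None) per key."""
    report = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, fields = parse_entry(line)
        command = options.get("command")
        report.append((number, fields[-1], command if command is not True else None))
    return report

# Constructed sample: key material is placeholder text, not real keys.
# /usr/local/sbin/backup-rsync is a hypothetical wrapper script.
SAMPLE = '''\
1024 35 1234567890 root@dh2-rsa1
ssh-rsa AAAAconstructedRSA root@dh2-rsa
ssh-dss AAAAconstructedDSA root@dh2-dsa
command="/usr/local/sbin/backup-rsync",no-pty,no-port-forwarding ssh-rsa AAAAconstructedRSA root@dh2-backup
'''

if __name__ == "__main__":
    for number, label, command in audit(SAMPLE):
        verdict = "accepted for root" if command else "refused for root (no command= option)"
        print("line %d %s: %s" % (number, label, verdict))
```

With a forced command in place, sshd runs that command regardless of what the client requests, so the entry should name the exact backup invocation rather than a general shell.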