On Mon, Feb 1, 2010 at 6:49 PM, Warren Michelsen Warren@mdcclxxvi.com wrote:
On Mac OS, in order to allow ssh using dsa keys, I would copy ~/.ssh/id_dsa.pub from my machine into ~/.ssh/authorized_keys of the target machine. I've created .ssh directories in my account home as well as in /root and copied the respective keys to authorized_keys files in each.
Strangely, I can now ssh as root with no password but my own user account still prompts for a password. What might be wrong?
Interestingly, passwordless root ssh log-in worked while 'PermitRootLogin' in /etc/ssh/sshd_config was just 'yes' and before I changed it to 'without-password'.
Check the permission all your top level directories and the .ssh directories and it's files.
Basically, group and other writes are forbidden since it would allow other people to change your keys.
If you're allowing the use of passwords and keys, then it's just falling back to passwords because the permissions are incorrect.
And I presuming the secret key is not encrypted, i.e., you never set a passphrase - hence the root login works without a password since the permissions are correct for key exchange.
Also, on Redhat/Centos/Solaris machines, it's
PermitRootLogin no
or
PermitRootLogin yes
and not
PermitRootLogin without-password
There should be separate entry for passwords
PermitEmptyPasswords no
You have to be barking mad to allow root connections - or any connection - with an empty passwords.
Note, this isn't Mac mailing list so your mileage will vary. Without a sshd_config file it's hard to help you.