[CentOS] ssh prompting for password

Thu Nov 18 06:40:21 UTC 2010
Gordon Messmer <yinyang at eburg.com>

On 11/16/2010 06:19 PM, Kwan Lowe wrote:
> On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris<lists at spuddy.org>  wrote:
>> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
>> normally the default) means that phase is run as the destination user
>> and not as root.
> To clarify, the sshd listener runs as root and then drops privileges
> once the user is authenticated..  The issue is specifically the root
> squash across NFS filesystems which is normally set to disable root
> privs on the mount (that, and noexec).  I.e., even root has no privs
> to validate the shared key.

You are both incorrect.  Key authentication *always* takes place as the 
user requesting login, regardless of the UsePrivilegeSeparation option.

When using UsePrivilegeSeparation, sshd creates a separate process to 
handle the crypto and compression bits (primarily) of incoming traffic, 
in order to prevent privilege escalation.  That option does not affect 
most authentication types (it is documented to interact with UseLogin, 
which is off by default).

I'm not aware of any configuration where root_squash will prevent users 
from authenticating with keys.