Score:0

Why is one of my machines refusing to accept ssh into the root account?

pm flag

I have a cluster of 7 machines. All run Linux; 5 of them running Xubuntu 20.04.5, including all three I'll mention here. All have a root account and one user account. I am the only actual user; this is a hobby.

They are set up largely identically, to keep my life simple. Nevertheless, one of the machines refuses to accept incoming SSH connection to the root account, although connections to the root account are accepted by all of the other 6 hosts. The symptom is just the usual "Permission denied (publickey)."

All account keys are ed25519. There is just one authorized_keys file for root and one for the user, copied to all 7 machines.

For testing and describing this problem with some precision, I focused on three machines. One was the host that refused connections, one was going to attempt the connection, and the third was for comparison. Let's call the machines c, p and g (so that I can keep them straight). I logged into root on p and could from there log into root on g but not to c. I compared some files on g and c, and found them identical: /root/.ssh/authorized_keys /etc/sshd_config and all 3 files in /etc/ssh/sshd_config.d; moreover, all of these files were owned by root.

Meanwhile, g could log into the user account on c, both from its own root and its own user accounts, thus affirming that the SSH server on c is functioning.

One oddity that deserves note: when I ran ssh -vvv c on p, the output said it was trying two different private keys, but in both cases then said no such identity. Neither of them was the identity that does exist: /root/.ssh/id_ed25519. It tried id_ed25519_sk and id_xmss. Since the config files all match, and connection works via id_ed25519 to the user account, I have no idea why it skips that one.

The question: where else can I look for a difference that may be causing this? Something is.
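Two places the question does not yet compare are the *effective* sshd configuration (what the daemon actually resolved after `Include`d files and `Match` blocks, which `sudo sshd -T` prints) and the file *modes* rather than just the ownership of `/root`, `/root/.ssh` and `authorized_keys`, which sshd checks when `StrictModes` is on; a refusal there shows up only in the server's `/var/log/auth.log` ("Authentication refused: bad ownership or modes for directory ..."), never in the client's `-vvv` output. The script below is an added example, not code from this thread or from OpenSSH: it parses `sshd -T` text, lists the login-relevant directives that differ between two hosts, applies the rules that can reject a root key before the key is examined, and replays the StrictModes mode check. The `sshd -T` excerpts and stat data are constructed (host c gets a group-writable `/root/.ssh` to show the failure mode); the helper names are mine.

```python
"""Added example (not code from the Ask Ubuntu thread): compare the effective
sshd directives that govern a root public-key login on two hosts, and check the
file modes that StrictModes enforces. All inputs are constructed inline so the
script runs offline; on a real host, feed parse_sshd_t() the output of
`sudo sshd -T` and strictmodes_problems() values taken from os.stat()."""
import stat

# Effective directives that decide whether `ssh root@host` with a key succeeds.
RELEVANT = (
    "permitrootlogin", "pubkeyauthentication", "authorizedkeysfile",
    "allowusers", "denyusers", "allowgroups", "denygroups", "strictmodes",
    "authenticationmethods", "pubkeyacceptedalgorithms",
)


def parse_sshd_t(text):
    """Parse `sshd -T` output into {keyword: value}. sshd -T prints keywords in
    lower case and list-valued keywords (allowusers, ...) one element per line,
    so repeated keywords are joined with spaces."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        conf[key] = f"{conf[key]} {value}" if key in conf else value
    return conf


def diff_relevant(conf_a, conf_b):
    """Return [(keyword, value_a, value_b)] for RELEVANT keywords whose
    effective values differ; an empty list means the sshd side looks alike."""
    return [
        (k, conf_a.get(k, "<unset>"), conf_b.get(k, "<unset>"))
        for k in RELEVANT
        if conf_a.get(k, "<unset>") != conf_b.get(k, "<unset>")
    ]


def root_pubkey_allowed(conf, user="root"):
    """Apply the sshd rules that reject a public-key login before the key is
    even looked at. Assumption: AllowUsers/DenyUsers hold plain user names (no
    user@host or wildcard patterns) and Match blocks were already resolved by
    `sshd -T -C user=root,addr=...`. Returns (allowed, reason)."""
    if conf.get("pubkeyauthentication", "yes") != "yes":
        return False, "PubkeyAuthentication is off"
    if user == "root" and conf.get("permitrootlogin", "prohibit-password") == "no":
        return False, "PermitRootLogin no"
    if user in conf.get("denyusers", "").split():
        return False, f"{user} is listed in DenyUsers"
    allow = conf.get("allowusers", "").split()
    if allow and user not in allow:
        return False, f"AllowUsers is set but does not list {user}"
    return True, "ok"


def strictmodes_problems(entries, home, uid):
    """Mimic the check sshd performs with StrictModes yes: authorized_keys,
    ~/.ssh and every directory up to and including the home directory must be
    owned by the user or root and must not be group- or world-writable.
    `entries` maps path -> (owner_uid, mode); returns the paths sshd would
    refuse. Only paths under `home` are considered (a simplification)."""
    bad = []
    for path, (owner, mode) in entries.items():
        if not path.startswith(home):
            continue
        if owner not in (uid, 0) or mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(path)
    return sorted(bad)


# Constructed `sshd -T` excerpts: g (works) and c (refuses root) are identical,
# as the question reports. sshd -T may print the legacy spelling
# "without-password" for prohibit-password; both are accepted above.
SSHD_T_G = """\
permitrootlogin prohibit-password
pubkeyauthentication yes
strictmodes yes
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
allowusers root
allowusers user
"""
SSHD_T_C = SSHD_T_G

# Constructed stat data: same ownership (root) on both hosts, but /root/.ssh on
# c is group-writable, which StrictModes rejects with no client-side hint.
FILES_G = {"/root": (0, 0o700), "/root/.ssh": (0, 0o700),
           "/root/.ssh/authorized_keys": (0, 0o600)}
FILES_C = {"/root": (0, 0o700), "/root/.ssh": (0, 0o770),
           "/root/.ssh/authorized_keys": (0, 0o600)}

if __name__ == "__main__":
    g, c = parse_sshd_t(SSHD_T_G), parse_sshd_t(SSHD_T_C)
    print("config differences:", diff_relevant(g, c))
    print("root allowed on c:", root_pubkey_allowed(c))
    print("StrictModes problems on g:", strictmodes_problems(FILES_G, "/root", 0))
    print("StrictModes problems on c:", strictmodes_problems(FILES_C, "/root", 0))
```

On a real pair of hosts the workflow is: run `sudo sshd -T -C user=root,addr=<client-ip>` on both, feed the two outputs to `parse_sshd_t`, and only then compare; then `stat -c '%U %a %n' /root /root/.ssh /root/.ssh/authorized_keys` on each host for the StrictModes check. If both come back clean, the server's auth log is the next place that states the reason for a `Permission denied (publickey)`.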

Nmath avatar
ng flag
How did you configure ssh to accept root logins? By default, Ubuntu does not allow it for security.
hr flag
@Nmath it prohibits *password-based* root login by default, but afaik permits public key authentication (`PermitRootLogin prohibit-password`)
guiverc avatar
cn flag
Don't forget you're describing a feature that is *disabled* by default; meaning the *odd* machine out is still following default procedures, so it's likely the others were amended to perform differently (as you want), with the *odd* machine being skipped with your configurations (*being its behavior is the Ubuntu/Xubuntu default*).
Nmath avatar
ng flag
@steeldriver You're right. If if were not for the other boxes, I would guess there's some other barrier related to logging in as root, since Ubuntu is not really designed for root logins. Ex. [Why does Ubuntu have a disabled root account?](https://askubuntu.com/q/687249) & [Why is it bad to log in as root?](https://askubuntu.com/q/16178)
ForDummies avatar
pm flag
They all have additions to `/etc/ssh/sshd_config.d` including `AllowedUsers root user` where "user" is my actual login name. I have a convenient workstation for only one of them, so I prefer to have the ability to switch machines easily. I've never been a fan of 'sudo', preferring my own macro 'sume' which switches me to root for a whole session.
hr flag
@ForDummies have you run the failing ssh command with increased verbosity (`-v` or `-vv` or `-vvv`)? There should be quite a lot more diagnostic information available including which key(s) are being offered and so on
ForDummies avatar
pm flag
I've been writing computer programs since before many machines had enough memory for an OS at all -- before the "byte" was a thing. I hope you'll forgive me for being comfortable where the action is.
ForDummies avatar
pm flag
Thanks for the suggestion to try -v and -vvv; I had done so but not kept the results. So I tried again, and see that p offers `/root/.ssh/id_ed25519` in packet type 50 and gets back packet type 51, then proceeds to fail. On a machine that succeeds, the packet that is returned is type 52. No further details seem to be given. I take this as support for the idea that the crucial difference is in machine c. I just can't tell what that difference is.
Score:0
pm flag

Not getting much response here, I may have to do what I dread.

There is always the hard way, and I've done it more than a few times. Sometimes it's called "bifurcation", other times it's called "start over". And by that I mean install the same Linux in a different partition. Install ssh-server and configure its SSH just like one of the other machines. See if it accepts incoming root SSH connections. If so, I'll know the rest will work, albeit very tediously.

The rest is to step-by-step try to recreate the failed system, testing SSH at every step. Either it will begin to fail — which will give a clue as to where the problem was — or else everything goes smoothly. In the latter case, I will not have learned the answer to this question, but it won't matter any more — I'll just use the new install.

When I'm done, I may mark this answer accepted. We'll just have to see.
