Bug 886091 - Disallow root SSH public key authentication
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Depends On:
Blocks: 895654
Reported: 2012-12-11 08:52 EST by Jakub Hrozek
Modified: 2015-05-12 07:04 EDT (History)

See Also:
Fixed In Version: sssd-1.9.2-57.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2013-02-21 04:42:33 EST
External Trackers:
Red Hat Product Errata RHSA-2013:0508 (priority normal, status SHIPPED_LIVE): Low: sssd security, bug fix and enhancement update (last updated 2013-02-20 16:30:10 EST)
Description Jakub Hrozek 2012-12-11 08:52:20 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1687

pam_sss does not allow users named "root" to authenticate. Do the same thing for SSH by rejecting public key requests for users named "root" in sss_ssh_authorizedkeys.
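As an added illustration (this is not SSSD's code), here is the check the description asks for, written as a minimal AuthorizedKeysCommand-style helper in the spirit of sss_ssh_authorizedkeys. The key store is a constructed in-memory mapping standing in for the keys SSSD would fetch from the IPA server, and the function names, the exit-status convention and the sample users are this example's own assumptions. It keeps the unfiltered lookup alongside the filtered one so the "before patch" and "after patch" behaviour can be compared.

```python
"""Added example: refuse to hand sshd any public keys for a user named "root".

sshd resolves the login name against the local account, so a key attached to a
directory entry named "root" (even one with a non-zero UID, as in this bug's
reproducer) would authenticate the local uid 0 account. The helper therefore
returns nothing for that name regardless of what the directory holds.
"""
import sys

# Constructed sample data standing in for what SSSD would fetch from IPA.
# The "root" entry mirrors the reproducer: a directory user named root with
# a non-zero UID whose key would otherwise be offered for the local root account.
DIRECTORY = {
    "alice": {"uid": 1192200001,
              "keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexamplealice alice@example.com"]},
    "root":  {"uid": 1192200011,
              "keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexamplefake root@localhost"]},
}


def lookup_keys(user, directory=DIRECTORY):
    """Raw key lines stored for user, or [] if unknown: the 'before patch' behaviour."""
    entry = directory.get(user)
    return list(entry["keys"]) if entry else []


def authorized_keys_for(user, directory=DIRECTORY):
    """Keys the helper is willing to hand to sshd: the 'after patch' behaviour.

    The name check comes first so a directory entry named root is refused
    outright, before any lookup. Malformed lines are dropped rather than
    passed on for sshd to parse.
    """
    if user == "root":
        return []
    keys = []
    for line in lookup_keys(user, directory):
        parts = line.split()
        # a usable line is "<type> <base64> [comment]" with a known key-type prefix
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")):
            keys.append(line)
    return keys


def main(argv):
    """CLI shape of an AuthorizedKeysCommand helper: keys on stdout, one per line.
    Exit status 1 when no keys are offered is this example's choice, not SSSD's."""
    if len(argv) != 2:
        print("usage: fake_sss_ssh_authorizedkeys USER", file=sys.stderr)
        return 2
    keys = authorized_keys_for(argv[1])
    for key in keys:
        print(key)
    return 0 if keys else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 fake_sss_ssh_authorizedkeys.py root` and nothing is printed, while `lookup_keys("root")` still shows the key the directory holds; that difference is exactly what the reproducer in the comments below exercises.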
Comment 1 Jakub Hrozek 2012-12-11 12:19:41 EST
How to test from Honza:

$ ipa user-add root --first Fake --last Root --sshpubkey="`cat .ssh/id_rsa.pub`"
...
  UID: 1192200011
...

$ ssh root@localhost
Last login: Mon Dec 10 04:46:42 2012 from somewhere.example.com
# id
uid=0(root) gid=0(root) groups=0(root)
Comment 2 Jakub Hrozek 2012-12-19 12:02:19 EST
To amend the How To Test: what I wrote in comment #1 was the "before patch" behaviour. After the SSSD is patched, you shouldn't be able to log in with your public key.
Comment 4 Kaleem 2013-01-31 00:55:48 EST
I still see the "before patch" behaviour; I am able to log in with a public key.

[root@rhel64master ~]# ipa user-find --login=root
--------------
1 user matched
--------------
  User login: root
  First name: Fake
  Last name: Root
  Home directory: /home/root
  Login shell: /bin/sh
  Email address: root@testrelm.com
  UID: 1114200003
  GID: 1114200003
  Account disabled: False
  Password: False
  Kerberos keys available: False
  SSH public key fingerprint: E0:25:07:C3:96:93:75:F8:1D:05:C2:95:A7:1C:22:BD root@localhost (ssh-rsa)
----------------------------
Number of entries returned 1
----------------------------
[root@rhel64master ~]# ssh root@localhost
Last login: Thu Jan 31 00:49:12 2013 from localhost
[root@rhel64master ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel64master ~]# logout
Connection to localhost closed.
[root@rhel64master ~]# 
[root@rhel64master ~]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
[root@rhel64master ~]#
Comment 5 Jan Cholasta 2013-01-31 07:28:43 EST
That's because you authenticated by some other means (either GSSAPI or public key authentication with a key found in an authorized_keys file).

Make sure the file /root/.ssh/authorized_keys does not exist on rhel64master and either run kdestroy before running ssh or run ssh with "-o GSSAPIAuthentication=no".

You can check that SSSD is in fact not offering sshd any public keys for root by running "sss_ssh_authorizedkeys root".
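An added example, not from the page or from SSSD, that turns the verification steps in comment 5 into a pre-flight check for the tester: it reports each condition that could let root in by a path other than an SSSD-supplied key (a local authorized_keys file, a cached Kerberos ticket, SSSD still offering keys for root) and builds an ssh invocation that can only succeed through public key authentication. The command names and paths are the ones on the page; the `klist -s` exit-status semantics and the extra ssh options beyond `-o GSSAPIAuthentication=no` are assumptions noted in the comments, and the subprocess runner and path check are injectable so the logic can be exercised with constructed results.

```python
"""Added example: pre-flight checks for the 'root cannot log in by public key' test.

A refused login only proves the SSSD fix if no other authentication path is
open. This mirrors the advice in comment 5: remove root's local
authorized_keys, drop Kerberos credentials (or disable GSSAPI for the probe),
and confirm sss_ssh_authorizedkeys root prints nothing.
"""
import os
import subprocess

# Local files sshd consults before asking any AuthorizedKeysCommand.
# authorized_keys2 is included because the harness in this bug copied a key there too.
LOCAL_KEY_FILES = ("/root/.ssh/authorized_keys", "/root/.ssh/authorized_keys2")


def _run(cmd):
    """Run cmd and return (returncode, stdout). Kept separate so tests can substitute fakes."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def preflight(run=_run, exists=os.path.exists):
    """Return the reasons a root login test could pass or fail for the wrong reason.

    An empty list means the only path left open is the SSSD-supplied key,
    which is the path the fix is meant to close.
    """
    problems = []
    for path in LOCAL_KEY_FILES:
        if exists(path):
            problems.append(f"{path} exists; sshd will honour keys in it before asking SSSD")
    # Assumption (MIT krb5): klist -s exits 0 when a usable credential cache is present.
    rc, _ = run(["klist", "-s"])
    if rc == 0:
        problems.append("a Kerberos ticket is cached; GSSAPI could log root in "
                        "(run kdestroy or pass -o GSSAPIAuthentication=no)")
    # The check named in comment 5: SSSD must offer no keys for root.
    _, out = run(["sss_ssh_authorizedkeys", "root"])
    offered = [line for line in out.splitlines() if line.strip()]
    if offered:
        problems.append(f"SSSD still offers {len(offered)} key(s) for root; the fix is not in effect")
    return problems


def ssh_probe_command(host="localhost"):
    """ssh invocation that can only succeed via public key, so a refusal is meaningful.

    GSSAPIAuthentication=no is from comment 5; PasswordAuthentication=no and
    BatchMode=yes are added here so no password prompt can mask the result.
    """
    return ["ssh", "-o", "GSSAPIAuthentication=no", "-o", "PasswordAuthentication=no",
            "-o", "BatchMode=yes", f"root@{host}", "id"]


if __name__ == "__main__":
    issues = preflight()
    for issue in issues:
        print("WARN:", issue)
    if not issues:
        print("preconditions OK; now run:", " ".join(ssh_probe_command()))
```

With the preconditions satisfied, "Permission denied (publickey,...)" from the probe command is evidence that SSSD withheld the key; without them, the same output (or a successful login) says nothing about SSSD, which is what happened in comment 4.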
Comment 7 Kaleem 2013-02-04 05:37:24 EST
Verified.

sssd and ipa-server version:
============================
[root@rhel64master ~]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-25.el6.x86_64
[root@rhel64master ~]#

I realized that it was authenticated by public key authentication, as the key existed in /root/.ssh/authorized_keys.

The installation scripts were copying that key.

cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
cp /root/.ssh/id_dsa.pub /root/.ssh/authorized_keys2
cp -f ./id_rsa_global.pub /dev/shm/.
cp -f ./id_rsa_global /dev/shm/.
cp -f ./known_hosts /dev/shm/.
chmod 755 /dev/shm/*.sh
chmod 600 /root/.ssh
chmod 600 /root/.ssh/id*
chmod 600 /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys2
./runtest.sh

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: list files in /dev/shm
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

I tried again after installing ipa-server manually and removing authorized_keys; root SSH public key authentication is not successful now.

[root@rhel64master ~]# ipa user-add root --first Fake --last Root --sshpubkey="`cat .ssh/id_rsa.pub`"
-----------------
Added user "root"
-----------------
  User login: root
  First name: Fake
  Last name: Root
  Full name: Fake Root
  Display name: Fake Root
  Initials: FR
  Home directory: /home/root
  GECOS field: Fake Root
  Login shell: /bin/sh
  Kerberos principal: root@TESTRELM.COM
  Email address: root@testrelm.com
  UID: 1165000001
  GID: 1165000001
  SSH public key: ssh-rsa
                  AAAAB3NzaC1yc2EAAAABIwAAAQEAx0Hg3CZIzizMIohZydE5+cSgIyByWmD0r/J5+k2P0AveG4i5lVFhcuMasK6VYBKSrFxSgpgkw5M82Ven2lyDpFoPbPJFE8KW6eLoRPCYPO+BBaI2j9t90HueoT2y1NBrKo0QTk5fCSSGN3kKuMUCgcqQw/9ea39dFAI96szAVfk+Y1eg1E84iOg1a/usFft0r+UuOd6bxzu/1lDHo522tIhiQCKAAyxOGij3w6Zw4mfFu/99l3LKm+ACAFpeAWkJqCjfku2WIkE1qo4+lU+8SIKpFkhJIjl9JnG/9ecuMWAhiZq9Ny4lypXogbVOPZThd2nAP3x+//t7+Vrq+VXjCQ==
                  root@epsilon.dsdev.sjc.redhat.com
  Password: False
  Kerberos keys available: False
  SSH public key fingerprint: E0:25:07:C3:96:93:75:F8:1D:05:C2:95:A7:1C:22:BD root@epsilon.dsdev.sjc.redhat.com (ssh-rsa)
[root@rhel64master ~]# ssh root@localhost
root@localhost's password: 

[root@rhel64master ~]#

Beaker execution log:
=====================
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
:: [   PASS   ] :: Running 'ipa-server-install --setup-dns --forwarder=10.14.63.12 --hostname=dell-pe1955-01.testrelm.com -r TESTRELM.COM -p Secret123 -P Secret123 -a Secret123 -U'
:: [   PASS   ] :: Running 'rm -rf /root/.ssh/auth*'
Password for admin@TESTRELM.COM: 
:: [   PASS   ] :: Running 'echo Secret123|kinit admin'
-----------------
Added user "root"
-----------------
  User login: root
  First name: Fake
  Last name: Root
  Full name: Fake Root
  Display name: Fake Root
  Initials: FR
  Home directory: /home/root
  GECOS field: Fake Root
  Login shell: /bin/sh
  Kerberos principal: root@TESTRELM.COM
  Email address: root@testrelm.com
  UID: 481200001
  GID: 481200001
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAx0Hg3CZIzizMIohZydE5+cSgIyByWmD0r/J5+k2P0AveG4i5lVFhcuMasK6VYBKSrFxSgpgkw5M82Ven2lyDpFoPbPJFE8KW6eLoRPCYPO+BBaI2j9t90HueoT2y1NBrKo0QTk5fCSSGN3kKuMUCgcqQw/9ea39dFAI96szAVfk+Y1eg1E84iOg1a/usFft0r+UuOd6bxzu/1lDHo522tIhiQCKAAyxOGij3w6Zw4mfFu/99l3LKm+ACAFpeAWkJqCjfku2WIkE1qo4+lU+8SIKpFkhJIjl9JnG/9ecuMWAhiZq9Ny4lypXogbVOPZThd2nAP3x+//t7+Vrq+VXjCQ== root@localhost
  Password: False
  Kerberos keys available: False
  SSH public key fingerprint: E0:25:07:C3:96:93:75:F8:1D:05:C2:95:A7:1C:22:BD root@localhost (ssh-rsa)
:: [   PASS   ] :: Running 'ipa user-add root --first Fake --last Root --sshpubkey="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAx0Hg3CZIzizMIohZydE5+cSgIyByWmD0r/J5+k2P0AveG4i5lVFhcuMasK6VYBKSrFxSgpgkw5M82Ven2lyDpFoPbPJFE8KW6eLoRPCYPO+BBaI2j9t90HueoT2y1NBrKo0QTk5fCSSGN3kKuMUCgcqQw/9ea39dFAI96szAVfk+Y1eg1E84iOg1a/usFft0r+UuOd6bxzu/1lDHo522tIhiQCKAAyxOGij3w6Zw4mfFu/99l3LKm+ACAFpeAWkJqCjfku2WIkE1qo4+lU+8SIKpFkhJIjl9JnG/9ecuMWAhiZq9Ny4lypXogbVOPZThd2nAP3x+//t7+Vrq+VXjCQ== root@localhost"'
spawn ssh -o StrictHostKeyChecking=no root@localhost
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

root@localhost's password: 
Permission denied, please try again.

root@localhost's password: 
Permission denied, please try again.

root@localhost's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

:: [   PASS   ] :: BZ-886091 is not found : root SSH public key authentication is disallowed
Comment 8 errata-xmlrpc 2013-02-21 04:42:33 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
