I needed to quickly enable SSH as root to rsync a load of data. Yes, I
know there are far better ways to do it, and I know that enabling SSH
for root is a bad idea, and lazy, and normally I’d agree, but I needed
to do it. Anyway, it’s on a private lab network.
So, I opened
/etc/ssh/sshd_config and changed
yes. I refreshed the SSH service, and tried to run a remote command
as root, and it wouldn’t let me.
sshd_config man page told me I had to comment the
/etc/default/login, just like you had to do for
the old days. So I did that, and still no dice.
I cranked up the
sshd logging, and saw that:
Dec 6 17:24:40 hp-bk-01 sshd: [ID 800047 local0.debug] debug1: PAM conv function returns PAM_SUCCESS
Dec 6 17:24:40 hp-bk-01 sshd: [ID 800047 local0.info] Keyboard-interactive (PAM) userauth failed while authorizing: Permission denied
Dec 6 17:24:40 hp-bk-01 sshd: [ID 800047 local0.info] Failed keyboard-interactive for root from 192.168.1.21 port 43885 ssh2
Dec 6 17:24:40 hp-bk-01 sshd: [ID 800047 local0.debug] debug1: userauth-request for user root service ssh-connection method keyboard-interactive
Dec 6 17:24:40 hp-bk-01 sshd: [ID 800047 local0.debug] debug1: attempt 2 initial attempt 1 failures 1 initial failures 1
Ah, PAM. Right. This is where it starts to get murky for me. Remember
that for some time now Sun have been trying to turn us all off root,
making it a role and all that crap. You need to tell PAM that root is
still a user by sticking the following in
sshd-kbdint account required pam_unix_account.so.1
UPDATE: I had a devil of a job with one box only accepting interactive
logins. It looks like things have changed in Solaris 11.1, so to use
authorized_keys and whatnot, you’ll also have to have
sshd-pubkey account required pam_unix_account.so.1
Then, in combination with the other stuff, you can run SSH commands as root. So now you know how to do it, don’t do it.
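
A read-only check for the settings this post changes, handy for auditing which lab boxes still allow root over SSH. This is an added example, not the author's code; `PermitRootLogin`, the `CONSOLE=` line and `/etc/pam.conf` are the standard Solaris names, assumed here because the post does not spell them out, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: report whether the root-over-SSH changes from the post are present.
# Assumed standard Solaris names (not spelled out in the post): PermitRootLogin,
# CONSOLE= in /etc/default/login, /etc/pam.conf. Needs POSIX awk and grep.

# Effective PermitRootLogin value: the first uncommented occurrence, else "unset".
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

# True when an uncommented CONSOLE= line is still present in the login defaults.
console_locked() {
    grep '^[[:space:]]*CONSOLE=' "$1" >/dev/null 2>&1
}

# True when service $2 has an account line using pam_unix_account in pam.conf $1.
pam_account_set() {
    grep "^[[:space:]]*$2[[:space:]][[:space:]]*account[[:space:]].*pam_unix_account" \
        "$1" >/dev/null 2>&1
}

# Print one summary line; root_ssh lists the methods the post's changes enable.
audit_root_ssh() {   # $1 sshd_config  $2 default/login  $3 pam.conf
    prl=$(permit_root_login "$1")
    lock=no; console_locked "$2" && lock=yes
    kbd=no;  pam_account_set "$3" sshd-kbdint && kbd=yes
    pub=no;  pam_account_set "$3" sshd-pubkey && pub=yes
    methods=""
    if [ "$prl" = yes ] && [ "$lock" = no ]; then
        [ "$kbd" = yes ] && methods="keyboard-interactive"
        [ "$pub" = yes ] && methods="${methods:+$methods,}publickey"
    fi
    echo "PermitRootLogin=$prl console_lock=$lock sshd-kbdint=$kbd sshd-pubkey=$pub root_ssh=${methods:-none}"
}

# Usage: sh audit.sh /etc/ssh/sshd_config /etc/default/login /etc/pam.conf
if [ $# -eq 3 ]; then
    audit_root_ssh "$@"
fi
```

Any value other than `none` in the `root_ssh` field means the host is still in the state this post sets up and is worth reverting once the copy is done.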