# Unable to login as root in ssh



## ashvinsivram (Apr 27, 2009)

Hi All,

I am unable to login as root when I am using ssh to this FreeBSD 7.1 server. Already configured the /etc/ssh/sshd_config still the issue persists. I am able to login on the local machine but not from the remote computer.


Please help!!

Thanks & Regards,

Ashwin


----------



## gilinko (Apr 27, 2009)

Have you restarted the sshd server (/etc/rc.d/sshd restart) after you made the configuration changes?

And just to be on the safe side: enabling root to login via ssh is "a bad thing"(tm).


----------



## ale (Apr 27, 2009)

You should login as normal user then use _su -_ or _sudo_.


----------



## mousaka (Apr 27, 2009)

There is an option *PermitRootLogin* in sshd_config to allow login for root. But I strongly recommend not to use this for security reasons.
Instead use su or sudo as already mentioned by ale.

mousaka


----------



## ashvinsivram (Apr 27, 2009)

Yes, I have restarted the sshd (/etc/rc.d/sshd restart) and have no plans to use su in FreeBSD. Previously I have configured some file like (/etc/local) not sure, was working fine before. I am able to ssh from localhost not from another units.


----------



## SirDice (Apr 27, 2009)

Which openssl are you running? The one in the base OS? Or the one installed via a port/package?


----------



## DutchDaemon (Apr 27, 2009)

Openssl?


----------



## DutchDaemon (Apr 27, 2009)

What does 'not being able to login' look like? No connection to the server, or endless username/password questions?

BTW, 'not planning to use su' is saying goodbye to one of the most important security features in FreeBSD. Don't come asking for help when someone grabs root on your machine.


----------



## ashvinsivram (Apr 27, 2009)

First of all I want to say Thanks to all, for the quick reply!!!


I didn't install openssh. I am using the one that was installed by the OS.

Regards,

Ashwin


----------



## DutchDaemon (Apr 27, 2009)

The sshd installed by the OS *is* OpenSSH.


----------



## phoenix (Apr 27, 2009)

First, don't do this.    Never login directly as root across a network connection.

Second, you really don't want to do this.  

Third, if, for some bizarre reason, you are absolutely sure you want to do this, and give up one of the most important security features of the OS, then edit */etc/ssh/sshd_config*, enable the *PermitRootLogin* option, then run */etc/rc.d/sshd reload* to activate the change.  Check the output of *netstat -an|grep 22* to make sure it's running and LISTENing.  Then try to connect remotely.

Fourth, you really should look into using SSH keys.  Then you can create a key-pair for root, and change the *PermitRootLogin* option in sshd_config to *without-password*.  That enables root logins via SSH *but only using SSH keys*.  Normal password logins are not allowed.  It's the least of all evils, if you are bound and determined to use remote root logins.

And, last, you really should not do this.  :h


----------



## SirDice (Apr 27, 2009)

DutchDaemon said:
			
		

> Openssl?



I meant OpenSSH of course :r


----------



## MG (Apr 27, 2009)

DutchDaemon said:
			
		

> What does 'not being able to login' look like? No connection to the server, or endless username/password questions?
> 
> BTW, 'not planning to use su' is saying goodbye to one of the most important security features in FreeBSD. Don't come asking for help when someone grabs root on your machine.



What's the difference between a clean root login and a root login (su) from within the shell of a wheel member? You are root after being logged in normally and you are the same root after having done a su command.


----------



## anomie (Apr 27, 2009)

MG said:
			
		

> What's the difference between a clean root login and a root login (su) from within the shell of a wheel member? You are root after being logged in normally and you are the same root after having done a su command.



Another layer of security: An extra hurdle, more warning signs in the logs, and potentially a lot of extra time for you to detect an attacker.


----------



## DutchDaemon (Apr 27, 2009)

The fact that you have to enter a password twice should give something away about security layers .. It buys you that much more time to take action, and the fact that the attacker doesn't know who's in the wheel group before he manages to crack an account will put su out of reach if he didn't get it right the first time. Three layers (account -> wheel -> su), even more time.


----------



## anomie (Apr 27, 2009)

@MG: I also forgot to add one detail -- everyone knows there is an account called 'root' on a *nix system. Good target for brute force. Not everyone knows there is an account called 'mrbig'.


----------



## MG (Apr 27, 2009)

All right, I'm starting to get it...
But when I change my root shell to sdkjhfskjh I can't su from another user so the root account is still needed and still needs a shell to be set.
What does work is sudo bash. Then I become root running a bash shell. But the sudo port is needed. Maybe this also works when root does not exist, but I find it a bit risky to try that out. At least a few system processes will complain about that.


----------



## ashvinsivram (Apr 27, 2009)

I don't know what you people are talking about??? DutchDaemon was correct...
People please help me!!!! If you are talking something else please give me reference....


----------



## MG (Apr 27, 2009)

Sorry, I got off-topic.
Can you login via ssh with a regular user?
What happens exactly when you try to login via ssh as root?
Does it help if you rename the ~/.ssh dir (where your public keys are stored.)
Do /var/log/messages or /var/log/auth.log on the server say anything?


----------



## ashvinsivram (Apr 27, 2009)

Hey Bro,

I am able to login like ssh localhost as root. But I am not able to login from my Ubuntu server...


----------



## SirDice (Apr 28, 2009)

Run both the server (sshd on fbsd) and the client (ssh on ubuntu) with the -v switch. The clue why it's not working will be in the logging.

If you can't figure it out yourself, please post those log files. If you don't post them we'll be guessing until next Christmas and it still won't work.

We're good (I know I am :e) but we can't see what's happening on your screen and we can't read your mind.


----------



## ashvinsivram (Apr 28, 2009)

Hi SirDice,

I am newbie to this FreeBSD. But last month I had the same issue, but apart from sshd_config I configured some other file. I don't know the exact file name I remember it's like (/etc/local) something like that, but I remember local... Because, ssh_config will allow the root to login in ssh but there is something which not allowing me to login in other tty... I hope you understand.. If you want the log file, explain me how to access it I will post it here..


----------



## anomie (Apr 28, 2009)

@ashvinsivram: Looking back at your posts I have to concur that we have next to nothing to go on to (try to) help you. Please clearly answer each of the following: 

1. Are you able to ssh from your Ubuntu box to your FreeBSD server as any user? Is only root having issues?
2. What are the IP addresses and subnets associated with each box? (Post the output of `# ifconfig` if you are not sure.)
3. Can you ping from the Ubuntu box to the FreeBSD server?
4. Is port 22 on the FreeBSD server open to the Ubuntu box? (From the Ubuntu box, run `# nc -zvw 1 freebsd.ip.here 22` and post the output if you are not sure.)
5. Are you running a packet filtering firewall on your FreeBSD server? (Post the output of `# kldstat` if you are not sure.)
6. Is sshd listening on an external interface on the FreeBSD server? (Post the output of `# sockstat -4l` if you are not sure.)

(Once these basics are out of the way, there will probably be more questions.)


----------



## tangram (Apr 28, 2009)

You said you were unable to login from a remote computer but could login from the local network...Did you Port Forward SSH's port to target IP address?


----------



## MG (Apr 28, 2009)

ashvinsivram said:
			
		

> Hi SirDice,
> 
> I am newbie to this FreeBSD. But last month I had the same issue, but apart from sshd_config I configured some other file. I don't know the exact file name I remember it's like (/etc/local) something like that, but I remember local... Because, ssh_config will allow the root to login in ssh but there is something which not allowing me to login in other tty... I hope you understand.. If you want the log file, explain me how to access it I will post it here..



I usually don't say this on a forum, but it looks like you definitely need to read some docs about FreeBSD or UNIX. Configuring sshd without knowing how to read your log files tells me you are learning things in the wrong order. First find your way around in userland, then start configuring and installing things.
If you seriously want to learn FreeBSD, get rid of all your other operating systems and force yourself to get things done in FreeBSD. I did it and it works the best.

/etc/local is not a default FreeBSD directory.

/etc contains config files of the base system and /usr/local/etc contains config files of any installed apps.
Your log files are in /var/log. You can read them with the command

```
cat filename | more
```
or with the ee editor.

Please try to login on ssh and post the last 20 lines of both /var/log/messages and /var/log/auth.log
It would be nice to also post the things Ubuntu says to you when trying to log in.


----------



## ashvinsivram (Apr 29, 2009)

anomie: Answering to your questions.

1. Yes, I am able to ssh from your Ubuntu box to your FreeBSD server as normal user.

2. From FreeBSD:

```
FreeBSD# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=8<VLAN_MTU>
       ether 00:11:09:13:22:d1
       inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
       media: Ethernet autoselect (100baseTX <full-duplex>)
       status: active
```
  From Ubuntu:

```
wlan0     Link encap:Ethernet  HWaddr 00:16:ea:d6:10:a0  
          inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:eaff:fed6:10a0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2088 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1744895 (1.7 MB)  TX bytes:363369 (363.3 KB)
```
3.  

```
ashwin@Ubuntu-laptop:~$ ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.750 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.835 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.829 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.826 ms
64 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=0.822 ms
^C
--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.750/0.812/0.835/0.040 ms
```

4. 

```
ashwin@Ubuntu-laptop:~$ nc -zvw 1 192.168.1.3 22
192.168.1.3: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.1.3] 22 (ssh) open
ashwin@Ubuntu-laptop:~$ ssh 192.168.1.3
Password:
```
5. 

```
FreeBSD# kldstat
Id Refs Address    Size     Name
 1   12 0xc0400000 97f830   kernel
 2    1 0xc0d80000 6a2c4    acpi.ko
 3    1 0xc3116000 22000    linux.ko
 4    1 0xc3393000 6000     i915.ko
 5    1 0xc3399000 f000     drm.ko
FreeBSD#
```
6. 

```
FreeBSD# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     inetd      774   5  tcp4   *:21                  *:*
root     inetd      774   6  tcp4   *:23                  *:*
root     inetd      774   8  tcp4   *:513                 *:*
root     sendmail   745   3  tcp4   127.0.0.1:25          *:*
root     sshd       739   4  tcp4   *:22                  *:*
root     syslogd    590   7  udp4   *:514                 *:*
FreeBSD#
```


----------



## ashvinsivram (Apr 29, 2009)

MG:

You are really correct! Thanks for your advice. I am doing the same mistake. I am working on HP-UX. Due to hardware I am unable to use UX at home. So, at home first started with Solaris, then Debian, then FreeBSD, then Ubuntu, now again back to FreeBSD. 

Now, I decided as you said "you seriously want to learn FreeBSD, get rid of all your other operating systems and force yourself to get things done in FreeBSD."


----------



## SirDice (Apr 29, 2009)

ashvinsivram said:
			
		

> ```
> FreeBSD# sockstat -4l
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     inetd      774   5  tcp4   *:21                  *:*
> ...


Just a hint, turn off telnet and rsh. Turn off inetd too.

Also add to /etc/rc.conf:

```
syslogd_flags="-ss"
```
That will stop syslogd from listening to network syslog messages. It's quite easy to spoof and it will fill up your logs.


----------



## anomie (Apr 29, 2009)

@ashvinsivram: OK, now we are getting somewhere. 

Now, on the FreeBSD server, run `# tail -f /var/log/auth.log`

Keep that running in a terminal. Next, from the Ubuntu box, try to ssh in as root to the FreeBSD server. 

What do you see showing up in auth.log exactly? Please post it here.


----------



## ashvinsivram (Apr 29, 2009)

```
Apr 29 23:56:28 FreeBSD sshd[96241]: Accepted keyboard-interactive/pam for ashwin from 192.168.1.4 port 38118 ssh2
Apr 29 23:56:42 FreeBSD login: pam_acct_mgmt(): authentication error
Apr 29 23:56:47 FreeBSD gnome-keyring-daemon[863]: error connecting to D-BUS system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
Apr 29 23:56:47 FreeBSD gnome-keyring-daemon[863]: Scheduling hal init retry
Apr 29 23:57:14 FreeBSD login: 1 LOGIN FAILURE ON ttyp2
Apr 29 23:57:14 FreeBSD login: 1 LOGIN FAILURE ON ttyp2, root
```

Actually when I type ssh FreeBSD.ipaddress it's not showing me login it's directly asking for password.


----------



## anomie (Apr 29, 2009)

From the Ubuntu box, use: `$ ssh root@<freebsd.ip.here>`

Try that and repeat the same steps from my last post again (i.e. tail auth.log and post the results).


----------



## ashvinsivram (Apr 29, 2009)

```
Apr 30 00:07:58 FreeBSD sshd[51866]: Accepted keyboard-interactive/pam for root from 192.168.1.4 port 52235 ssh2
```


Bingo!!!! it's Working...


----------



## SirDice (Apr 29, 2009)

ashvinsivram said:
			
		

> Apr 29 23:56:47 FreeBSD gnome-keyring-daemon[863]: error connecting to D-BUS system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
> Apr 29 23:56:47 FreeBSD gnome-keyring-daemon[863]: Scheduling hal init retry


Not related but you don't seem to have dbus running.

This isn't getting us anywhere, too much other crap in the logs x(

Stop the sshd on the fbsd box: */etc/rc.d/sshd stop*
Run in a terminal, as root: */usr/sbin/sshd -d*

On the Ubuntu box run, as root: *ssh -v root@ipaddressfbsdbox*

Please post the outputs of both commands..


----------



## SirDice (Apr 29, 2009)

ashvinsivram said:
			
		

> Apr 30 00:07:58 FreeBSD sshd[51866]: Accepted keyboard-interactive/pam for root from 192.168.1.4 port 52235 ssh2
> 
> 
> Bingo!!!! it's Working...


Ok.. What made it work?


----------



## ashvinsivram (Apr 29, 2009)

Now, I really somewhat understand the issue. (Please do not scold me)..

The thing is I configured same username and password in ubuntu and in FreeBSD. So, whenever I try to ssh it's asking only for password and when I try to login as root it's not allowing me.. Now, I logged in as root@ipaddress it's working now.. Please correct me if I am wrong!!


----------



## ashvinsivram (Apr 29, 2009)

SirDice said:
			
		

> Not related but you don't seem to have dbus running.
> 
> This isn't getting us anywhere, too much other crap in the logs x(
> 
> ...



I installed Apache22 and it's not working and I checked one of your posts..there you mentioned update the ports. So, in background I am updating the ports.


----------



## SirDice (Apr 29, 2009)

ashvinsivram said:
			
		

> The thing is I configured same username and password in ubuntu and in FreeBSD. So, whenever I try to ssh it's asking only for password and when I try to login as root it's not allowing me.. Now, I logged in as root@ipaddress it's working now.. Please correct me if I am wrong!!



Yes, if you use ssh to login from boxA to boxB it will use the username you have on boxA to login on boxB. You can use the -u switch or the @ syntax to specify a specific user.


----------



## ashvinsivram (Apr 29, 2009)

Once Again!! I want to say thanks to everybody, who helped me a lot to resolve the issue...

Thanks & Regards,

Ashwin


----------



## DutchDaemon (Apr 29, 2009)

ashvinsivram: always use CODE tags for posting system output! Or did you totally miss the fact that a bunch of your posts has been edited to add those tags?


----------



## Trojan (May 3, 2009)

phoenix said:
			
		

> Third, if, for some bizarre reason, you are absolutely sure you want to do this, and give up one of the most important security features of the OS, then edit */etc/ssh/sshd_config*, enable the *PermitRootLogin* option, then run */etc/rc.d/sshd reload* to activate the change.  Check the output of *netstat -an|grep 22* to make sure it's running and LISTENing.  Then try to connect remotely.


I made all the things *phoenix* wrote i.e. edited option *PermitRootLogin* for *"YES"* then run */etc/rc.d/sshd reload* (also restarted the machine) BUT still can't connect remotely via ssh as root. As regular user there is no problem with remote connect. Here is the console outputs:

from Windows XP station

```
login as: root
Using keyboard-interactive authentication.
Password:
Access denied
```

from FreeBSD server

```
shlus# May 3 18:05:59 shlus sshd[933] error: PAM: authentication error for root from 192.168.1.100
```

What should I do else or what I missed to do?


----------



## kamikaze (May 3, 2009)

I suspect he didn't enable sshd. Run `/etc/rc.d/sshd onestart` and if it works afterwards that means you forgot to set _sshd_enable="YES"_ in your /etc/rc.conf.


----------



## phoenix (May 4, 2009)

SSH is obviously working, otherwise he wouldn't get a login prompt.  

Trojan:  Can you SSH from the FreeBSD console to localhost?  `$ ssh -l root localhost`

Can you add a -v or two to the SSH command, to see what the error is `$  ssh -l root -vv localhost`


----------



## MG (May 4, 2009)

@kamikaze: If you switched hostnames or networking cards FreeBSD might think someone is trying to attack your network by pretending to be one of the local machines. In that case move or remove root's ~/.ssh/known_hosts

edit: that should be @trojan


----------



## anomie (May 4, 2009)

IMO, Trojan's question deserves its own thread. The OP (ashvinsivram) has solved his problem already.


----------



## DutchDaemon (May 4, 2009)

anomie, I see your point, but the problem's similar/related, and I'd have to butcher that post to extricate it from this thread, probably causing more confusion than help. So we'll just let it peter out.


----------



## Trojan (May 5, 2009)

phoenix said:
			
		

> SSH is obviously working, otherwise he wouldn't get a login prompt.
> 
> Trojan:  Can you SSH from the FreeBSD console to localhost?  `$ ssh -l root localhost`
> 
> Can you add a -v or two to the SSH command, to see what the error is `$  ssh -l root -vv localhost`


When I run *ssh -l root localhost* I get the next:

```
shlus# ssh -l root localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
DSA key fingerpront is e2:81:82:d7:c3:af:d0:d0:35:32:24:21:df:18:56:45.
Are you sure you want to continue connecting (yes/no)?
```

And here is the output of *ssh -l root -vv localhost*:

```
shlus# ssh -l root -vv localhost
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 534/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug2: no key of type 0 for host localhost
debug2: no key of type 1 for host localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
DSA key fingerprint is e2:81:82:d7:c3:af:d0:d0:35:32:24:21:df:18:56:45.
Are you sure you want to continue connecting (yes/no)?
```


----------



## gilinko (May 5, 2009)

@Trojan: That message indicates that you currently don't have the DSA key stored in your known_hosts file. Answer yes and it will store the profile key and give you a password prompt. Next time you connect you will not be asked if you trust this key as you have already accepted it, and you will just be prompted to give your password.

Now if this key changes for this particular host, you will get a stern warning as the system you are connecting to isn't the same as the one you accepted a key for (aka a possible breach of security on the remote host).


----------



## ashvinsivram (May 6, 2009)

anomie said:
			
		

> IMO, Trojan's question deserves its own thread. The OP (ashvinsivram) has solved his problem already.




Not a Problem! Let us help this guy.. Even people like me will learn how to troubleshoot SSH issues..


Regards,

Ashwin


----------



## Trojan (May 6, 2009)

gilinko said:
			
		

> @Trojan: That message indicates that you currently don't have the DSA key stored in your known_hosts file. Answer yes and it will store the profile key and give you a password prompt. Next time you connect you will not be asked if you trust this key as you have already accepted it, and you will just be prompted to give your password.
> 
> Now if this key changes for this particular host, you will get a stern warning as the system you are connecting to isn't the same as the one you accepted a key for (aka a possible breach of security on the remote host).


I logged in locally on FreeBSD machine then run *ssh -l root localhost* and here the output of what I got:

```
shlus# ssh -l root shlus
The authenticity of host 'shlus.home (192.168.1.1)' can't be established.
DSA key fingerprint is e2:81:82:d7:c3:af:d0:d0:35:32:24:21:df:18:56:45.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'shlus.home' (DSA) to the list of known hosts.
Password: <- here I entered the password for root
May 6 12:45:25 shlus sshd[882]: error: PAM: authentication error for root from localhost
Password: <- here I entered the password for root
Password: <- here I entered the password for root
Permission denied (publickey,keyboard-interactive).
```

Where I was mistaken?


----------



## phoenix (May 6, 2009)

And what shows in */var/log/auth.log* on shlus after you try to login?


----------



## Trojan (May 7, 2009)

phoenix said:
			
		

> And what shows in */var/log/auth.log* on shlus after you try to login?




```
May  7 11:43:13 shlus sshd[813]: error: PAM: authentication error for root from localhost
May  7 11:43:22 shlus last message repeated 2 times
```


----------
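
The auth.log lines posted in this thread, turned into a check, as an added example that is not part of any post: a POSIX sh/awk function that counts accepted and failed sshd logins for root per source, and adds syslogd's "last message repeated N times" lines to the failure count instead of dropping them. The log lines are constructed, modelled on the formats shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd events for root
# from a syslog-format auth.log.

# Constructed sample input, modelled on the log lines posted in the thread.
sample_auth_log() {
    cat <<'EOF'
Apr 29 23:56:28 FreeBSD sshd[96241]: Accepted keyboard-interactive/pam for ashwin from 192.168.1.4 port 38118 ssh2
Apr 30 00:07:58 FreeBSD sshd[51866]: Accepted keyboard-interactive/pam for root from 192.168.1.4 port 52235 ssh2
May  7 11:43:13 FreeBSD sshd[813]: error: PAM: authentication error for root from 192.168.1.100
May  7 11:43:22 FreeBSD last message repeated 2 times
May  7 11:44:01 FreeBSD sshd[820]: Accepted publickey for root from 192.168.1.4 port 52301 ssh2
EOF
}

# Print one sorted line per (event, method, source) with its count.
root_ssh_summary() {
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ {
            prev = ""                      # a new message ends any repeat run
            if ($6 == "Accepted" && $8 == "for" && $9 == "root") {
                ok[$7 " from " $11]++      # $7 = auth method, $11 = source
            } else if ($6 == "error:" && $7 == "PAM:" && $8 == "authentication" &&
                       $9 == "error" && $10 == "for" && $11 == "root") {
                bad[$13]++                 # $13 = source host or address
                prev = $13                 # a repeat line may follow
            }
            next
        }
        # syslogd collapses identical consecutive messages into this line.
        $5 == "last" && $6 == "message" && $7 == "repeated" {
            if (prev != "") bad[prev] += $8
            next
        }
        { prev = "" }                      # any other line breaks the run
        END {
            for (k in ok)  print "accepted root via " k " " ok[k]
            for (s in bad) print "failed root from " s " " bad[s]
        }
    ' "$1" | LC_ALL=C sort
}

# Demo on the constructed sample.
demo_log=$(mktemp)
sample_auth_log > "$demo_log"
root_ssh_summary "$demo_log"
rm -f "$demo_log"
```

A root login accepted via `keyboard-interactive/pam` is a password login; `publickey` is the key-only case phoenix recommends.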



## Dryanta (May 7, 2009)

Essentially, unless you are playing with pam modules and alternative logon methods there are three possible problems.

1: You did not make the correct change in /etc/ssh/sshd_config.
2: You did not use the rcfile or kill to restart the daemon.
3: You are fat-fingering your password.


----------



## Trojan (May 24, 2009)

Finally I solved the issue with ssh login under root. 
In my case the problem was that parameter "*AllowRootLogin yes*" wasn't uncommented and it was my fault of course. I uncommented this parameter and now it's OK.
Do excuse me please for misleading and ty for trying to help me.


----------
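
The sshd_config check phoenix describes, and the cause Trojan reports above (the directive was still commented out), as an added example that is not part of any post: a POSIX sh function that reports the first uncommented `PermitRootLogin` in the global section of a config file, since sshd uses the first value it obtains for a keyword. The file contents and function names are constructed, and `Match` blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): which PermitRootLogin value does an
# sshd_config actually set? The file contents below are constructed.

# Print the first uncommented PermitRootLogin argument in the global section
# (before any Match block), or "unset" if the file never sets it.
effective_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines set nothing
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)    # keyword, then argument
            key = tolower(f[1])              # keywords are case-insensitive
            if (key == "match") exit         # conditional blocks: out of scope here
            if (key == "permitrootlogin" && n >= 2) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map a value to what it means for remote root logins.
classify_root_login() {
    case "$1" in
        yes)                  echo "root-password-login-allowed" ;;
        # prohibit-password is the newer spelling of without-password
        without-password|prohibit-password) echo "root-key-only" ;;
        forced-commands-only) echo "root-key-forced-command-only" ;;
        no)                   echo "root-denied" ;;
        unset)                echo "compiled-in-default" ;;
        *)                    echo "unrecognized" ;;
    esac
}

# Demo on two constructed files: a commented-out directive, and a key-only
# setting followed by a later "yes" that never takes effect.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' > "$demo_dir/commented"
printf '%s\n' 'Port 22' 'PermitRootLogin without-password' 'PermitRootLogin yes' > "$demo_dir/keyonly"
for f in "$demo_dir/commented" "$demo_dir/keyonly"; do
    v=$(effective_root_login "$f")
    echo "${f##*/}: PermitRootLogin=$v -> $(classify_root_login "$v")"
done
rm -rf "$demo_dir"
```

On a running host, `sshd -T` (where the installed OpenSSH supports it) prints the configuration sshd actually parsed, including compiled-in defaults.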



## jackfree (Aug 14, 2012)

*remote login using ssh*

I have tried to remote login into FreeBSD 7.1, but it is throwing PAM: authentication error for root. I have only one login that is root. No other user I have created since I am only using. I am not able to login through putty or winscp?

Please tell me any solution how to recover.


----------



## gnuhurd (Dec 14, 2016)

how to enable and config sshd on freebsd-12


----------



## SirDice (Dec 14, 2016)

Exactly the same way as every other version.

Handbook: 13.8.2. Enabling the SSH Server


Topics about unsupported FreeBSD versions


----------

