(...)

> Is this issue specific to ssh? What happens if you locally (on SERVER)
> try to su -l checkuser with UID=1001? Or use ftp or telnet?


Yes, it's specific to SSH authentication with keys. Password logins work
fine.
I can su:

thecus:/var/log# su -l checkuser
checkuser@thecus:~$
checkuser@thecus:~$ su
Password:
thecus:/home/checkuser#

I can login via telnet (using a password).


> Also, try turning up the debug in the sshd process to try and see more
> of what is happening:
>
> # For sshd_config
> LogLevel DEBUG3
>
> We need to see what happens between the last two lines and the above
> might help:
> sshd[18730]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
> sshd[18730]: debug1: trying public key file /home/checkuser/.ssh/
> authorized_keys
> sshd[18730]: debug1: restore_uid: 0/0


There is something strange with the key:

Sep 8 11:27:23 thecus sshd[23596]: Failed none for checkuser from
192.168.111.181 port 35531 ssh2
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_request_receive entering
Sep 8 11:27:23 thecus sshd[23596]: debug3: monitor_read: checking
request 20
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed entering
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed:
key_from_blob: 0x69b00
Sep 8 11:27:23 thecus sshd[23596]: debug1: temporarily_use_uid:
1001/1001 (e=0/0)
Sep 8 11:27:23 thecus sshd[23596]: debug1: trying public key file
/home/checkuser/.ssh/authorized_keys
Sep 8 11:27:23 thecus sshd[23596]: debug1: restore_uid: 0/0
Sep 8 11:27:23 thecus sshd[23596]: debug1: temporarily_use_uid:
1001/1001 (e=0/0)
Sep 8 11:27:23 thecus sshd[23596]: debug1: trying public key file
/home/checkuser/.ssh/authorized_keys2
Sep 8 11:27:23 thecus sshd[23596]: debug1: restore_uid: 0/0
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_answer_keyallowed: key
0x69b00 is disallowed
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_request_send entering:
type 21
Sep 8 11:27:23 thecus sshd[23596]: debug3: mm_request_receive entering


So, why is the key allowed if UID=0, and disallowed if UID!=0?


> Last option: you initially said that there were no options enabled in
> sshd_config to deny users - what about the group options DenyGroups and
> AllowGroups?


There's no option which allows/denies groups in my config.

I even used the same sshd_config file from another server, to which I
can login using the same key (where "checkuser" has UID=1001), but
still, I could only login if "checkuser" had UID=0.


--
Tomasz Chmielewski
http://wpkg.org
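An added diagnostic for the lookup shown in the debug log above; it is not code from this thread or from OpenSSH. Between "temporarily_use_uid: 1001/1001" and "restore_uid: 0/0" sshd opens ~/.ssh/authorized_keys as the user, and with StrictModes (the default) it also refuses the file unless it and every directory up to the home directory are owned by that user or by root and are not group- or world-writable. The thread does not say which of these failed for uid 1001; this script repeats both checks from an admin shell so you can see it without sshd. It assumes GNU stat(1), and for the read-as-user check that it runs as root and su(1) is available.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two checks sshd makes on
# the authorized_keys path while it runs as the target uid.
# Assumes GNU stat(1); readable_as_user needs root and su(1).

# stat_owner_mode PATH -> "UID SYMBOLIC_MODE", e.g. "1001 -rw-------"
stat_owner_mode() {
    stat -c '%u %A' "$1"
}

# node_secure PATH UID -> 0 if PATH is owned by UID or root and is neither
# group- nor world-writable; otherwise prints the reason and returns 1
node_secure() {
    p=$1; uid=$2
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    om=$(stat_owner_mode "$p")
    owner=${om%% *}
    mode=${om#* }
    if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
        echo "bad owner $owner on $p (must be 0 or $uid)"; return 1
    fi
    # in "-rw-rw-r--" / "drwxr-xr-x" char 6 is the group write bit, char 9 the other write bit
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "group/world writable ($mode): $p"; return 1
    fi
    return 0
}

# authkeys_path_secure FILE HOME UID -> 0 if FILE and each parent directory up
# to and including HOME pass node_secure (the walk StrictModes makes), else 1
authkeys_path_secure() {
    f=$1; home=$2; uid=$3
    node_secure "$f" "$uid" || return 1
    d=$f
    while :; do
        d=$(dirname "$d")
        [ "$d" = / ] && break
        node_secure "$d" "$uid" || return 1
        [ "$d" = "$home" ] && break
    done
    return 0
}

# readable_as_user FILE USER -> 0 if USER can open FILE for reading.
# -s /bin/sh so a nologin/false login shell does not mask the result.
readable_as_user() {
    su -s /bin/sh -c "cat -- '$1' >/dev/null" "$2"
}

main() {
    user=$1
    uid=$(id -u "$user") || exit 1
    home=$(getent passwd "$user" | cut -d: -f6)
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$f" ] || continue
        if authkeys_path_secure "$f" "$home" "$uid"; then
            echo "StrictModes OK: $f"
        fi
        if [ "$(id -u)" = 0 ]; then
            if readable_as_user "$f" "$user"; then
                echo "readable as uid $uid: $f"
            else
                echo "NOT readable as uid $uid: $f"
            fi
        fi
    done
}

# usage: sh check_authkeys.sh checkuser
if [ $# -eq 1 ]; then
    main "$1"
fi
```

Run it as root on the server for the user that fails (here checkuser). A "bad owner", "group/world writable" or "NOT readable as uid" line points at the ownership, mode or filesystem problem that an open as uid 1001 hits but an open as uid 0 does not; if every line is OK, the permissions are not the cause and the key contents or the AuthorizedKeysFile setting are the next thing to compare with the working server.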