SSH root logins using public key only confusion
The WRS
thewrs at gmail.com
Thu Aug 4 05:26:27 GMT 2005
I've always preferred setting
PermitRootLogin without-password
in my sshd_config in order to allow root logins using a public key only.
I'm sure the above directive was all I needed to change in the past in
order to achieve this, however it now seems something has changed
either in the default sshd_config file or PAM's configuration itself.
The man page warns about several other directives I'm simply not sure
of (ChallengeResponseAuthentication, PasswordAuthentication and
"pam_unix" within /etc/pam.d/sshd), so I would appreciate some help on
how to reach my goal. I am very confused!
With a default sshd_config but PermitRootLogin set to
'without-password', I find that root is still allowed to log in with a
user/pass. A feeble attempt at understanding the sshd_config man page
led me to disable ChallengeResponseAuthentication and enable
PasswordAuthentication, which left me with no direct root access at all
(password or public key).
I have verified that my public key works correctly.
There are several local users who prefer authentication with
passwords, so I just want root to require the public key.
This is a FreeBSD 5.4 box.
My sshd_config is now default again (except the requirement of SSH2);
here is my /etc/pam.d/sshd in case it is causing the problem.
---------
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
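As an added check (not part of the original post, of FreeBSD, or of OpenSSH), the following POSIX shell script reads an sshd_config and reports which password-style authentication methods remain open to root. It models two sshd parsing rules that make this kind of problem hard to reason about by eye: keywords are case-insensitive, and when a keyword appears more than once sshd keeps the first value it sees, not the last. The defaults it assumes for absent keywords (PermitRootLogin no as FreeBSD ships it, PasswordAuthentication yes, ChallengeResponseAuthentication yes) are assumptions to adjust for your build; it does not understand Match blocks (which did not exist in 2005-era OpenSSH) or the `Keyword=value` spelling; and the sample config at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added check for the sshd_config confusion above (not the poster's or
# OpenSSH's code). Reports which password-style methods root could still
# use, modelling two sshd rules: keywords are case-insensitive, and when a
# keyword is repeated sshd keeps the FIRST value (later copies are ignored).

# sshd_effective FILE KEYWORD DEFAULT
#   Print the effective value of KEYWORD in FILE: comments stripped,
#   keyword matched case-insensitively, first occurrence wins. Prints
#   DEFAULT if the keyword is absent. Match blocks are not handled.
sshd_effective() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" -v def="$3" '
        { sub(/#.*/, "") }                    # drop comments, re-split fields
        NF >= 2 && tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# root_password_paths FILE
#   Print, space-separated on one line, the password-style methods that the
#   three directives leave open to root: "password" (PasswordAuthentication)
#   and/or "keyboard-interactive" (ChallengeResponseAuthentication, which on
#   FreeBSD is answered by the PAM stack in /etc/pam.d/sshd). Prints "none"
#   if neither remains. The defaults for absent keywords are ASSUMPTIONS:
#   PermitRootLogin no (FreeBSD's default), the other two yes.
root_password_paths() {
    prl=$(sshd_effective "$1" PermitRootLogin no)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    paths=""
    case "$prl" in
        yes)
            [ "$pw" = yes ] && paths="password"
            [ "$cr" = yes ] && paths="${paths:+$paths }keyboard-interactive"
            ;;
        without-password|prohibit-password)
            # The "password" method is refused for root here. The post above
            # reports root still logging in with a password under a default
            # config, consistent with the keyboard-interactive (PAM) path being
            # open on that OpenSSH; newer OpenSSH refuses it for root too.
            # Flag it so it is tested on the real daemon rather than assumed.
            [ "$cr" = yes ] && paths="keyboard-interactive"
            ;;
        *)  # "no", "forced-commands-only": no password-style method for root
            ;;
    esac
    printf '%s\n' "${paths:-none}"
}

# Constructed sample (NOT a real host's config): the poster's situation,
# plus a later duplicate that sshd will ignore because the first value wins.
demo=$(mktemp)
printf '%s\n' \
    'Protocol 2' \
    'PermitRootLogin without-password' \
    '# PasswordAuthentication yes   (commented out, so the default applies)' \
    'PermitRootLogin no' \
    > "$demo"
printf 'PermitRootLogin in effect: %s\n' "$(sshd_effective "$demo" PermitRootLogin no)"
printf 'password-style methods open to root: %s\n' "$(root_password_paths "$demo")"
rm -f "$demo"
```

Run it as `sh check_root_paths.sh`, or source it and call `root_password_paths /etc/ssh/sshd_config` on a real file. The flag on keyboard-interactive is deliberate: `without-password` is documented as disabling password authentication for root, but the keyboard-interactive method, which ChallengeResponseAuthentication enables and which FreeBSD hands to the pam_unix line in the stack quoted above, is a separate way to type a password. The poster's report of root still getting in under an otherwise default config is consistent with that path being open on that OpenSSH version. Newer OpenSSH (where the setting is also spelled `prohibit-password`) refuses keyboard-interactive for root as well, so confirm on your build with a real login attempt, and check `sshd -T` where that option exists, rather than relying on the keyword alone.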