SSH root login with keys only

Marcin Wisnicki mwisnicki+freebsd at
Sun Apr 4 23:35:28 UTC 2010

On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote:

> On 04/04/10 23:04, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>> 1. Root will be able to login only by using keys 2. Normal users will
>> still be able to use pam/keyboard-interactive
> Yes, you can create a Match block with the criteria User, something like
> this I guess will work (haven't tested):
> PermitRootLogin yes
> Match User root
>      PasswordAuthentication no
> check the man page. You might also want to restrict from where root can
> login with another match block.

PasswordAuthentication is already disabled (by default).
I need to disable ChallengeResponseAuthentication however:

 /etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' 
   is not allowed within a Match block

Same thing for "UsePAM no" (though I would like to keep pam for accounting
and session management)

> I assume that you have decided root login is acceptable with the
> increased security of key authentication. Just beware that the key must
> be password protected.
> BR, Erik

More information about the freebsd-questions mailing list