SSH root login with keys only
mwisnicki+freebsd at gmail.com
Sun Apr 4 23:35:28 UTC 2010
On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote:
> On 04/04/10 23:04, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>> 1. Root will be able to login only by using keys 2. Normal users will
>> still be able to use pam/keyboard-interactive
> Yes, you can create a Match block with the criteria User, something like
> this I guess will work (haven't tested):
> PermitRootLogin yes
> Match User root
> PasswordAuthentication no
> check the man page. You might also want to restrict from where root can
> login with another match block.
PasswordAuthentication is already disabled (by default).
I need to disable ChallengeResponseAuthentication however:
/etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication'
is not allowed within a Match block
Same thing for "UsePAM no" (though I would like to keep pam for accounting
and session management)
> I assume that you have decided root login is acceptable with the
> increased security of key authentication. Just beware that the key must
> be password protected.
> BR, Erik
More information about the freebsd-questions