SSH root login with keys only

Marcin Wisnicki mwisnicki+freebsd at gmail.com
Mon Apr 5 13:19:24 UTC 2010


On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:

> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>> 
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
> 
> Only by running two instances of sshd on different ports / IP numbers.
> 

Thanks for all responses.
I've finally solved it by configuring PAM to deny root.
Unfortunately, all of the PAM modules in the base system that can do it
deny login only in the "account" phase, which is too late for sshd.
I've modified pam_securetty to also provide the "auth" facility.
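
An added example (my own, not code from this post or from FreeBSD's pam_securetty): a small model of how a PAM auth chain evaluates required/requisite/sufficient/optional entries. It exists to show the one thing an operator has to get right when a module like the patched pam_securetty goes into the auth chain: the module refuses root on an insecure tty but checks no credential for anyone else, so it must be listed as requisite or required, never sufficient. The module stand-ins, user names, passwords and tty names ("ttyv0" as the secure tty, "ssh" as what sshd would hand PAM) are constructed for the model.

```c
/* Added example, not code from the post or from FreeBSD's pam_securetty: a model of
 * an OpenPAM-style auth chain, used to show why a module that only refuses root
 * (and verifies nothing for other users) must be required/requisite, not sufficient.
 * Module behaviour, user names, passwords and tty names below are constructed. */
#include <stdio.h>
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7 };   /* values chosen for the model only */
enum ctl { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };

struct ctx {
    const char *user;
    const char *tty;        /* what sshd would set as PAM_TTY; "ssh" here is constructed */
    const char *password;   /* NULL when the client offered no password */
};

/* Stand-in for the patched pam_securetty auth hook: root is refused unless the tty
 * is the (constructed) secure tty; every other user is waved through unchecked. */
static int mod_securetty(const struct ctx *c)
{
    if (strcmp(c->user, "root") == 0 && strcmp(c->tty, "ttyv0") != 0)
        return PAM_AUTH_ERR;
    return PAM_SUCCESS;
}

/* Stand-in for pam_unix: the only entry that verifies a secret (constructed table). */
static int mod_unix(const struct ctx *c)
{
    static const struct { const char *user, *pw; } table[] = {
        { "root", "toor" }, { "alice", "s3cret" },
    };
    if (c->password == NULL)
        return PAM_AUTH_ERR;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].user, c->user) == 0 && strcmp(table[i].pw, c->password) == 0)
            return PAM_SUCCESS;
    return PAM_AUTH_ERR;
}

struct entry { enum ctl ctl; int (*fn)(const struct ctx *); };

/* Chain evaluation: a requisite failure ends the chain at once, a required failure
 * is remembered while the chain continues, and a sufficient success ends the chain
 * with a grant unless a required entry already failed. Failures of sufficient and
 * optional entries are ignored here; that detail varies between PAM implementations
 * and does not affect the point being made. */
static int run_chain(const struct entry *chain, size_t n, const struct ctx *c)
{
    int err = PAM_SUCCESS;
    for (size_t i = 0; i < n; i++) {
        int r = chain[i].fn(c);
        switch (chain[i].ctl) {
        case REQUISITE:
            if (r != PAM_SUCCESS)
                return r;
            break;
        case REQUIRED:
            if (r != PAM_SUCCESS && err == PAM_SUCCESS)
                err = r;
            break;
        case SUFFICIENT:
            if (r == PAM_SUCCESS && err == PAM_SUCCESS)
                return PAM_SUCCESS;
            break;
        case OPTIONAL:
            break;
        }
    }
    return err;
}

/* The intended stack: pam_securetty gates root, pam_unix still checks everyone's password. */
const struct entry safe_chain[] = {
    { REQUISITE, mod_securetty },
    { REQUIRED,  mod_unix },
};

/* The misconfiguration: listed as sufficient, pam_securetty's "pass" for a non-root
 * user ends the chain before pam_unix runs, so no password is needed at all. */
const struct entry unsafe_chain[] = {
    { SUFFICIENT, mod_securetty },
    { REQUIRED,   mod_unix },
};

int authenticate(const struct entry *chain, size_t n,
                 const char *user, const char *tty, const char *password)
{
    struct ctx c = { user, tty, password };
    return run_chain(chain, n, &c);
}

int main(void)
{
    printf("safe   root/ssh   toor   -> %d\n", authenticate(safe_chain, 2, "root", "ssh", "toor"));
    printf("safe   alice/ssh  s3cret -> %d\n", authenticate(safe_chain, 2, "alice", "ssh", "s3cret"));
    printf("unsafe alice/ssh  (none) -> %d\n", authenticate(unsafe_chain, 2, "alice", "ssh", NULL));
    return 0;
}
```

With the safe chain, root's correct password is refused over "ssh" (the requisite entry stops the chain) while alice still has to satisfy pam_unix; with the unsafe chain, alice is granted with no password at all. Public-key logins never enter the auth chain (sshd runs only the account and session phases for them), which is why refusing root in the auth phase rather than the account phase leaves key-based root logins working.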

For anyone interested, here is a patch:

--- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c	2010-02-18 00:12:28.000000000 +0100
+++ pam_securetty/pam_securetty.c	2010-04-05 04:47:21.000000000 +0200
@@ -45,2 +45,3 @@
 
+#define PAM_SM_AUTH
 #define PAM_SM_ACCOUNT
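Review bot: defining PAM_SM_AUTH commits the module to exporting pam_sm_authenticate and pam_sm_setcred (the next hunk adds both), but nothing in the patch documents that pam_securetty can now be listed under auth, or with which control flag; please update the module's documentation alongside this define so operators do not keep it under account only.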
@@ -54,2 +55,24 @@
 PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+	const char *user;
+	int r;
+
+	if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return (r);
+
+	return (pam_sm_acct_mgmt(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+    int argc __unused, const char *argv[] __unused)
+{
+
+	return (PAM_SUCCESS);
+}
+
+
+PAM_EXTERN int
 pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
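Review bot: pam_sm_authenticate verifies no credential; `return (pam_sm_acct_mgmt(pamh, flags, argc, argv));` means whoever the tty check lets through (everyone but root, per the description above) is reported as authenticated, so this entry can only restrict, never prove identity. Add a comment above pam_sm_authenticate stating that it must be listed as required or requisite in the auth chain and never as sufficient, since as sufficient it would end the chain with a grant for non-root users before any password-checking module runs. Two smaller points: `user` is fetched with pam_get_user and then never used, so either leave the lookup to pam_sm_acct_mgmt or add a comment saying the call is only there to make sure the user name is set before delegating; and the two consecutive blank lines before the final PAM_EXTERN should be one.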



More information about the freebsd-questions mailing list