SSH root login with keys only

Modulok modulok at gmail.com
Mon Apr 5 16:40:00 UTC 2010


You should also consider posting your patch and related content to
'freebsd-hackers at freebsd.org'.

-Modulok-


On 4/5/10, Marcin Wisnicki <mwisnicki+freebsd at gmail.com> wrote:
> On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
>>> Is it possible to configure sshd such that both conditions are met:
>>>
>>> 1. Root will be able to login only by using keys 2. Normal users will
>>> still be able to use pam/keyboard-interactive
>>
>> Only by running two instances of sshd on different ports / IP numbers.
>>
>
> Thanks for all responses.
> I've finally solved it by configuring PAM to deny root.
> Unfortunately, all of the PAM modules in the base system that can do it
> deny login only in "account" phase which is too late for sshd.
> I've modified pam_securetty to also provide "auth" facility.
>
> For anyone interested, here is a patch:
>
> --- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c	2010-02-18
> 00:12:28.000000000 +0100
> +++ pam_securetty/pam_securetty.c	2010-04-05 04:47:21.000000000 +0200
> @@ -45,2 +45,3 @@
>
> +#define PAM_SM_AUTH
>  #define PAM_SM_ACCOUNT
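Review bot: adding `#define PAM_SM_AUTH` makes the module advertise an auth facility, but nothing in the patch updates the pam_securetty(8) manual page or the module's own header comment to say that `auth` is now accepted and performs the same securetty check as `account`; please document that alongside the define.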
> @@ -54,2 +55,24 @@
>  PAM_EXTERN int
> +pam_sm_authenticate(pam_handle_t *pamh, int flags,
> +    int argc, const char *argv[])
> +{
> +	const char *user;
> +	int r;
> +
> +	if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
> +		return (r);
> +
> +	return (pam_sm_acct_mgmt(pamh, flags, argc, argv));
> +}
> +
> +PAM_EXTERN int
> +pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
> +    int argc __unused, const char *argv[] __unused)
> +{
> +
> +	return (PAM_SUCCESS);
> +}
> +
> +
> +PAM_EXTERN int
>  pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
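Review bot: `pam_sm_authenticate` returns whatever `pam_sm_acct_mgmt` returns, so on a secure tty it reports PAM_SUCCESS without having checked any credential; the module is therefore only safe stacked as `required` or `requisite` ahead of the real authenticator (pam_unix), never as `sufficient`, and a comment above the function should state that. The `user` fetched via `pam_get_user` is never used in this function; if the call is meant only to fail early when no user is set, say so in a comment, otherwise drop it. Minor: the two blank `+` lines before the final `PAM_EXTERN int` leave a double blank line where the file had one.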
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
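As an added illustration (not from the thread, and not FreeBSD's shipped configuration), here is how the patched module would be wired into /etc/pam.d/sshd so that root is refused a password but keeps key logins; the stack layout is assumed, as is the assumption that sshd hands PAM a non-secure tty name for network logins, which is what makes the securetty check fail for root.

```conf
# /etc/pam.d/sshd (FreeBSD) -- assumed layout, added example, not from the thread.
# The patched pam_securetty is stacked first in the "auth" chain. sshd runs the
# PAM auth chain only for password / keyboard-interactive logins; public-key
# logins skip it and run only "account" and "session". So root over a key still
# works, while root with a password is refused before pam_unix is consulted.
# Assumption: for a network login sshd sets PAM_TTY to a name that is not marked
# secure in /etc/ttys, which is why the securetty check fails for root.
#
# auth
auth        requisite   pam_securetty.so        no_warn
auth        required    pam_unix.so             no_warn try_first_pass
#
# account (pam_securetty must NOT be here: the account phase also runs for
# key-based logins and would block root's keys as well)
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so
#
# session
session     required    pam_permit.so
#
# password
password    required    pam_unix.so             no_warn try_first_pass
```

With this in place sshd_config keeps PermitRootLogin yes, UsePAM yes and ChallengeResponseAuthentication yes; the per-method split comes entirely from PAM. Verify from a second session that a root password login is refused and a root key login still succeeds before closing the session you edited from.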

