SSH root login with keys only
mwisnicki+freebsd at gmail.com
Mon Apr 5 19:35:05 UTC 2010
On Mon, 05 Apr 2010 12:38:01 -0500, Peggy Wilkins wrote:
> On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman <vince at unsane.co.uk>
>> However a note later in the default sshd_config file regarding the
>> UsePAM setting says
>> 'Depending on your PAM configuration,
>> PAM authentication via ChallengeResponseAuthentication may bypass
>> the setting of "PermitRootLogin without-password".'
> That PAM comment in sshd_config got my attention a number of years ago,
> so I did a lot of testing of various sshd/pam settings to try and
> understand what could happen and to try and make some sense out of it.
> My configurations:
> in /etc/ssh/sshd_config:
> PermitRootLogin without-password
> UsePAM yes
Hmm.. indeeed it seems to work just fine
> I haven't gone so far as to check source code to see why this works as
> it does. I'm guessing that PAM may allow passwords for root via
> something that isn't pam_unix since by design PAM can allow anything.
> But when using pam_unix, at least, it does observe the without-password
> setting for root.
I've followed the code and it looks like when 'without-password' is enabled
then whatever password you entered will be replaced with "\b\n\r\177INCORRECT"
in auth-pam.c:1175 before calling pam with a hope that it is not really your
But I've tried worst case scenario (auth sufficient pam_permit.so) and it seems
even that will be denied as there is an extra check in auth-pam.c:779 so it will
fatal: Internal error: PAM auth succeeded when it should have failed
So it seems it is in fact perfectly safe to use such combination of options.
More information about the freebsd-questions