Software for distribution of configuration files and changes
Jeremy Chadwick
koitsu at FreeBSD.org
Thu Nov 22 21:21:55 PST 2007
On Fri, Nov 23, 2007 at 09:21:24AM +0800, Quan Qiu wrote:
> On Nov 22, 2007 1:01 AM, Vivek Khera <vivek at khera.org> wrote:
> >
> > On Nov 21, 2007, at 12:45 AM, Quan Qiu wrote:
> >
> > >
> > > "ChallengeResponseAuthentication no" is also required to avoid sshd
> > > accepting keyboard-interactive/pam.
This affects all users, and not just root. This is probably not
what you want.
> Using the following settings in sshd_config:
>
> PermitRootLogin without-password
> PasswordAuthentication no
> UseDNS no
> Subsystem sftp /usr/libexec/sftp-server
>
> PuTTY'ing to the box produces:
>
> Using username "root".
> Using keyboard-interactive authentication.
> Password:
And have you tried actually attempting to log in with root's password
that way? I'm betting it doesn't work.
Here's proof from our RELENG_6 box, where I'm attempting to log in
as root on it:
eos$ whoami
jdc
eos$ ssh root at anubis.sc1.private.lan
The authenticity of host 'anubis.sc1.private.lan (10.72.0.125)' can't be established.
DSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'anubis.sc1.private.lan' (DSA) to the list of known hosts.
Password:
Password:
Password:
And the sshd_config from anubis is all defaults values, except for
"PermitRootLogin without-password".
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-stable
mailing list