Confusion on SSH and PAM

Vinny vinny-mail-01+f.questions20071007 at
Tue Oct 9 20:27:43 PDT 2007

Rakhesh Sasidharan wrote:
> Here's another oddity I encountered today.
> If "PermitRootLogin" is set to "forced-commands-only", my understanding
> is that SSHD will permit root logins if a command to be executed is
> given. But that doesn't seem to be the case in practice! I have keys
> set up for root to log in, but instead of letting me in with those keys,
> SSHD ignores them, passes me to PAM for password prompting (three times)
> and then denies me out! Very strange.

PermitRootLogin forced-commands-only

This requires that a command be present in the authorized_keys
file for a given key.  For example, root's authorized_keys
file might look like this for an rsync command:

ssh-dss AAAAB3N_more_public_key_data comment

The entire text above should be only one line in the file.
The command shown in:


I.e. /root/.ssh/cron/validate-rsync

must be the command submitted on the ssh command line, loosely:

$ ssh -i private_key_matching_public_key_in_authorized_keys root@host \

The root user cannot otherwise log in to the system using ssh
unless further keys with corresponding commands exist.
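
The rule described in the reply above can be checked offline against a copy of root's authorized_keys. The following Python script is an added example, not part of the original post: it reports which entries carry a command= option and which would therefore be ignored for root under forced-commands-only. The function names, the key-type prefix list and the sample file contents are assumptions made for illustration; only the /root/.ssh/cron/validate-rsync path comes from the post.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # assumed list of key-type prefixes

# Constructed sample; the key data are placeholders, not real keys.
SAMPLE = '''\
# root's authorized_keys
command="/root/.ssh/cron/validate-rsync",no-pty ssh-dss AAAAB3N_placeholder backup
ssh-rsa AAAAB3N_placeholder admin
'''

def parse_options(line):
    """Split the leading options field: returns (options, rest_of_line)."""
    if line.split(None, 1)[0].startswith(KEY_PREFIXES):
        return [], line                      # entry has no options field
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
            cur += '\\"'                     # escaped quote inside a value
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if not in_quote and c in ", \t":     # separator outside quotes
            opts.append(cur)
            cur = ""
            if c != ",":                     # whitespace ends the options field
                return opts, line[i:].strip()
        else:
            cur += c
        i += 1
    return opts + [cur], ""

def audit_root_keys(text):
    """Return [(line_no, key_type, forced_command or None)] for each key entry."""
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = parse_options(line)
        cmd = None
        for opt in opts:
            name, _, value = opt.partition("=")
            if name.lower() == "command" and value[:1] == value[-1:] == '"':
                cmd = value[1:-1].replace('\\"', '"')
        found.append((n, rest.split()[0] if rest else "?", cmd))
    return found

if __name__ == "__main__":
    for n, ktype, cmd in audit_root_keys(SAMPLE):
        status = f"forced command {cmd}" if cmd else "no command=, unusable for root"
        print(f"line {n}: {ktype}: {status}")
```

An entry reported with no command= matches the situation in the quoted question: sshd skips that key for root and falls through to the next authentication method.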


More information about the freebsd-questions mailing list