Confusion on SSH and PAM

Vinny vinny-mail-01+f.questions20071007 at palaceofretention.ca
Tue Oct 9 20:27:43 PDT 2007


Rakhesh Sasidharan wrote:
> 
[snip]
> 
> Here's another oddity I encountered today.
> 
> If "PermitRootLogin" is set to "forced-commands-only", my understanding 
> is the SSHD will permit root logins if a command to be executed is 
> given. But that doesn't seem to be the case in practice! I have keys 
> set up for root to login, but instead of letting me in with those keys, 
> SSHD ignores them, passes me to PAM for password prompting (three times) 
> and then denies me out! Very strange.

PermitRootLogin forced-commands-only

This requires that a command be present in the authorized_keys
file for a given key.  For example, root's authorized_keys
file might look like this for an rsync command:

command="/root/.ssh/cron/validate-rsync",from="10.10.10.2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
ssh-dss AAAAB3N_more_public_key_data comment

The entire text above should be only one line in the file.
The command shown in:

  command="/root/.ssh/cron/validate-rsync"

I.e. /root/.ssh/cron/validate-rsync

must be the command submitted on the ssh command line, loosely:

$ ssh -i private_key_matching_public_key_in_authorized_keys root@host \
  /root/.ssh/cron/validate-rsync

The root user cannot otherwise login to the system using ssh
unless further keys with corresponding commands exist.

Vinny
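For readers wondering what a validate-rsync style forced command can look like, here is an added illustration (not the original poster's script, and not part of this thread). When a key carries a command= option, sshd runs that program and passes whatever the client asked for in the SSH_ORIGINAL_COMMAND environment variable; this script accepts only a read-only rsync server invocation for one directory (the path is an assumed example) and refuses everything else, so the key cannot be used for a shell.

```shell
#!/bin/sh
# validate-rsync: forced-command guard for a backup key (illustrative example).
# sshd sets SSH_ORIGINAL_COMMAND to the command the client requested.
set -f                       # no filename globbing when we split words below

ALLOWED_PATH="/var/backups/"   # assumed example directory the client may pull

# validate_cmd CMD -> returns 0 if CMD is an accepted rsync server command,
# 1 otherwise. Kept as a function so it can be exercised without sshd.
validate_cmd() {
    cmd="$1"
    case "$cmd" in
        "") return 1 ;;                      # empty = interactive shell request
        *\;*|*\&*|*\|*|*\`*|*\$*|*\>*|*\<*) return 1 ;;   # shell metacharacters
    esac
    set -- $cmd                              # split into words (function-local)
    [ "$1" = "rsync" ]    || return 1
    [ "$2" = "--server" ] || return 1
    [ "$3" = "--sender" ] || return 1        # --sender: server only sends (pull)
    for last; do :; done                     # last word is the path rsync serves
    [ "$last" = "$ALLOWED_PATH" ] || return 1
    return 0
}

# Only act when sshd invoked us (the variable is set); otherwise the
# function above is merely defined, which lets the script be tested.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if validate_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND           # run the vetted rsync server
    fi
    echo "validate-rsync: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Rejected attempts are written to stderr, which the client sees and which sshd logs can be correlated with; tighten the option checks further if your backup job uses a fixed rsync flag string.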



More information about the freebsd-questions mailing list