Confusion on SSH and PAM
Vinny
vinny-mail-01+f.questions20071007 at palaceofretention.ca
Tue Oct 9 20:27:43 PDT 2007
Rakhesh Sasidharan wrote:
>
[snip]
>
> Here's another oddity I encountered today.
>
> If "PermitRootLogin" is set to "forced-commands-only", my understanding
> is the SSHD will permit root logins if a command to be executed is
> given. But that doesn't seem to be the case in practice! I have keys
> set up for root to log in, but instead of letting me in with those keys,
> SSHD ignores them, passes me to PAM for password prompting (three times)
> and then denies me out! Very strange.
PermitRootLogin forced-commands-only
This requires that a command be present in the authorized_keys
file for a given key. For example, root's authorized_keys
file might look like this for an rsync command:
command="/root/.ssh/cron/validate-rsync",from="10.10.10.2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
ssh-dss AAAAB3N_more_public_key_data comment
The entire text above should be only one line in the file.
The command shown in:
command="/root/.ssh/cron/validate-rsync"
I.e. /root/.ssh/cron/validate-rsync
must be the command submitted on the ssh command line, loosely:
$ ssh -i private_key_matching_public_key_in_authorized_keys root@host \
/root/.ssh/cron/validate-rsync
The root user cannot otherwise log in to the system using ssh
unless further keys with corresponding commands exist.
Vinny
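The validate-rsync script named in the authorized_keys entry above is not shown in the thread; the following is an added example of what such a forced-command wrapper typically does, not code from the original post. It relies on sshd placing the client's requested command in SSH_ORIGINAL_COMMAND and SSH_CONNECTION in the environment of a forced command; the directory /srv/backup/ is a constructed value.

```shell
#!/bin/sh
# Added example: a "validate-rsync"-style forced-command wrapper.
# When authorized_keys carries command="...", sshd runs this script instead
# of whatever the client asked for and exposes the client's request in
# $SSH_ORIGINAL_COMMAND. The wrapper permits only an rsync server invocation
# that reads from one directory and rejects anything else.
ALLOWED_DIR="/srv/backup/"   # constructed value for this example

# Returns 0 if the requested command is acceptable, 1 otherwise.
validate_rsync() {
    cmd="$1"
    case "$cmd" in
        "")
            echo "Rejected: interactive shell not permitted" >&2
            return 1 ;;
        *\;*|*\&*|*\|*|*\`*|*\$*|*\<*|*\>*|*\(*|*\)*)
            echo "Rejected: shell metacharacters in request" >&2
            return 1 ;;
        "rsync --server --sender . $ALLOWED_DIR"|"rsync --server --sender "*" . $ALLOWED_DIR")
            return 0 ;;   # rsync pulling from ALLOWED_DIR, with or without option flags
        *)
            echo "Rejected: $cmd" >&2
            return 1 ;;
    esac
}

# Act as the wrapper only inside a real ssh session (sshd sets SSH_CONNECTION);
# otherwise the file just defines validate_rsync so it can be reused or tested.
if [ -n "$SSH_CONNECTION" ]; then
    if validate_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f                      # no globbing when the request is split into words
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND  # word-split only; never handed to "sh -c"
    fi
    exit 1
fi
```

The pattern match requires the request to end in the allowed directory exactly, so a request for /etc/ or for /srv/backup/../etc/ is refused. rsync itself ships a more thorough wrapper of this kind, rrsync, in its support directory.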
More information about the freebsd-questions mailing list