Confusion on SSH and PAM
vinny-mail-01+f.questions20071007 at palaceofretention.ca
Tue Oct 9 20:27:43 PDT 2007
Rakhesh Sasidharan wrote:
> Here's another oddity I encountered today.
> If "PermitRootLogin" is set to "forced-commands-only", my understanding
> is the SSHD will permit root logins if a command to be executed is
> given. But that doesn't seem to be the case in practice! I have keys
> set up for root to login, but instead of letting me in with those keys,
> SSHD ignores them, passes me to PAM for password prompting (three times)
> and then denies me out! Very strange.
This requires that a command be present in the authorized_keys
file for a given key. For example, root's authorized_keys
file might look like this for an rsync command:
ssh-dss AAAAB3N_more_public_key_data comment
The entire text above should be only one line in the file.
The command shown in:
must be the command submitted on the ssh command line, loosely:
$ ssh -i private_key_matching_public_key_in_authorized_keys root@host \
The root user cannot otherwise login to the system using ssh
unless further keys with corresponding commands exist.
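
Added example, not part of the original message: a small Python audit that parses an authorized_keys file and reports which keys carry a command="..." option, since under "PermitRootLogin forced-commands-only" sshd accepts root public-key logins only for keys that have one. The sample keys, comments and command paths are constructed placeholders, and the function names parse_line and audit are hypothetical.

```python
# Added example: report which keys in an authorized_keys file carry command="...".
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample: key data, comments and command paths are placeholders.
SAMPLE = r'''# root's authorized_keys (constructed)
command="/usr/local/bin/nightly-backup",no-pty ssh-dss AAAAB3placeholder1 backup-job
ssh-rsa AAAAB3placeholder2 admin-laptop
no-pty,command="echo \"status, ok\"" ssh-ed25519 AAAAC3placeholder3 monitor
'''

def parse_line(line):
    """Return (options, key_fields) for one entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:      # no options field present
        return [], line
    opts, cur, in_quotes, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\" and line[i + 1:i + 2] == '"':
            cur += '"'                            # \" is a literal quote
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:          # option separator
            opts.append(cur)
            cur = ""
        elif c in " \t" and not in_quotes:        # end of the options field
            break
        else:
            cur += c
        i += 1
    opts.append(cur)
    return opts, line[i:].strip()

def audit(text):
    """Return [(line_no, comment, forced_command_or_None)] for every key."""
    rows = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        opts, key = parsed
        cmd = next((o[8:] for o in opts if o.lower().startswith("command=")), None)
        fields = key.split(None, 2)
        rows.append((n, fields[2] if len(fields) > 2 else "", cmd))
    return rows

if __name__ == "__main__":
    for n, comment, cmd in audit(SAMPLE):
        print(n, comment, "forced command: " + cmd if cmd else "NO command= (refused for root)")
```

Run against root's own authorized_keys, any row whose third field is None is a key that sshd will not accept for root under forced-commands-only.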