Confusion on SSH and PAM

Pollywog lists-fbsd at shadypond.com
Wed Sep 26 06:52:40 PDT 2007


On Wednesday 26 September 2007 11:02:26 Rakhesh Sasidharan wrote:
> CyberLeo Kitsana wrote:
> > Rakhesh Sasidharan wrote:
> >> Any ideas or nudges in the right direction as to why this is happening?
> >> Looks like I've understood the interaction between SSH and PAM wrong
> >> here, so would appreciate some enlightenment.
> >
> > According to my understanding of the SSH protocol, you're continually
> > asked because an authentication failure is not a fatal error.
> >
> > When authenticating an SSH session, a list of mutually supported methods
> > is compiled (public-key, challenge-response, S/Key,
> > keyboard-interactive, plaintext) and the client cycles through the list
> > based on what it thinks is most likely to work.
> >
> > It's perfectly acceptable for a client to attempt password
> > authentication before public-key, or even interleave them. All the
> > server can do is say yay or nay to an attempt with a restricted method,
> > because it cannot know if the next attempt may utilize an allowed method.
> >
> > After the requisite three or five failed attempts (depending on the
> > server config), it may send a general failure code (too many failed
> > attempts) and disconnect the client at its discretion.
>
> Here's another oddity I encountered today.
>
> If "PermitRootLogin" is set to "forced-commands-only", my understanding is
> the SSHD will permit root logins if a command to be executed is given. But
> that doesn't seem to be the case in practice! I have keys set up for root
> to login, but instead of letting me in with those keys, SSHD ignores them,
> passes me to PAM for password prompting (three times) and then denies me!
> Very strange.
>
> I even set up a "Match User" clause for root and specified a command to
> run. Still, SSHD refuses to let me in with/without key and for a specific
> command.

PermitRootLogin without-password won't allow what you want to do?
To use it, you have to set up a passphrase (public key).
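Added example (not part of the thread above): the configuration pairing that makes "forced-commands-only" behave as the sshd_config(5) man page describes. The option only admits root when the authorized_keys entry that matches the offered key carries a command= option; a key without that option is ignored, every other method is disabled for root, and the client then falls back to keyboard-interactive/PAM, which is exactly the three password prompts followed by a refusal reported above. Hostnames, paths, the backup command and the key material below are placeholders.

```sshd_config
# --- /etc/ssh/sshd_config (excerpt; placeholder values) ---

# Root may log in only with a public key whose authorized_keys entry
# carries a command= option. Password and PAM prompts still appear for
# root because the client falls back to them, but they can never succeed.
PermitRootLogin forced-commands-only

# If the intent is simply "root only with a key, any command", use this
# instead (spelled prohibit-password in OpenSSH 7.0 and later):
#PermitRootLogin without-password

# Match blocks must be the last thing in the file. ForceCommand here is a
# separate server-side setting: it replaces whatever command the client
# requests, but it does NOT satisfy forced-commands-only on its own. The
# command= option below is what that check looks for.
Match User root
    PasswordAuthentication no
    ForceCommand /usr/local/sbin/backup-dump

# --- /root/.ssh/authorized_keys (one line per key; placeholder key) ---
# This entry satisfies forced-commands-only. Without the command= option
# the same key is ignored and the login fails as described in the thread.
command="/usr/local/sbin/backup-dump",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAA...placeholder... backup@client.example
```

To check the result before restarting: `sshd -t -f /etc/ssh/sshd_config` validates the syntax, and on OpenSSH 5.1 or later `sshd -T -C user=root,host=client.example,addr=192.0.2.10` prints the effective settings for that connection (look for the permitrootlogin line), with the host and address being placeholders for the connecting client. Watch `/var/log/auth.log` (or `/var/log/messages` on a default FreeBSD install) for the "Public key ... not allowed" style message while testing: it distinguishes a key that was never offered from one that was offered and rejected.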

