SSH root login with keys only
Peggy Wilkins
enlil65 at gmail.com
Mon Apr 5 17:38:03 UTC 2010
On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman <vince at unsane.co.uk> wrote:
> I missed the rest of this thread so sorry its its been said already. As
> far as I knew the directive
> PermitRootLogin without-password
> in /etc/ssh/sshd_config
> should accomplish what was requested.
>
> However a note later in the default sshd_config file regarding the
> UsePAM setting says
> 'Depending on your PAM configuration,
> PAM authentication via ChallengeResponseAuthentication may bypass
> the setting of "PermitRootLogin without-password".'
That PAM comment in sshd_config got my attention a number of years
ago, so I did a lot of testing of various sshd/pam settings to try and
understand what could happen and to try and make some sense out of it.
My configurations:
in /etc/ssh/sshd_config:
PermitRootLogin without-password
UsePAM yes
in /etc/pam.d/sshd:
# auth: open policy: allow OPIE, ldap, and unix password
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so
no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
Using this configuration I have thoroughly tested on both FreeBSD-7
and (more recently) FreeBSD-8 and root is allowed in via ssh with
public key auth only; typing the unix password at it gets permission
denied for keyboard-interactive. Non-root users are allowed in via
either LDAP password or local unix password as expected.
I haven't configured OPIE for root, but it wouldn't bother me if it
worked for root in this setup since its design addresses why passwords
are insecure in the first place.
I use this in production on all my systems and haven't changed any
other of FreeBSD's default configurations for sshd.
I haven't gone so far as to check source code to see why this works as
it does. I'm guessing that PAM may allow passwords for root via
something that isn't pam_unix since by design PAM can allow anything.
But when using pam_unix, at least, it does observe the
without-password setting for root.
As always YMMV, but I am happy with this tested setup and so I use it
with confidence.
Peggy Wilkins
Sysadmin, The University of Chicago Library
More information about the freebsd-questions
mailing list