SSH root login with keys only

Peggy Wilkins enlil65 at gmail.com
Mon Apr 5 17:38:03 UTC 2010 

On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman <vince at unsane.co.uk> wrote:

> I missed the rest of this thread so sorry its its been said already. As
> far as I knew the directive
> PermitRootLogin without-password
> in /etc/ssh/sshd_config
> should accomplish what was requested.
>
> However a note later in the default sshd_config file regarding the
> UsePAM setting says
> 'Depending on your PAM configuration,
>  PAM authentication via ChallengeResponseAuthentication may bypass
> the setting of "PermitRootLogin without-password".'

That PAM comment in sshd_config got my attention a number of years
ago, so I did a lot of testing of various sshd/pam settings to try and
understand what could happen and to try and make some sense out of it.

My configurations:

in /etc/ssh/sshd_config:
PermitRootLogin without-password
UsePAM yes

in /etc/pam.d/sshd:
# auth: open policy: allow OPIE, ldap, and unix password
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so
no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

Using this configuration I have thoroughly tested on both FreeBSD-7
and (more recently) FreeBSD-8 and root is allowed in via ssh with
public key auth only; typing the unix password at it gets permission
denied for keyboard-interactive.  Non-root users are allowed in via
either LDAP password or local unix password as expected.

I haven't configured OPIE for root, but it wouldn't bother me if it
worked for root in this setup since its design addresses why passwords
are insecure in the first place.

I use this in production on all my systems and haven't changed any
other of FreeBSD's default configurations for sshd.

I haven't gone so far as to check source code to see why this works as
it does.  I'm guessing that PAM may allow passwords for root via
something that isn't pam_unix since by design PAM can allow anything.
But when using pam_unix, at least, it does observe the
without-password setting for root.

As always YMMV, but I am happy with this tested setup and so I use it
with confidence.

Peggy Wilkins
Sysadmin, The University of Chicago Library

More information about the freebsd-questions mailing list