Date:      Sun, 4 Apr 2010 23:35:13 +0000 (UTC)
From:      Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: SSH root login with keys only
Message-ID:  <hpb7nh$csf$1@dough.gmane.org>
References:  <hpaut3$4gl$1@dough.gmane.org> <4BB91FD5.3040403@locolomo.org>

On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote:

> On 04/04/10 23:04, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>>
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
> 
> Yes, you can create a Match block with the criteria User, something like
> this I guess will work (haven't tested):
> 
> PermitRootLogin yes
> Match User root
>      PasswordAuthentication no
> 
> check the man page. You might also want to restrict from where root can
> login with another match block.
> 

PasswordAuthentication is already disabled (by default).
I need to disable ChallengeResponseAuthentication however:

 /etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' 
   is not allowed within a Match block

Same thing for "UsePAM no" (though I would like to keep pam for accounting
and session management)

> I assume that you have decided root login is acceptable with the
> increased security of key authentication. Just beware that the key must
> be password protected.
> 
> BR, Erik
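
An sshd_config fragment that meets both conditions from the question, added here as an example and not taken from either poster. It assumes an OpenSSH release newer than this 2010 thread: AuthenticationMethods arrived in OpenSSH 6.2 and the prohibit-password value in 7.0.

```conf
# Global section: ordinary users keep PAM keyboard-interactive logins,
# and PAM account and session handling stays on for everyone.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes

# Root may log in, but not with password or keyboard-interactive methods.
# Since OpenSSH 7.0 this value bans all interactive methods for root;
# earlier releases still let keyboard-interactive through.
PermitRootLogin prohibit-password

# Explicit per-user restriction. AuthenticationMethods is permitted inside
# a Match block, unlike ChallengeResponseAuthentication and UsePAM.
Match User root
    AuthenticationMethods publickey

# Check the file and the settings that apply to root before reloading sshd:
#   sshd -t
#   sshd -T -C user=root,host=localhost,addr=127.0.0.1
```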




