Date: Mon, 05 Apr 2010 10:25:43 +0100
From: Vincent Hoffman <vince@unsane.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: SSH root login with keys only
Message-ID: <4BB9AC97.6020905@unsane.co.uk>
In-Reply-To: <4BB9AA98.7030205@unsane.co.uk>
References: <hpaut3$4gl$1@dough.gmane.org> <4BB9A6D4.8080604@infracaninophile.co.uk> <4BB9AA98.7030205@unsane.co.uk>

On 05/04/2010 10:17, Vincent Hoffman wrote:
> On 05/04/2010 10:01, Matthew Seaman wrote:
>
>> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
>>
>>> Is it possible to configure sshd such that both conditions are met:
>>>
>>> 1. Root will be able to login only by using keys
>>> 2. Normal users will still be able to use pam/keyboard-interactive
>>>
>> Only by running two instances of sshd on different ports / IP numbers.
>>
>>
> I missed the rest of this thread so sorry if it's been said already. As
> far as I knew the directive
> PermitRootLogin without-password
> in /etc/ssh/sshd_config
> should accomplish what was requested.
>
> However a note later in the default sshd_config file regarding the
> UsePAM setting says
> 'Depending on your PAM configuration,
> PAM authentication via ChallengeResponseAuthentication may bypass
> the setting of "PermitRootLogin without-password".'
>
> So I'd be interested to know if by default this is the case.
>
>
And sure enough when I have a look in the archive, my suggestion has
been discussed at length. Sorry for noise.

Vince

> Vince
>
>
>
>> Cheers,
>>
>> Matthew
>>
>>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
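
The sshd_config note quoted in the message above can be turned into a static check. The following is an added example, not part of the original e-mail or of FreeBSD's tooling: it reads the global section of an sshd_config and reports when "PermitRootLogin without-password" sits beside the UsePAM and ChallengeResponseAuthentication settings the note warns about. The function names, the sample configurations and the default values used for unset keywords are assumptions; confirm the real effective values with `sshd -T` on the host.

```python
# Added example. ASSUMED_DEFAULTS is an assumption about what sshd uses when a
# keyword is unset; replace it with the values `sshd -T` prints on your system.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "no",
    "usepam": "yes",
    "challengeresponseauthentication": "yes",
}

def effective_settings(text, defaults=ASSUMED_DEFAULTS):
    """Return the effective value of each tracked keyword in the global section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # Match blocks apply conditionally; only global settings are checked
        seen.setdefault(key, value)  # sshd keeps the first value it reads
    return {k: seen.get(k, d) for k, d in defaults.items()}

def root_key_only_findings(text, defaults=ASSUMED_DEFAULTS):
    """List reasons why root might still authenticate without a key."""
    s = effective_settings(text, defaults)
    findings = []
    root = s["permitrootlogin"]
    if root == "yes":
        findings.append("PermitRootLogin yes: root may use any enabled method")
    # prohibit-password is the newer spelling of without-password
    elif root in ("without-password", "prohibit-password"):
        if s["usepam"] == "yes" and s["challengeresponseauthentication"] == "yes":
            findings.append(
                "UsePAM yes + ChallengeResponseAuthentication yes: depending on "
                "the PAM configuration, root may pass keyboard-interactive"
            )
    return findings

# Constructed sample inputs (not taken from any real host).
SAMPLE_FLAGGED = """\
PermitRootLogin without-password
UsePAM yes
ChallengeResponseAuthentication yes
"""
# Turning challenge-response off also removes it for normal users.
SAMPLE_NO_CHALLENGE = """\
PermitRootLogin without-password
UsePAM yes
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("flagged", SAMPLE_FLAGGED), ("no-challenge", SAMPLE_NO_CHALLENGE)):
        print(name, root_key_only_findings(cfg) or "no findings")
```

A finding here means the PAM stack for sshd needs review, not that root password login is confirmed to work.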