Date:      Mon, 5 Apr 2010 13:19:07 +0000 (UTC)
From:      Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: SSH root login with keys only
Message-ID:  <hpco0b$eji$1@dough.gmane.org>
References:  <hpaut3$4gl$1@dough.gmane.org> <4BB9A6D4.8080604@infracaninophile.co.uk>

On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:

> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>> 
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
> 
> Only by running two instances of sshd on different ports / IP numbers.
> 

Thanks for all responses.
I've finally solved it by configuring PAM to deny root.
Unfortunately all of the pam modules in the base system that can do it
deny login only in the "account" phase, which is too late for sshd.
I've modified pam_securetty to also provide the "auth" facility.

For anyone interested, here is a patch:

--- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c	2010-02-18 00:12:28.000000000 +0100
+++ pam_securetty/pam_securetty.c	2010-04-05 04:47:21.000000000 +0200
@@ -45,2 +45,3 @@
 
+#define PAM_SM_AUTH
 #define PAM_SM_ACCOUNT
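Review bot: defining PAM_SM_AUTH next to PAM_SM_ACCOUNT makes the module advertise an auth facility, but nothing in the patch updates the module's manual page (pam_securetty(8)) or its comment block to say so. Document that the new auth hook applies the same tty check as the account hook and verifies no credential, so whoever edits pam.d files knows what control flag it needs.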
@@ -54,2 +55,24 @@
 PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+    int argc, const char *argv[])
+{
+	const char *user;
+	int r;
+
+	if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		return (r);
+
+	return (pam_sm_acct_mgmt(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+    int argc __unused, const char *argv[] __unused)
+{
+
+	return (PAM_SUCCESS);
+}
+
+
+PAM_EXTERN int
 pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
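Review bot: in pam_sm_authenticate the `user` obtained from pam_get_user is never used; pam_sm_acct_mgmt receives the same handle and looks the user up itself, so either drop the local and the call or add a comment that it exists only to force the username prompt before the check runs. Because the auth hook verifies no password or key and merely passes the account-phase verdict back, the pam.d/sshd entry for it must be `requisite` or `required`, never `sufficient`: a PAM_SUCCESS for a user the tty check does not reject would otherwise satisfy the auth stack before pam_unix.so ever ran. The double blank line before the final `PAM_EXTERN int` is a style nit.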

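Where the patched module would sit in sshd's PAM stack, as an added illustration that is not part of the original message or of FreeBSD's shipped /etc/pam.d/sshd. It assumes the rebuilt module is installed as pam_securetty.so and that the tty sshd reports to PAM is not marked secure, so the module's check refuses root. The reason the auth phase is the right place: sshd only runs the PAM auth stack for password and keyboard-interactive logins, while publickey logins skip it and hit only the account stack, which is why an account-phase denial also blocks root's keys.

```conf
# /etc/pam.d/sshd, auth section only (constructed example; account and
# session lines are left as the system ships them).

# Weak: with "sufficient", a PAM_SUCCESS from the tty check ends the
# auth stack, so a non-root user could log in with no password at all.
#auth    sufficient  pam_securetty.so

# Intended: "requisite" aborts the stack the moment the module refuses
# root; everyone else falls through to the usual password check.
auth    requisite   pam_securetty.so
auth    required    pam_unix.so     no_warn try_first_pass
```

Root's publickey logins are unaffected by either form, because they never enter this stack; the effect is confined to password and keyboard-interactive attempts, which is exactly the split the thread asked for.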