From owner-freebsd-questions@FreeBSD.ORG Mon Apr 5 16:40:00 2010
Date: Mon, 5 Apr 2010 10:39:59 -0600
References: <4BB9A6D4.8080604@infracaninophile.co.uk>
From: Modulok
To: Marcin Wisnicki
Cc: freebsd-questions@freebsd.org
Subject: Re: SSH root login with keys only

You should also consider posting your patch and related content to
'freebsd-hackers@freebsd.org'.

-Modulok-

On 4/5/10, Marcin Wisnicki wrote:
> On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
>>> Is it possible to configure sshd such that both conditions are met:
>>>
>>> 1. Root will be able to log in only by using keys
>>> 2. Normal users will still be able to use pam/keyboard-interactive
>>
>> Only by running two instances of sshd on different ports / IP numbers.
>>
>
> Thanks for all responses.
> I've finally solved it by configuring PAM to deny root.
> Unfortunately, all of the PAM modules in the base system that can do it
> deny login only in the "account" phase, which is too late for sshd.
> I've modified pam_securetty to also provide the "auth" facility.
>
> For anyone interested, here is a patch:
>
> --- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c 2010-02-18
> 00:12:28.000000000 +0100
> +++ pam_securetty/pam_securetty.c 2010-04-05 04:47:21.000000000 +0200
> @@ -45,2 +45,3 @@
>
> +#define PAM_SM_AUTH
> #define PAM_SM_ACCOUNT
> @@ -54,2 +55,24 @@
> PAM_EXTERN int
> +pam_sm_authenticate(pam_handle_t *pamh, int flags,
> + int argc, const char *argv[])
> +{
> + const char *user;
> + int r;
> +
> + if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
> + return (r);
> +
> + return (pam_sm_acct_mgmt(pamh, flags, argc, argv));
> +}
> +
> +PAM_EXTERN int
> +pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
> + int argc __unused, const char *argv[] __unused)
> +{
> +
> + return (PAM_SUCCESS);
> +}
> +
> +
> +PAM_EXTERN int
> pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
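Review bot: the first hunk (`+#define PAM_SM_AUTH` beside the existing `#define PAM_SM_ACCOUNT`) turns on a second facility, but nothing in the patch updates pam_securetty(8), which is where an administrator will look to learn that the module may now be listed under `auth` as well as `account` and that both apply the same root check; add the man page change to the same patch. Also, the `---` header names the absolute path /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c while `+++` names a relative pam_securetty/pam_securetty.c, and the mailer has wrapped the `---` line after the date (the `>` before `00:12:28` shows the break), so the patch will not apply with a single -p level; regenerate it from a source checkout so both sides share a prefix, and send it as an attachment or unwrapped.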
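Review bot: in pam_sm_authenticate the value fetched by `pam_get_user(pamh, &user, NULL)` is never read, so `user` is a dead local and the call contributes only an early return when pam_get_user fails; pam_sm_acct_mgmt receives the same pamh and can fetch the user itself, so either reduce the body to `return (pam_sm_acct_mgmt(pamh, flags, argc, argv));` and drop `user` and `r`, or add a comment saying the extra call is a deliberate early check. Two smaller points in the same hunk: the context line shows pam_sm_acct_mgmt declaring `flags __unused`, so forwarding `flags` is harmless but misleading, and the two consecutive blank lines before the last `+PAM_EXTERN int` should be one per style(9).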
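How the patched module would be wired in so that it actually runs in sshd's authentication phase, as an added example that is not part of the thread. It assumes the patched pam_securetty is installed as the base system's pam_securetty.so, that sshd is FreeBSD's base OpenSSH with PAM support, and that the other lines of the stock /etc/pam.d/sshd are left in place after the two shown; the option values are assumptions, not settings from the posts.

```conf
# /etc/ssh/sshd_config (relevant lines only; assumed values, not from the thread)
#
# PermitRootLogin must allow root at all, UsePAM must be on for the PAM "auth"
# stack to be consulted, and ChallengeResponseAuthentication is what gives
# normal users keyboard-interactive through PAM.
PermitRootLogin yes
UsePAM yes
ChallengeResponseAuthentication yes

# /etc/pam.d/sshd ("auth" section only; assumed ordering, not from the thread)
#
# pam_securetty goes first and is "requisite": with the patch it now provides
# pam_sm_authenticate, which applies the same check as its "account" hook, so a
# root password/keyboard-interactive attempt fails here before pam_unix ever
# sees the password. Non-root users pass straight through to pam_unix.
# Public-key logins never enter the "auth" stack (sshd runs pam_authenticate
# only for password and keyboard-interactive), which is why root can still
# log in with a key while the "account" and "session" stacks still run for it.
auth		requisite	pam_securetty.so
auth		required	pam_unix.so		no_warn try_first_pass
```

Two caveats worth checking before relying on this: the module only denies root because sshd never presents a tty that is marked secure in /etc/ttys, so adding `ssh` to /etc/ttys as secure would silently reopen password logins for root; and OpenSSH's own `PermitRootLogin without-password` (later renamed `prohibit-password`) refuses root for password and keyboard-interactive while accepting keys without any PAM change, so the PAM route is mainly useful where the same root restriction must also cover other PAM-using services.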