From owner-freebsd-questions@FreeBSD.ORG Mon Apr 5 17:38:03 2010
From: Peggy Wilkins
To: freebsd-questions@freebsd.org
Date: Mon, 5 Apr 2010 12:38:01 -0500
Subject: Re: SSH root login with keys only
In-Reply-To: <4BB9AA98.7030205@unsane.co.uk>
References: <4BB9A6D4.8080604@infracaninophile.co.uk> <4BB9AA98.7030205@unsane.co.uk>

On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman wrote:
> I missed the rest of this thread so sorry if it's been said already. As
> far as I knew the directive
>     PermitRootLogin without-password
> in /etc/ssh/sshd_config
> should accomplish what was requested.
>
> However a note later in the default sshd_config file regarding the
> UsePAM setting says
> 'Depending on your PAM configuration,
>  PAM authentication via ChallengeResponseAuthentication may bypass
> the setting of "PermitRootLogin without-password".'

That PAM comment in sshd_config got my attention a number of years ago, so I did a lot of testing of various sshd/pam settings to try and understand what could happen and to try and make some sense out of it.

My configurations:

in /etc/ssh/sshd_config:

    PermitRootLogin without-password
    UsePAM yes

in /etc/pam.d/sshd:

    # auth: open policy: allow OPIE, ldap, and unix password
    auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth    requisite   pam_opieaccess.so           no_warn allow_local
    auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth    required    pam_unix.so                 no_warn try_first_pass

Using this configuration I have thoroughly tested on both FreeBSD-7 and (more recently) FreeBSD-8, and root is allowed in via ssh with public key auth only; typing the unix password at it gets permission denied for keyboard-interactive. Non-root users are allowed in via either LDAP password or local unix password as expected. I haven't configured OPIE for root, but it wouldn't bother me if it worked for root in this setup since its design addresses why passwords are insecure in the first place. I use this in production on all my systems and haven't changed any other of FreeBSD's default configurations for sshd.

I haven't gone so far as to check source code to see why this works as it does. I'm guessing that PAM may allow passwords for root via something that isn't pam_unix, since by design PAM can allow anything. But when using pam_unix, at least, it does observe the without-password setting for root. As always YMMV, but I am happy with this tested setup and so I use it with confidence.

Peggy Wilkins
Sysadmin, The University of Chicago Library
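The interaction the poster tested by hand, between `PermitRootLogin without-password`, `UsePAM`, `ChallengeResponseAuthentication` and the `sufficient` modules in the PAM `auth` stack, can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD: it parses an sshd_config fragment and a pam.d/sshd auth stack and reports which settings leave a PAM-driven keyboard-interactive path open for root. The sample inputs are constructed (the PAM lines mirror the ones quoted above); the defaults assumed for unset keywords (`UsePAM no`, `ChallengeResponseAuthentication yes`) are upstream OpenSSH defaults, and the rule that only pam_unix is known to honour the without-password setting is taken from the poster's own test results rather than from source.

```python
import re

# Constructed sample inputs, not the poster's complete files.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
PermitRootLogin without-password
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
"""

SAMPLE_PAM_SSHD = """\
# auth: open policy: allow OPIE, ldap, and unix password
auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so           no_warn allow_local
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    required    pam_unix.so                 no_warn try_first_pass
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): value}. sshd honours the FIRST occurrence
    of a keyword, so later duplicates are ignored here as well."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)
    return opts


def parse_pam_auth(text):
    """Return the 'auth' stack as a list of (control, module, args);
    module paths are reduced to their basename."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() != "auth":
            continue
        control, module, args = fields[1].lower(), fields[2], fields[3:]
        stack.append((control, module.rsplit("/", 1)[-1], args))
    return stack


def audit_root_login(sshd_text, pam_text):
    """Return a list of findings describing how root may authenticate over SSH."""
    findings = []
    opts = parse_sshd_config(sshd_text)
    prl = opts.get("permitrootlogin")
    if prl is None:
        findings.append("PermitRootLogin not set explicitly; relies on sshd's compiled-in default")
    elif prl.lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    elif prl.lower() == "no":
        findings.append("PermitRootLogin no: root cannot log in over SSH at all")
        return findings  # nothing below applies

    # Keyboard-interactive via PAM is reachable only when both are on.
    # Assumed defaults for unset keywords: UsePAM no (upstream OpenSSH),
    # ChallengeResponseAuthentication yes (upstream OpenSSH).
    usepam = opts.get("usepam", "no").lower() == "yes"
    cra = opts.get("challengeresponseauthentication", "yes").lower() == "yes"
    if usepam and cra and prl is not None and prl.lower() != "yes":
        findings.append("keyboard-interactive via PAM is enabled alongside "
                        f"PermitRootLogin {prl}; PAM policy decides whether root gets a password prompt")
        for control, module, args in parse_pam_auth(pam_text):
            # pam_unix was observed to honour without-password (per the thread);
            # any other module that can succeed on its own deserves a look.
            if control == "sufficient" and module != "pam_unix.so":
                findings.append(f"review {module} ({control}): a non-pam_unix module that can "
                                "grant auth on its own; confirm it does not accept a root password")
        findings.append("mitigation: ChallengeResponseAuthentication no removes the PAM "
                        "keyboard-interactive path, leaving root with public-key auth only")
    return findings


if __name__ == "__main__":
    for finding in audit_root_login(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD):
        print(finding)
```

Running it against the constructed sample flags pam_opie.so and pam_ldap.so for review and leaves pam_unix.so alone, which matches the poster's observation that the unix-password path honours the setting while other PAM modules are an open question.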