Date:      Mon, 5 Apr 2010 19:34:45 +0000 (UTC)
From:      Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: SSH root login with keys only
Message-ID:  <hpde0l$eji$4@dough.gmane.org>
References:  <hpaut3$4gl$1@dough.gmane.org> <4BB9A6D4.8080604@infracaninophile.co.uk> <4BB9AA98.7030205@unsane.co.uk> <q2p1789c2361004051038gf1b531eve87c734bb48c4864@mail.gmail.com>

On Mon, 05 Apr 2010 12:38:01 -0500, Peggy Wilkins wrote:

> On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman <vince@unsane.co.uk>
> wrote:
>>
>> However a note later in the default sshd_config file regarding the
>> UsePAM setting says
>> 'Depending on your PAM configuration,
>>  PAM authentication via ChallengeResponseAuthentication may bypass
>> the setting of "PermitRootLogin without-password".'
> 
> That PAM comment in sshd_config got my attention a number of years ago,
> so I did a lot of testing of various sshd/pam settings to try and
> understand what could happen and to try and make some sense out of it.
> 
> My configurations:
> 
> in /etc/ssh/sshd_config:
> PermitRootLogin without-password
> UsePAM yes

Hmm.. indeed it seems to work just fine.

> 
> I haven't gone so far as to check source code to see why this works as
> it does.  I'm guessing that PAM may allow passwords for root via
> something that isn't pam_unix since by design PAM can allow anything.
> But when using pam_unix, at least, it does observe the without-password
> setting for root.
> 

I've followed the code and it looks like when 'without-password' is enabled
then whatever password you entered will be replaced with "\b\n\r\177INCORRECT"
in auth-pam.c:1175 before calling pam with a hope that it is not really your
password ;)

But I've tried the worst-case scenario (auth sufficient pam_permit.so) and it seems
even that will be denied, as there is an extra check in auth-pam.c:779 so it will
fail anyway:

fatal: Internal error: PAM auth succeeded when it should have failed

So it seems it is in fact perfectly safe to use such a combination of options.
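A small Python model of the two guards the message describes, added here as an illustration (this is not OpenSSH's auth-pam.c; `sshd_pam_password_auth`, the PAM-policy functions and the account data are constructed assumptions):

```python
"""Model of the two guards sshd places around PAM password authentication
for root when PermitRootLogin is not 'yes', as described in the thread.
Illustrative re-implementation only; names and sample data are assumed."""

from dataclasses import dataclass

# Stand-in for the deliberately wrong password sshd hands to PAM instead
# of the one the client typed ("\177" in C is octal for 0x7f).
BAD_PASSWORD = "\b\n\r\x7fINCORRECT"


@dataclass
class Account:
    name: str
    uid: int
    password: str  # the account's real password (constructed sample)


class PamInternalError(Exception):
    """Stands in for sshd's fatal(): the connection is dropped, not merely denied."""


def pam_unix(account: Account, supplied: str) -> bool:
    """Model of 'auth required pam_unix.so': accept only the real password."""
    return supplied == account.password


def pam_permit(account: Account, supplied: str) -> bool:
    """Model of 'auth sufficient pam_permit.so': accepts anything (worst case)."""
    return True


def sshd_pam_password_auth(account: Account, supplied: str,
                           permit_root_login: str, pam_policy) -> bool:
    """Return True if PAM password auth succeeds for this account."""
    # Guard 1: root with anything other than 'PermitRootLogin yes' never has
    # the real password forwarded to PAM; a known-bad one is sent instead.
    root_blocked = account.uid == 0 and permit_root_login != "yes"
    forwarded = BAD_PASSWORD if root_blocked else supplied
    pam_ok = pam_policy(account, forwarded)
    # Guard 2: if PAM accepted anyway (e.g. pam_permit), sshd treats that as
    # an internal error and aborts rather than logging root in.
    if pam_ok and root_blocked:
        raise PamInternalError("PAM auth succeeded when it should have failed")
    return pam_ok
```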
