From owner-freebsd-questions@FreeBSD.ORG Mon Apr 5 19:35:05 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6A3AF106566C for ; Mon, 5 Apr 2010 19:35:05 +0000 (UTC) (envelope-from freebsd-questions@m.gmane.org) Received: from lo.gmane.org (lo.gmane.org [80.91.229.12]) by mx1.freebsd.org (Postfix) with ESMTP id EA7BC8FC0A for ; Mon, 5 Apr 2010 19:35:04 +0000 (UTC) Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1Nys4U-0004YW-7n for freebsd-questions@freebsd.org; Mon, 05 Apr 2010 21:34:54 +0200 Received: from static-78-8-147-77.ssp.dialog.net.pl ([78.8.147.77]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 05 Apr 2010 21:34:54 +0200 Received: from mwisnicki+freebsd by static-78-8-147-77.ssp.dialog.net.pl with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 05 Apr 2010 21:34:54 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-questions@freebsd.org From: Marcin Wisnicki Date: Mon, 5 Apr 2010 19:34:45 +0000 (UTC) Lines: 43 Message-ID: References: <4BB9A6D4.8080604@infracaninophile.co.uk> <4BB9AA98.7030205@unsane.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Complaints-To: usenet@dough.gmane.org X-Gmane-NNTP-Posting-Host: static-78-8-147-77.ssp.dialog.net.pl User-Agent: Pan/0.132 (Waxed in Black) Subject: Re: SSH root login with keys only X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Apr 2010 19:35:05 -0000 On Mon, 05 Apr 2010 12:38:01 -0500, Peggy Wilkins wrote: > On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman > wrote: >> >> However a note later in the default sshd_config file regarding the >> UsePAM setting says >> 'Depending on your PAM configuration, >>  PAM authentication via ChallengeResponseAuthentication may bypass >> the setting of "PermitRootLogin without-password".' > > That PAM comment in sshd_config got my attention a number of years ago, > so I did a lot of testing of various sshd/pam settings to try and > understand what could happen and to try and make some sense out of it. > > My configurations: > > in /etc/ssh/sshd_config: > PermitRootLogin without-password > UsePAM yes Hmm.. indeeed it seems to work just fine > > I haven't gone so far as to check source code to see why this works as > it does. I'm guessing that PAM may allow passwords for root via > something that isn't pam_unix since by design PAM can allow anything. > But when using pam_unix, at least, it does observe the without-password > setting for root. > I've followed the code and it looks like when 'without-password' is enabled then whatever password you entered will be replaced with "\b\n\r\177INCORRECT" in auth-pam.c:1175 before calling pam with a hope that it is not really your password ;) But I've tried worst case scenario (auth sufficient pam_permit.so) and it seems even that will be denied as there is an extra check in auth-pam.c:779 so it will fail anyway: fatal: Internal error: PAM auth succeeded when it should have failed So it seems it is in fact perfectly safe to use such combination of options.