From: Vincent Hoffman
Date: Mon, 05 Apr 2010 10:17:12 +0100
To: freebsd-questions@freebsd.org
Subject: Re: SSH root login with keys only

On 05/04/2010 10:01, Matthew Seaman wrote:
> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
> > Is it possible to configure sshd such that both conditions are met:
> >
> > 1. Root will be able to login only by using keys
> > 2. Normal users will still be able to use pam/keyboard-interactive
>
> Only by running two instances of sshd on different ports / IP numbers.
>

I missed the rest of this thread so sorry if it's been said already.
As far as I knew the directive PermitRootLogin without-password in /etc/ssh/sshd_config should accomplish what was requested. However a note later in the default sshd_config file regarding the UsePAM setting says 'Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin without-password".'
So I'd be interested to know if by default this is the case.

Vince

> Cheers,
>
> Matthew
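
The sshd_config note quoted in the message above names a specific combination of settings. The following check for that combination is an added example, not part of the original message or of OpenSSH; the sample configuration is constructed, the function names are hypothetical, and only explicitly set keywords are evaluated (compiled-in defaults are not assumed).

```python
# Constructed sample input, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
PermitRootLogin without-password
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PermitRootLogin no
"""

KEYWORDS = ("permitrootlogin", "usepam", "challengeresponseauthentication")
# "prohibit-password" is the newer OpenSSH spelling of "without-password".
KEYS_ONLY = ("without-password", "prohibit-password")


def effective_global_settings(text):
    """Return the global (pre-Match) value of each keyword of interest.

    sshd keeps the first value it obtains for a keyword, so later
    duplicates are ignored; parsing stops at the first Match block.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break
        if key in KEYWORDS and args and key not in settings:
            settings[key] = args[0]
    return settings


def root_password_bypass_risk(text):
    """True when the quoted note's precondition holds: root is limited to
    non-password logins while PAM challenge-response is explicitly on."""
    s = effective_global_settings(text)
    root_keys_only = s.get("permitrootlogin") in KEYS_ONLY
    pam_cr = (s.get("usepam") == "yes"
              and s.get("challengeresponseauthentication") == "yes")
    return root_keys_only and pam_cr


if __name__ == "__main__":
    print("review PAM stack for root:", root_password_bypass_risk(SAMPLE_CONFIG))
```

A True result means only that the precondition in the note is present; whether root can actually authenticate through PAM still depends on the PAM configuration, as the note says.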