Date:      Mon, 5 Apr 2010 12:38:01 -0500
From:      Peggy Wilkins <enlil65@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: SSH root login with keys only
Message-ID:  <q2p1789c2361004051038gf1b531eve87c734bb48c4864@mail.gmail.com>
In-Reply-To: <4BB9AA98.7030205@unsane.co.uk>
References:  <hpaut3$4gl$1@dough.gmane.org> <4BB9A6D4.8080604@infracaninophile.co.uk> <4BB9AA98.7030205@unsane.co.uk>

On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman <vince@unsane.co.uk> wrote:

> I missed the rest of this thread so sorry if it's been said already. As
> far as I knew the directive
> PermitRootLogin without-password
> in /etc/ssh/sshd_config
> should accomplish what was requested.
>
> However a note later in the default sshd_config file regarding the
> UsePAM setting says
> 'Depending on your PAM configuration,
> PAM authentication via ChallengeResponseAuthentication may bypass
> the setting of "PermitRootLogin without-password".'

That PAM comment in sshd_config got my attention a number of years
ago, so I did a lot of testing of various sshd/pam settings to try and
understand what could happen and to try and make some sense out of it.

My configurations:

in /etc/ssh/sshd_config:
PermitRootLogin without-password
UsePAM yes

in /etc/pam.d/sshd:
# auth: open policy: allow OPIE, ldap, and unix password
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

Using this configuration I have thoroughly tested on both FreeBSD-7
and (more recently) FreeBSD-8 and root is allowed in via ssh with
public key auth only; typing the unix password at it gets permission
denied for keyboard-interactive.  Non-root users are allowed in via
either LDAP password or local unix password as expected.

I haven't configured OPIE for root, but it wouldn't bother me if it
worked for root in this setup since its design addresses why passwords
are insecure in the first place.

I use this in production on all my systems and haven't changed any of
FreeBSD's other default configurations for sshd.

I haven't gone so far as to check source code to see why this works as
it does.  I'm guessing that PAM may allow passwords for root via
something that isn't pam_unix since by design PAM can allow anything.
But when using pam_unix, at least, it does observe the
without-password setting for root.

As always YMMV, but I am happy with this tested setup and so I use it
with confidence.

Peggy Wilkins
Sysadmin, The University of Chicago Library
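An added check, not part of the original post or of FreeBSD, that reads an sshd_config and a pam.d/sshd file and reports whether the PAM auth stack, rather than "PermitRootLogin without-password" alone, ends up deciding root password logins, which is the interaction the sshd_config comment warns about. The file paths, the sample files and the function names are assumptions of this example; it parses copies of the files rather than asking the running sshd.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the PermitRootLogin /
# UsePAM / ChallengeResponseAuthentication interaction discussed in the thread.
# Paths are passed in so it can be run against copies or test files.

# Effective value of an sshd_config keyword: sshd keeps the FIRST occurrence,
# keywords are case-insensitive, and lines after the first "Match" block are
# conditional, so the scan stops there. Assumes "Keyword value" (no "=").
sshd_opt() {
    # $1 = sshd_config path, $2 = keyword, $3 = default when absent
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# The "auth" stack of a PAM service file as "control:module" in order.
pam_auth_stack() {
    awk '$1 == "auth" { print $2 ":" $3 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# With UsePAM and ChallengeResponseAuthentication (upstream default: yes) both
# on, whether root may log in with a password is decided by the PAM auth stack;
# otherwise PermitRootLogin alone settles it. Upstream compiled default for
# UsePAM is "no"; FreeBSD's shipped sshd_config sets it to "yes" explicitly.
root_login_verdict() {
    prl=$(sshd_opt "$1" PermitRootLogin yes)
    usepam=$(sshd_opt "$1" UsePAM no)
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    case "$prl" in
        no)  echo "root-denied"; return ;;
        yes) echo "root-password-allowed"; return ;;
    esac
    if [ "$usepam" = yes ] && [ "$cra" = yes ]; then
        echo "pam-decides-root-password"   # review pam_auth_stack "$2"
    else
        echo "key-only"
    fi
}

# Constructed sample files mirroring the settings quoted in the thread.
WORK=$(mktemp -d)
printf 'PermitRootLogin without-password\nUsePAM yes\n' > "$WORK/sshd_config"
cat > "$WORK/pam_sshd" <<'EOF'
auth  sufficient  pam_opie.so                 no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so           no_warn allow_local
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required    pam_unix.so                 no_warn try_first_pass
EOF
echo "$(root_login_verdict "$WORK/sshd_config" "$WORK/pam_sshd"): $(pam_auth_stack "$WORK/pam_sshd")"
```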