Date: Tue, 09 Oct 2007 23:27:09 -0400
From: Vinny <vinny-mail-01+f.questions20071007@palaceofretention.ca>
To: freebsd-questions@freebsd.org
Subject: Re: Confusion on SSH and PAM
Message-ID: <470C468D.4080604@palaceofretention.ca>
In-Reply-To: <20070926145429.B65660@dogmatix.home.rakhesh.com>
References: <20070925150058.J79029@dogmatix.home.rakhesh.com> <46F910EE.6070005@cyberleo.net> <20070926145429.B65660@dogmatix.home.rakhesh.com>
Rakhesh Sasidharan wrote:
> [snip]
>
> Here's another oddity I encountered today.
>
> If "PermitRootLogin" is set to "forced-commands-only", my understanding
> is the SSHD will permit root logins if a command to be executed is
> given. But that doesn't seem to be the case in practice! I have keys
> setup for root to login, but instead of letting me in with those keys,
> SSHD ignores them, passes me to PAM for password prompting (three times)
> and then denies me out! Very strange.

PermitRootLogin forced-commands-only

This requires that a command be present in the authorized_keys file for a
given key. For example, root's authorized_keys file might look like this
for an rsync command:

command="/root/.ssh/cron/validate-rsync",from="10.10.10.2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3N_more_public_key_data comment

The entire text above should be only one line in the file.

The command shown in:

command="/root/.ssh/cron/validate-rsync"

I.e. /root/.ssh/cron/validate-rsync must be the command submitted on the
ssh command line, loosely:

$ ssh -i private_key_matching_public_key_in_authorized_keys root@host \
    /root/.ssh/cron/validate-rsync

The root user cannot otherwise login to the system using ssh unless
further keys with corresponding commands exist.

Vinny
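The message above names a wrapper called validate-rsync but does not show its contents. The script below is an added example of what such a forced-command wrapper typically does; it is not Vinny's script and nothing in the thread describes its internals. It relies on one fact of sshd behaviour: when a key carries a command="..." option, sshd runs that command and places whatever the client actually requested in the SSH_ORIGINAL_COMMAND environment variable. The allow-list (rsync server invocations confined to /srv/backup) and the --serve entry flag are constructed for the example.

```shell
#!/bin/sh
# Added example: a forced-command wrapper in the style of the validate-rsync
# script named in the authorized_keys line above. sshd runs this script for the
# key; the client's requested command arrives in SSH_ORIGINAL_COMMAND and is
# only executed if it matches a narrow allow-list.

# Return 0 if the requested command is a permitted rsync server invocation.
# The permitted forms and the /srv/backup prefix are constructed for this example.
validate_command() {
    req="$1"
    case "$req" in
        # Reject shell metacharacters, globbing and path traversal outright,
        # since the accepted string is later split into words and exec'd.
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'*'*|*'?'*|*'<'*|*'>'*|*'..'*)
            return 1 ;;
        # Client pulling from the server: rsync --server --sender <flags> . /srv/backup/...
        "rsync --server --sender "*" . /srv/backup/"*)
            return 0 ;;
        # Client pushing to the server: rsync --server <flags> . /srv/backup/...
        "rsync --server "*" . /srv/backup/"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Entry point used when sshd invokes this script as the forced command.
run_forced_command() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # No command requested at all, i.e. an interactive login attempt.
        echo "interactive login not permitted for this key" >&2
        exit 1
    fi
    if validate_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t validate-rsync "allowed: $SSH_ORIGINAL_COMMAND" 2>/dev/null || true
        # Deliberately unquoted: the validated string is split into argv.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t validate-rsync "rejected: $SSH_ORIGINAL_COMMAND" 2>/dev/null || true
    echo "command rejected" >&2
    exit 1
}

# Only act as the forced command when started with --serve, so the file can
# also be sourced to test validate_command on its own.
if [ "${1:-}" = "--serve" ]; then
    run_forced_command
fi
```

Installed as command="/root/.ssh/cron/validate-rsync --serve" on the key, this keeps the key usable for the cron rsync job while an attempt to obtain a shell or to rsync any other path with the same key is logged and refused.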