Date:      Thu, 22 Nov 2007 21:21:55 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Quan Qiu <jackqq@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Software for distribution of configuration files and changes
Message-ID:  <20071123052155.GA721@eos.sc1.parodius.com>
In-Reply-To: <53a565700711221721v1eb695bcy507780fc3fc30eaa@mail.gmail.com>
References:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAACAAAAAAAAAAiuboouUF6EKrT2uPks5M1AAAAAD7AgAAAPYFABAAAAAdMdDZF9ebRbtpiHRx6LqFAQAAAAA=@kmjeuro.com> <474325A0.7060802@gmail.com> <200711202315.lAKNFa4R012904@fire.js.berklix.net> <20071121002043.GA98340@eos.sc1.parodius.com> <53a565700711202145q3c1a8db5k8c0d41d7ad890405@mail.gmail.com> <EC7D0AEA-8151-45BC-B2C4-15B5E108F404@khera.org> <53a565700711221721v1eb695bcy507780fc3fc30eaa@mail.gmail.com>

On Fri, Nov 23, 2007 at 09:21:24AM +0800, Quan Qiu wrote:
> On Nov 22, 2007 1:01 AM, Vivek Khera <vivek@khera.org> wrote:
> >
> > On Nov 21, 2007, at 12:45 AM, Quan Qiu wrote:
> >
> > >
> > > "ChallengeResponseAuthentication no" is also required to avoid sshd
> > > accepting keyboard-interactive/pam.

This affects all users, and not just root.  This is probably not
what you want.

> Using the following settings in sshd_config:
> 
> PermitRootLogin without-password
> PasswordAuthentication no
> UseDNS no
> Subsystem       sftp    /usr/libexec/sftp-server
> 
> PuTTY'ing to the box produces:
> 
> Using username "root".
> Using keyboard-interactive authentication.
> Password:

And have you tried actually attempting to log in with root's password
that way?  I'm betting it doesn't work.

Here's proof from our RELENG_6 box, where I'm attempting to log in
as root on it:

eos$ whoami
jdc
eos$ ssh root@anubis.sc1.private.lan
The authenticity of host 'anubis.sc1.private.lan (10.72.0.125)' can't be established.
DSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'anubis.sc1.private.lan' (DSA) to the list of known hosts.
Password:
Password:
Password:

And the sshd_config from anubis is all default values, except for
"PermitRootLogin without-password".

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
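
Added example, not part of the original message or of OpenSSH: a small Python audit of the three sshd_config directives debated in this thread, showing that a password-style prompt being offered is separate from root's password being accepted, and that "ChallengeResponseAuthentication no" removes the prompt for every account. The function names, the DEFAULTS table (upstream OpenSSH defaults of that era) and the PAM-backed keyboard-interactive device are assumptions.

```python
# Added illustration; models only the three directives discussed in this thread.
# ASSUMPTION: defaults below are upstream OpenSSH's of that era; pass the
# values your own build ships with if they differ.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed sample: the four lines quoted in the message above.
QUOTED_CONFIG = """\
PermitRootLogin without-password
PasswordAuthentication no
UseDNS no
Subsystem       sftp    /usr/libexec/sftp-server
"""


def effective(config_text, defaults=DEFAULTS):
    """Resolve the tracked keywords; sshd keeps the first value it reads."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional Match blocks are ignored here
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {key: seen.get(key, default) for key, default in defaults.items()}


def audit(config_text, defaults=DEFAULTS):
    """Report which password-style prompts sshd offers and who can use them."""
    eff = effective(config_text, defaults)
    prompts = []
    if eff["passwordauthentication"] == "yes":
        prompts.append("password")
    if eff["challengeresponseauthentication"] == "yes":
        prompts.append("keyboard-interactive")  # ASSUMPTION: PAM backs it
    return {
        "prompts_offered": prompts,
        # A prompt is still shown to root under without-password, but the
        # typed password is never accepted (the behaviour shown above).
        "root_password_accepted": bool(prompts) and eff["permitrootlogin"] == "yes",
        "user_password_accepted": bool(prompts),
    }
```

Calling audit(QUOTED_CONFIG) reproduces the situation in the thread; prepending "ChallengeResponseAuthentication no" to the same text shows the prompt disappearing for ordinary users as well.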