From: Vinny
To: freebsd-questions@freebsd.org
Date: Wed, 10 Oct 2007 21:49:24 -0400
Subject: Re: Confusion on SSH and PAM
Message-ID: <470D8124.40103@palaceofretention.ca>
References: <20070925150058.J79029@dogmatix.home.rakhesh.com> <46F910EE.6070005@cyberleo.net> <20070926145429.B65660@dogmatix.home.rakhesh.com> <470C468D.4080604@palaceofretention.ca>
In-Reply-To: <470C468D.4080604@palaceofretention.ca>

Replying to myself to fix my error.

Vinny wrote:
> Rakhesh Sasidharan wrote:
>>
> [snip]
>>
>> Here's another oddity I encountered today.
>>
>> If "PermitRootLogin" is set to "forced-commands-only", my
>> understanding is the SSHD will permit root logins if a command to be
>> executed is given. But that doesn't seem to be the case in practice! I
>> have keys set up for root to login, but instead of letting me in with
>> those keys, SSHD ignores them, passes me to PAM for password prompting
>> (three times) and then denies me! Very strange.
>
> PermitRootLogin forced-commands-only
>
> This requires that a command be present in the authorized_keys
> file for a given key. For example, root's authorized_keys
> file might look like this for an rsync command:
>
> command="/root/.ssh/cron/validate-rsync",from="10.10.10.2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
> ssh-dss AAAAB3N_more_public_key_data comment
>
> The entire text above should be only one line in the file.
> The command shown in:
>
> command="/root/.ssh/cron/validate-rsync"
>
> I.e. /root/.ssh/cron/validate-rsync
>

This:

> must be the command submitted on the ssh command line, loosely:
>
> $ ssh -i private_key_matching_public_key_in_authorized_keys root@host \
> /root/.ssh/cron/validate-rsync
>

is incorrect. The command shown is the command that is executed when the
root user is authenticated via the key in question. It does not need to
appear on any ssh command line.

> The root user cannot otherwise login to the system using ssh
> unless further keys with corresponding commands exist.
>

Sorry about the error.

Vinny
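The thread names a forced-command wrapper (/root/.ssh/cron/validate-rsync) but does not show it. Below is an added example of what such a wrapper does, not Vinny's script: sshd runs it instead of whatever the client requested and passes the requested command line in SSH_ORIGINAL_COMMAND, so the wrapper compares that against an exact allowlist and executes only a match. The allowed rsync server invocation, the backup path and the logger tag are constructed assumptions; capture the real string sshd sees on your own host before deploying.

```shell
#!/bin/sh
# validate-rsync (added example): forced-command wrapper for a root key
# restricted with command="..." in authorized_keys. sshd sets
# SSH_ORIGINAL_COMMAND to the command the client asked for (unset when the
# client asked for an interactive shell).

# Assumed: the one rsync server invocation this key may run. The exact
# string depends on the rsync version and client options; take it from
# sshd's own log of a rejected attempt rather than guessing.
ALLOWED_CMD="rsync --server --sender -logDtprze.iLsf . /var/backups/"

# validate_command REQUESTED: return 0 if REQUESTED is permitted, else 1.
validate_command() {
    requested=$1
    case "$requested" in
        "")
            # No command means an interactive shell was requested.
            return 1 ;;
        *\;*|*\&*|*\|*|*\$*|*\`*|*\<*|*\>*)
            # Shell metacharacters: refuse outright instead of sanitising.
            return 1 ;;
        "$ALLOWED_CMD")
            # Exact match only; a different path or flag set is refused.
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Only act when installed under the expected name and run by sshd; when the
# file is sourced or run under another name only the function is defined.
if [ "${0##*/}" = validate-rsync ]; then
    if validate_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # Run the allowlisted string itself, never the client's text via a shell.
        exec $ALLOWED_CMD
    fi
    logger -t validate-rsync "rejected forced command: ${SSH_ORIGINAL_COMMAND:-<interactive shell>}"
    exit 1
fi
```

The key line in authorized_keys stays as Vinny shows it; the client runs a normal rsync against root@host and never names the wrapper.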