Date:      Thu, 4 Aug 2005 06:26:23 +0100
From:      The WRS <thewrs@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   SSH root logins using public key only confusion
Message-ID:  <bbb2e418050803222653a7d2c9@mail.gmail.com>

I've always preferred setting

PermitRootLogin without-password

in my sshd_config in order to allow root logins using a public key only.

I'm sure the above directive was all I needed to change in the past in
order to achieve this, however it now seems something has changed
either in the default sshd_config file or PAM's configuration itself.

The man page warns about several other directives I'm simply not sure
of (ChallengeResponseAuthentication, PasswordAuthentication and
"pam_unix" within /etc/pam.d/sshd), so I would appreciate some help on
how to reach my goal. I am very confused!

With a default sshd_config but PermitRootLogin set to
'without-password' I find that root is still allowed to log in with a
user/pass. A feeble attempt at understanding the sshd_config man page
led me to disable ChallengeResponseAuthentication and enable
PasswordAuthentication, which left me with no direct root access at all
(password or public key).

I have verified that my public key works correctly.

There are several local users who prefer authentication with
passwords, so I just want root to require the public key.

This is a FreeBSD 5.4 box.

My sshd_config is now default again (except for requiring SSH2); here
is my /etc/pam.d/sshd in case it is causing the problem.

---------

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

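An added check for the situation described in this message (example code, not from the original post, FreeBSD or OpenSSH): it reads an sshd_config the way sshd does (first occurrence of a keyword wins, nothing after a Match line counted) and reports whether root still has a password path left open. The assumptions are mine: missing keywords fall back to "yes", the two sample configs are constructed, and the verdict for without-password combined with ChallengeResponseAuthentication yes reflects what this message reports (root reaching a PAM keyboard-interactive password prompt), so on newer sshd versions that also refuse keyboard-interactive for root it is a conservative warning rather than a confirmed hole.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD/OpenSSH.
# Audits an sshd_config for the case the post describes: PermitRootLogin is
# "without-password" but ChallengeResponseAuthentication (keyboard-interactive
# via PAM, pam_unix in the poster's /etc/pam.d/sshd) is still on, so a password
# prompt for root remains reachable.
# Assumptions (mine, not the page's): first occurrence of a keyword wins and
# anything after a Match line is conditional, as in sshd's parser; missing
# keywords default to "yes"; the configs below are constructed samples.

# sshd_value FILE KEYWORD DEFAULT: effective value of KEYWORD, lowercased.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }            # stop at conditional sections
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# root_audit FILE: one-word verdict on how root may still authenticate.
root_audit() {
    prl=$(sshd_value "$1" PermitRootLogin yes)
    cra=$(sshd_value "$1" ChallengeResponseAuthentication yes)
    pwa=$(sshd_value "$1" PasswordAuthentication yes)
    case "$prl" in
        no)  echo root-denied ;;
        yes) if [ "$cra" = yes ] || [ "$pwa" = yes ]; then echo root-password-allowed
             else echo root-key-only; fi ;;
        without-password|prohibit-password)
             # The "password" method is refused for root, but a keyboard-interactive
             # prompt driven by PAM is a different method; the post reports that it
             # still admitted root, so treat it as an open password path.
             if [ "$cra" = yes ]; then echo root-password-via-keyboard-interactive
             else echo root-key-only; fi ;;
        forced-commands-only) echo root-forced-commands-only ;;
        *)   echo "unknown:$prl" ;;
    esac
}

# Constructed samples (assumption: not the poster's actual files).
WEAK="${TMPDIR:-/tmp}/sshd_audit_weak.$$"
FIXED="${TMPDIR:-/tmp}/sshd_audit_fixed.$$"
cat >"$WEAK" <<'EOF'
# what the post describes: default file, only PermitRootLogin changed
Protocol 2
PermitRootLogin without-password
#ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat >"$FIXED" <<'EOF'
# root limited to publickey; other users keep pam_unix passwords
Protocol 2
PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
EOF

root_audit "$WEAK"    # root-password-via-keyboard-interactive
root_audit "$FIXED"   # root-key-only
```

With ChallengeResponseAuthentication no and PasswordAuthentication yes, other local users keep their password logins through pam_unix while root is left with publickey as its only method. Per-user Match blocks (available since OpenSSH 4.4 and deliberately not evaluated by this script) are the finer-grained way to express the same policy on sshd versions that support them.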


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bbb2e418050803222653a7d2c9>