From: The WRS
To: freebsd-questions@freebsd.org
Date: Thu, 4 Aug 2005 06:26:23 +0100
Subject: SSH root logins using public key only confusion
List-Id: User questions

I've always preferred setting PermitRootLogin without-password in my sshd_config in order to allow root logins using a public key only.
I'm sure the above directive was all I needed to change in the past in order to achieve this; however, it now seems something has changed either in the default sshd_config file or in PAM's configuration itself. The man page warns about several other directives I'm simply not sure of (ChallengeResponseAuthentication, PasswordAuthentication and "pam_unix" within /etc/pam.d/sshd), so I would appreciate some help on how to reach my goal. I am very confused!

With a default sshd_config but PermitRootLogin set to 'without-password', I find that root is still allowed to log in with a user/pass. A feeble attempt at understanding the sshd_config man page led me to disable ChallengeResponseAuthentication and enable PasswordAuthentication, which left me with no direct root access at all (password or public key). I have verified that my public key works correctly.

There are several local users who prefer authentication with passwords, so I just want root to require the public key. This is a FreeBSD 5.4 box.

My sshd_config is now default again (except for requiring SSH2); here is my /etc/pam.d/sshd in case it is causing the problem.

---------
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
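Added here as an illustration, not code from the thread: a small Python audit that reads an sshd_config excerpt the way sshd does (comment lines skipped, keywords case-insensitive, first occurrence wins) and reports which authentication methods root could still complete. The sample config is constructed; the model assumes that the OpenSSH of that era treats `without-password` as refusing only the `password` method while PAM-backed keyboard-interactive (ChallengeResponseAuthentication) stays available, which would match what the post observes, and that later releases also refuse keyboard-interactive (the `legacy_without_password` switch).

```python
import re
# Constructed sshd_config excerpt (not the poster's real file): a FreeBSD
# 5.x-style setup with the poster's one change applied, where password
# checks reach PAM via keyboard-interactive, not the "password" method.
SAMPLE_SSHD_CONFIG = """
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication yes
"""

# Upstream OpenSSH defaults used when a keyword is absent (assumption).
DEFAULTS = {"permitrootlogin": "yes", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}

def parse_sshd_config(text):
    """Lowercase keyword -> value, as sshd reads it: '#' lines are
    comments, keywords are case-insensitive, FIRST occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def root_auth_methods(conf, legacy_without_password=True):
    """Set of auth methods root could still complete. With
    legacy_without_password=True, 'without-password' refuses only the
    'password' method (assumed behaviour of the era's OpenSSH); with
    False it also refuses keyboard-interactive, as later releases do."""
    c = {**DEFAULTS, **conf}
    enabled = set()
    if c["pubkeyauthentication"] == "yes":
        enabled.add("publickey")
    if c["passwordauthentication"] == "yes":
        enabled.add("password")
    if c["challengeresponseauthentication"] == "yes":
        enabled.add("keyboard-interactive")  # PAM-backed on FreeBSD
    policy = c["permitrootlogin"]
    if policy == "no":
        return set()
    if policy == "without-password":
        blocked = {"password"} if legacy_without_password \
            else {"password", "keyboard-interactive"}
        return enabled - blocked
    return enabled  # "yes" (other values are not modelled)
```

Placing ChallengeResponseAuthentication no ahead of any other occurrence removes keyboard-interactive from the result, which is the knob the post is asking about; since the first occurrence wins, a later duplicate line would not have that effect.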