From: Marcin Wisnicki
To: freebsd-questions@freebsd.org
Date: Sun, 4 Apr 2010 23:35:13 +0000 (UTC)
Subject: Re: SSH root login with keys only
References: <4BB91FD5.3040403@locolomo.org>

On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote:

> On 04/04/10 23:04, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>>
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
>
> Yes, you can create a Match block with the criteria User, something like
> this I guess will work (haven't tested):
>
>     PermitRootLogin yes
>     Match User root
>         PasswordAuthentication no
>
> check the man page. You might also want to restrict from where root can
> login with another match block.

PasswordAuthentication is already disabled (by default). I need to disable
ChallengeResponseAuthentication however:

    /etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' is not allowed within a Match block

Same thing for "UsePAM no" (though I would like to keep pam for accounting
and session management).

> I assume that you have decided root login is acceptable with the
> increased security of key authentication. Just beware that the key must
> be password protected.
>
> BR, Erik
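An sshd_config fragment that meets both conditions from the thread, added here as an illustration and not posted by either participant. It relies on PermitRootLogin's without-password value (spelled prohibit-password from OpenSSH 7.0 on) instead of the Match directives that sshd rejects, and the management network 192.0.2.0/24 is a constructed placeholder.

```conf
# /etc/ssh/sshd_config (constructed example fragment)

# Global section. UsePAM and ChallengeResponseAuthentication are not
# accepted inside Match (the error quoted in the thread), so they stay
# here and keep PAM keyboard-interactive working for ordinary users.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no

# Deny root everywhere by default; a Match block opens it selectively.
PermitRootLogin no

# Root may log in only from the management network (placeholder CIDR),
# and only with a public key: without-password makes sshd refuse every
# non-key method for root, including PAM keyboard-interactive, so no
# per-method directive is needed inside the block. PermitRootLogin is
# accepted inside Match in current OpenSSH releases.
Match User root Address 192.0.2.0/24
        PermitRootLogin without-password
        # without-password still admits hostbased and GSSAPI for root;
        # both directives are allowed in Match, so shut them off here.
        HostbasedAuthentication no
        GSSAPIAuthentication no
```

Verify the effective policy before reloading with `sshd -t` and, for a simulated root connection from the management range, `sshd -T -C user=root,host=mgmt.example,addr=192.0.2.10`, which prints the directives as sshd would apply them after Match processing.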