From owner-freebsd-questions@FreeBSD.ORG Mon Apr 5 06:52:40 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 85110106564A for ; Mon, 5 Apr 2010 06:52:40 +0000 (UTC) (envelope-from norgaard@locolomo.org) Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es [85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id 210048FC0A for ; Mon, 5 Apr 2010 06:52:39 +0000 (UTC) Received: from beta.1-16-172-dyn.locolomo.org (unknown [172.16.1.127]) by mail.locolomo.org (Postfix) with ESMTPSA id 63AD21C0871 for ; Mon, 5 Apr 2010 08:52:38 +0200 (CEST) Message-ID: <4BB988B5.7090906@locolomo.org> Date: Mon, 05 Apr 2010 08:52:37 +0200 From: Erik Norgaard User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4 MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <4BB91FD5.3040403@locolomo.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: SSH root login with keys only X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Apr 2010 06:52:40 -0000 On 05/04/10 01:35, Marcin Wisnicki wrote: > PasswordAuthentication is already disabled (by default). > I need to disable ChallengeResponseAuthentication however: > > /etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' > is not allowed within a Match block > > Same thing for "UsePAM no" (though I would like to keep pam for accounting > and session management) You can configure two daemons one with root access allowed and the other without. Let the one with root access allowed run on a non-standard port. BR, Erik -- Erik Nørgaard Ph: +34.666334818/+34.915211157 http://www.locolomo.org