From owner-freebsd-questions@FreeBSD.ORG Mon Apr 5 13:19:24 2010
To: freebsd-questions@freebsd.org
From: Marcin Wisnicki
Date: Mon, 5 Apr 2010 13:19:07 +0000 (UTC)
Subject: Re: SSH root login with keys only
References: <4BB9A6D4.8080604@infracaninophile.co.uk>
List-Id: User questions

On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>>
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
>
> Only by running two instances of sshd on different ports / IP numbers.
>

Thanks for all responses. I've finally solved it by configuring PAM to
deny root. Unfortunately, all of the pam modules in the base system that
can do it deny login only in the "account" phase, which is too late for
sshd.

I've modified pam_securetty to also provide an "auth" facility.

For anyone interested, here is a patch:

--- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c 2010-02-18 00:12:28.000000000 +0100 +++ pam_securetty/pam_securetty.c 2010-04-05 04:47:21.000000000 +0200 @@ -45,2 +45,3 @@ +#define PAM_SM_AUTH #define PAM_SM_ACCOUNT
@@ -54,2 +55,24 @@ PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + const char *user; + int r; + + if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) + return (r); + + return (pam_sm_acct_mgmt(pamh, flags, argc, argv)); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, + int argc __unused, const char *argv[] __unused) +{ + + return (PAM_SUCCESS); +} + + +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
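Review bot: in pam_sm_authenticate the `user` filled in by pam_get_user() is never read, so the call and the two locals (`const char *user;` and `int r;`) add nothing but an extra failure path; either drop them and make the body a bare `return (pam_sm_acct_mgmt(pamh, flags, argc, argv));`, or, if the call is there on purpose to force the username prompt before the account check runs, say so in a comment. Since the first hunk's `#define PAM_SM_AUTH` makes the module export an auth facility, the pam_securetty(8) man page should also be updated to say that the auth check is the same test as the account check and returns whatever pam_sm_acct_mgmt returns.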
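As an added example, not part of the post above, this is how the patched module would be wired into the sshd PAM stack. The file is the stock FreeBSD /etc/pam.d/sshd reduced to the two relevant auth lines; the `requisite` control flag and the placement ahead of pam_unix are my assumptions about the intended use, not something the post states.

```conf
# /etc/pam.d/sshd, "auth" section only (added example, not from the post).
#
# Before: root's password or keyboard-interactive answer is verified by
# pam_unix exactly like any other user's.
#auth   required   pam_unix.so        try_first_pass

# After: the patched pam_securetty runs first in the auth phase. It only
# acts on uid 0; every other user falls straight through to pam_unix.
# For root it demands that the PAM_TTY item name a tty marked "secure"
# in /etc/ttys; sshd's tty is not (assumption: no "secure" entry for it
# has been added), so root's password attempt fails here and "requisite"
# stops the stack before pam_unix ever sees the password.
# Public-key authentication never calls pam_authenticate, only
# pam_acct_mgmt, so root with a key is unaffected as long as
# PermitRootLogin in sshd_config allows it.
auth    requisite  pam_securetty.so
auth    required   pam_unix.so        try_first_pass
```

Use `requisite` rather than `required` here: with `required` PAM would still run pam_unix and prompt root for a password before returning the failure, which leaks nothing but gives an attacker a free password-guessing oracle on the root account.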