From: Vinny
Date: Tue, 09 Oct 2007 23:27:09 -0400
To: freebsd-questions@freebsd.org
Subject: Re: Confusion on SSH and PAM
Message-ID: <470C468D.4080604@palaceofretention.ca>
In-Reply-To: <20070926145429.B65660@dogmatix.home.rakhesh.com>
References: <20070925150058.J79029@dogmatix.home.rakhesh.com>
 <46F910EE.6070005@cyberleo.net>
 <20070926145429.B65660@dogmatix.home.rakhesh.com>

Rakhesh Sasidharan wrote:
> [snip]
>
> Here's another oddity I encountered today.
>
> If "PermitRootLogin" is set to "forced-commands-only", my understanding
> is the SSHD will permit root logins if a command to be executed is
> given. But that doesn't seem to be the case in practice! I have keys
> set up for root to login, but instead of letting me in with those keys,
> SSHD ignores them, passes me to PAM for password prompting (three times)
> and then denies me out! Very strange.

PermitRootLogin forced-commands-only

This requires that a command be present in the authorized_keys file for
a given key. For example, root's authorized_keys file might look like
this for an rsync command:

command="/root/.ssh/cron/validate-rsync",from="10.10.10.2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3N_more_public_key_data comment

The entire text above should be only one line in the file.

The command shown in:

command="/root/.ssh/cron/validate-rsync"

i.e. /root/.ssh/cron/validate-rsync must be the command submitted on the
ssh command line, loosely:

$ ssh -i private_key_matching_public_key_in_authorized_keys root@host \
    /root/.ssh/cron/validate-rsync

The root user cannot otherwise login to the system using ssh unless
further keys with corresponding commands exist.

Vinny
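An added example, not part of Vinny's mail and not OpenSSH code: a sketch of the kind of allowlisting wrapper that a forced command such as the hypothetical /root/.ssh/cron/validate-rsync above can be. When a key carries command="...", sshd runs that program and exposes whatever command line the client requested in the SSH_ORIGINAL_COMMAND environment variable, so the wrapper can check the request against a narrow allowlist, log the decision, and run only what passes. The rsync server-mode invocation, the /var/backups/ destination and the logger tag are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): an allowlisting wrapper in the
# style of a forced command named in an authorized_keys "command=" option.
# sshd runs this script instead of the client's request and places that
# request in SSH_ORIGINAL_COMMAND; the script decides whether to run it.

# validate_cmd CMD -> exit 0 if CMD is an acceptable rsync server-mode
# invocation into the backup area, exit 1 otherwise.
validate_cmd() {
    cmd=$1
    # Reject shell metacharacters and parent-directory traversal outright,
    # since the accepted command is later word-split and exec'd.
    case "$cmd" in
        *[\;\&\|\`\$\(\)\<\>]*|*..*) return 1 ;;
    esac
    # Accept only rsync running in server mode with the backup directory
    # (constructed path for this example) as its destination.
    case "$cmd" in
        "rsync --server "*" . /var/backups/"*) return 0 ;;
    esac
    return 1
}

# Entry point when sshd invokes the script: refuse interactive sessions and
# anything not on the allowlist, log each decision via syslog, then exec
# the validated request.
main() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "interactive shell not allowed for this key" >&2
        exit 1
    fi
    if validate_cmd "$SSH_ORIGINAL_COMMAND"; then
        logger -t validate-rsync "allowed: $SSH_ORIGINAL_COMMAND"
        # shellcheck disable=SC2086  # word-splitting is intended here
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t validate-rsync "rejected: $SSH_ORIGINAL_COMMAND"
    echo "command rejected" >&2
    exit 1
}

# Dispatch only when actually running under sshd (SSH_CONNECTION is set),
# so the functions can be sourced and exercised without a live session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

With this pattern the key in authorized_keys can only ever drive the rsync transfer the wrapper permits; any other request, including an attempt to open a shell, is logged and refused, and the from="..." and no-*-forwarding options on the same key line narrow the blast radius further.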