From: Jeremy Chadwick <jdc@parodius.com>
To: Quan Qiu
Cc: freebsd-stable@freebsd.org
Date: Thu, 22 Nov 2007 21:21:55 -0800
Subject: Re: Software for distribution of configuration files and changes
Message-ID: <20071123052155.GA721@eos.sc1.parodius.com>
In-Reply-To: <53a565700711221721v1eb695bcy507780fc3fc30eaa@mail.gmail.com>
List-Id: Production branch of FreeBSD source code

On Fri, Nov 23, 2007 at 09:21:24AM +0800, Quan Qiu wrote:
> On Nov 22, 2007 1:01 AM, Vivek Khera wrote:
> >
> > On Nov 21, 2007, at 12:45 AM, Quan Qiu wrote:
> > >
> > > >
> > > > "ChallengeResponseAuthentication no" is also required to avoid sshd
> > > > accepting keyboard-interactive/pam.

This affects all users, and not just root.  This is probably not what
you want.

> Using the following settings in sshd_config:
>
> PermitRootLogin without-password
> PasswordAuthentication no
> UseDNS no
> Subsystem sftp /usr/libexec/sftp-server
>
> PuTTY'ing to the box produces:
>
> Using username "root".
> Using keyboard-interactive authentication.
> Password:

And have you tried actually attempting to log in with root's password
that way?  I'm betting it doesn't work.

Here's proof from our RELENG_6 box, where I'm attempting to log in as
root on it:

eos$ whoami
jdc
eos$ ssh root@anubis.sc1.private.lan
The authenticity of host 'anubis.sc1.private.lan (10.72.0.125)' can't be established.
DSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'anubis.sc1.private.lan' (DSA) to the list of known hosts.
Password:
Password:
Password:

And the sshd_config from anubis is all default values, except for
"PermitRootLogin without-password".

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
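The point the two messages above argue over (a "Password:" prompt still appears for root under "PermitRootLogin without-password", while "ChallengeResponseAuthentication no" removes keyboard-interactive for every user) can be checked statically against an sshd_config. The following is an added example, not code from the thread or from OpenSSH. It parses the global section of a config the way sshd does (first occurrence of a keyword wins, Match blocks are not modelled and stop the parse) and reports, per user, which advertised methods could actually complete a login. Assumptions: upstream OpenSSH defaults of that era (every switch "yes"), the modern aliases prohibit-password and KbdInteractiveAuthentication are treated as equivalent to the spellings used in the thread, and the sample config below is constructed for the demonstration.

```python
"""Static check of an sshd_config: which login paths stay open for root?

PasswordAuthentication and ChallengeResponseAuthentication are global
switches that decide which methods sshd advertises to every client.
PermitRootLogin is applied only after a method has succeeded, so root is
still prompted for a password under "without-password" even though that
password can never be accepted.  (Added example; assumptions noted in
the lead-in above and in comments.)
"""

# Assumed defaults: upstream OpenSSH of the 2007 era, everything on.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Newer keyword spelling mapped onto the spelling used in the thread.
ALIASES = {
    "kbdinteractiveauthentication": "challengeresponseauthentication",
}

# Keyword -> SSH userauth method it switches on or off for all users.
METHOD_SWITCH = {
    "pubkeyauthentication": "publickey",
    "passwordauthentication": "password",
    "challengeresponseauthentication": "keyboard-interactive",
}


def parse_sshd_config(text):
    """Return the effective global settings as a lower-cased dict.

    sshd keeps the first value it sees for a keyword; later duplicates are
    ignored, a common cause of "but I set it!" surprises.  Parsing stops at
    the first Match line (conditional blocks are out of scope here).
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) < 2 or key in seen:
            continue
        seen.add(key)
        effective[key] = parts[1].strip().lower()
    return effective


def advertised_methods(cfg):
    """Methods sshd offers to every client, regardless of the user name."""
    return {m for k, m in METHOD_SWITCH.items() if cfg[k] == "yes"}


def can_succeed(cfg, user, method):
    """Could `method` complete a login for `user` under this config?"""
    if method not in advertised_methods(cfg):
        return False
    if user != "root":
        return True
    prl = cfg["permitrootlogin"]
    if prl == "no":
        return False
    if prl in ("without-password", "prohibit-password", "forced-commands-only"):
        # forced-commands-only additionally needs a command= key option (not modelled)
        return method == "publickey"
    return True


def login_report(text, user):
    """Map each advertised method to whether it can succeed for `user`."""
    cfg = parse_sshd_config(text)
    return {m: can_succeed(cfg, user, m) for m in sorted(advertised_methods(cfg))}


# Constructed sample: the settings quoted in the thread plus a duplicate
# keyword to exercise the first-value-wins rule.
QUOTED_CONFIG = """\
# constructed sshd_config sample
PermitRootLogin without-password
PasswordAuthentication no
# the next line is ignored by sshd: the first value above wins
PasswordAuthentication yes
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    for user in ("root", "jdc"):
        print(user, login_report(QUOTED_CONFIG, user))
    print("jdc, with ChallengeResponseAuthentication no:",
          login_report(QUOTED_CONFIG + "ChallengeResponseAuthentication no\n", "jdc"))
```

Run against the quoted config, the report shows root with keyboard-interactive advertised (hence the PuTTY prompt) but unable to succeed, and a non-root user with keyboard-interactive fully usable; appending "ChallengeResponseAuthentication no" removes that method for the non-root user as well, which is exactly the all-users side effect the reply warns about.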