On 29/09/2004 Christian Guggenberger wrote:
> On Fri, 2004-09-24 at 16:27 +0200, Jonas Meurer wrote:
> > you _always_ have to turn on PasswordAuthentication, to still allow
> > normal users logins, that's the relevant point. the setting of
> > ChallengeResponseAuthentication doesn't matter for that issue.
>
> well, that's not true. Even with PasswordAuthentication set no, "normal"
> users will be allowed in with their passwords via ChallengeResponse
> Authentication/PAM. In that case ChallengeResponseAuthentication
> really _does_ matter.

ok, but in this case root login without key still works.

> But, as discussed earlier, then you have to disallow root logins
> completely via ssh - the "without-password" option is not as fine
> granulated as should/could be; it does not distinguish between ssh
> rsa/dsa keys and s/keys. I think upstream is working on a finer
> granulated scheme for that option. (i don't have the related openssh
> bugID handy, sorry)

what do you mean with that? what i would like to see, is a "Permission
denied (publickey)" for root login attempts without key, and still
working non-key logins for other users.

bye
 jonas
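
The two configurations compared in this exchange, modeled as an added example (not code from the thread or from OpenSSH). It assumes the behavior the thread describes, where `PermitRootLogin without-password` refuses only the `password` method, that a challenge-response backend such as PAM or S/Key is active, and that unset options default to `yes`; the function names and sample configs are constructed for illustration.

```python
# Assumed defaults for options that are not set (assumption, not from the thread).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

def parse_sshd_config(text):
    """Return the effective global values; sshd keeps the first value it reads."""
    cfg, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            cfg[key] = parts[1].strip().lower()
            seen.add(key)
    return cfg

def keyless_methods(cfg, root):
    """Authentication methods that admit this account without a public key."""
    methods = []
    if cfg["passwordauthentication"] == "yes":
        methods.append("password")
    if cfg["challengeresponseauthentication"] == "yes":
        methods.append("keyboard-interactive")  # PAM or S/Key behind it (assumed)
    if not root:
        return methods
    mode = cfg["permitrootlogin"]
    if mode in ("no", "forced-commands-only"):
        return []
    if mode == "without-password":
        # As described in the thread: only the "password" method is refused for
        # root, so a challenge-response login is still accepted.
        return [m for m in methods if m != "password"]
    return methods

# Constructed sample configs matching the two positions in the thread.
CFG_PASSWORD = """PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin without-password
"""
CFG_CHALLENGE = """PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin without-password
"""

if __name__ == "__main__":
    for name, text in (("password", CFG_PASSWORD), ("challenge", CFG_CHALLENGE)):
        cfg = parse_sshd_config(text)
        print(name, "users:", keyless_methods(cfg, False), "root:", keyless_methods(cfg, True))
```

An empty list for root together with a non-empty list for ordinary users is the outcome asked for in the last reply; under the modeled behavior only the first sample config produces it.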

