Tom Dial <tdd...@comcast.net> writes:

[...]

> From Harry's settings:
>> LoginGraceTime 120
>> PermitRootLogin without-password

Tom D wrote:
> This will prevent root login using a password. Only other methods, such
> as RSA authentication are to be permitted.

That turned out to be exactly the problem. Somewhere amongst my fiddling, weeks ago now, I must have uncommented that or something like.

[...]

> From Harry's settings:
>> PermitRootLogin yes

> This may or may not be effective owing to the above setting of
> "PermitRootLogin without-password" depending on how sshd treats
> duplicate setting. My (jessie) man page does not say whether the first
> or last setting will be effective.

I guess we may assume it goes by the first since 'PermitRootLogin yes' was the very last line of my config.

[...]

David Christensen <dpchr...@holgerdanske.com> writes:

[...]

>> ChallengeResponseAuthentication no
>> PasswordAuthentication yes
>
> I use:
>
> PasswordAuthentication no
>
>
> This requires all users to have their remote user public keys entered
> into their authorized_keys files to log in from those remote hosts.
>
>
>> X11Forwarding yes
>> X11DisplayOffset 10
>> PrintMotd no
>> PrintLastLog yes
>> TCPKeepAlive yes
>> AcceptEnv LANG LC_*
>> Subsystem sftp /usr/lib/openssh/sftp-server
>> UsePAM yes
>> PermitRootLogin yes
>
> This conflicts with the above setting (which is what I use):
>
> PermitRootLogin without-password

Yup, that was the problem.

Thank you both for the excellent input.. (snipped in this response but kept on hand for future reference..)
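
Added example, not part of the original thread: sshd_config(5) states that for each keyword the first obtained value is used, which is why the trailing 'PermitRootLogin yes' had no effect. The Python sketch below flags global keywords that are set more than once and shows which value wins; the function name, the REPEATABLE list and the sample config (reassembled from lines quoted in this thread) are assumptions made for illustration.

```python
import re

# Keywords that may legitimately appear several times (assumed, non-exhaustive list).
REPEATABLE = {"port", "listenaddress", "hostkey", "acceptenv", "subsystem", "include"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")

# Constructed sample: settings quoted in the thread, in a plausible order.
SAMPLE = """\
LoginGraceTime 120
PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication yes
X11Forwarding yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin yes
"""

def find_shadowed(config_text):
    """Return [(keyword, first_line, effective_value, [(line, ignored_value), ...])]
    for global keywords set more than once. sshd keeps the first value it reads."""
    seen = {}      # keyword -> (line number, value) of the first, effective setting
    shadowed = {}  # keyword -> later settings that sshd ignores
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # Match blocks are conditional overrides; only the global part is checked
        if key in REPEATABLE:
            continue
        if key in seen:
            shadowed.setdefault(key, []).append((line_no, value))
        else:
            seen[key] = (line_no, value)
    return [(k, seen[k][0], seen[k][1], later) for k, later in shadowed.items()]

if __name__ == "__main__":
    for key, line_no, value, later in find_shadowed(SAMPLE):
        print(f"{key}: effective value {value!r} (line {line_no})")
        for l, v in later:
            print(f"  ignored: {v!r} on line {l}")
```

On a live host, `sshd -T` prints the effective configuration after parsing, which confirms which value the daemon actually uses.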