On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote: > On 04/04/10 23:04, Marcin Wisnicki wrote: >> Is it possible to configure sshd such that both conditions are met: >> >> 1. Root will be able to login only by using keys 2. Normal users will >> still be able to use pam/keyboard-interactive > > Yes, you can create a Match block with the criteria User, something like > this I guess will work (haven't tested): > > PermitRootLogin yes > Match User root > PasswordAuthentication no > > check the man page. You might also want to restrict from where root can > login with another match block. >
PasswordAuthentication is already disabled (by default). I need to disable ChallengeResponseAuthentication however: /etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' is not allowed within a Match block Same thing for "UsePAM no" (though I would like to keep pam for accounting and session management) > I assume that you have decided root login is acceptable with the > increased security of key authentication. Just beware that the key must > be password protected. > > BR, Erik _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"