You should also consider posting your patch and related content to 'freebsd-hack...@freebsd.org'.
-Modulok-

On 4/5/10, Marcin Wisnicki <mwisnicki+free...@gmail.com> wrote:
> On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:
>
>> On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
>>> Is it possible to configure sshd such that both conditions are met:
>>>
>>> 1. Root will be able to login only by using keys
>>> 2. Normal users will still be able to use pam/keyboard-interactive
>>
>> Only by running two instances of sshd on different ports / IP numbers.
>>
>
> Thanks for all responses.
> I've finally solved it by configuring PAM to deny root.
> Unfortunately all of pam modules in base system that can do it,
> deny login only in "account" phase which is too late for sshd.
> I've modified pam_securetty to also provide "auth" facility.
>
> For anyone interested, here is a patch:
>
> --- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c 2010-02-18 > 00:12:28.000000000 +0100 > +++ pam_securetty/pam_securetty.c 2010-04-05 04:47:21.000000000 +0200 > @@ -45,2 +45,3 @@ > > +#define PAM_SM_AUTH > #define PAM_SM_ACCOUNT 
> @@ -54,2 +55,24 @@ > PAM_EXTERN int > +pam_sm_authenticate(pam_handle_t *pamh, int flags, > + int argc, const char *argv[]) > +{ > + const char *user; > + int r; > + > + if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) > + return (r); > + > + return (pam_sm_acct_mgmt(pamh, flags, argc, argv)); > +} > + > +PAM_EXTERN int > +pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, > + int argc __unused, const char *argv[] __unused) > +{ > + > + return (PAM_SUCCESS); > +} > + > + > +PAM_EXTERN int > pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
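
Review bot: In pam_sm_authenticate, the return value of pam_sm_acct_mgmt is handed back unchanged as the authentication verdict, so whatever the account check returns for a permitted user (its body is outside the visible lines) becomes this module's auth result; if that is PAM_SUCCESS, an auth chain that lists the module with the "sufficient" control flag would accept the user without any credential check. Consider returning PAM_IGNORE rather than PAM_SUCCESS on the permit path of the auth entry point, or at least state in the module's manual page that the new auth facility is meant only for "required" or "requisite". In the same function, the local "user" is filled in by pam_get_user and never read again; a one-line comment saying the call is there only to surface its error before delegating would make the intent clear. The patch also adds pam_sm_setcred and the PAM_SM_AUTH define without any accompanying documentation change.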