On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman <vi...@unsane.co.uk> wrote:
> I missed the rest of this thread so sorry if it's been said already. As
> far as I knew the directive
> PermitRootLogin without-password
> in /etc/ssh/sshd_config
> should accomplish what was requested.
>
> However a note later in the default sshd_config file regarding the
> UsePAM setting says
> 'Depending on your PAM configuration,
> PAM authentication via ChallengeResponseAuthentication may bypass
> the setting of "PermitRootLogin without-password".'

That PAM comment in sshd_config got my attention a number of years ago, so I did a lot of testing of various sshd/pam settings to try and understand what could happen and to try and make some sense out of it.

My configurations:

in /etc/ssh/sshd_config:

    PermitRootLogin without-password
    UsePAM yes

in /etc/pam.d/sshd:

    # auth: open policy: allow OPIE, ldap, and unix password
    auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth    requisite   pam_opieaccess.so           no_warn allow_local
    auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth    required    pam_unix.so                 no_warn try_first_pass

Using this configuration I have thoroughly tested on both FreeBSD-7 and (more recently) FreeBSD-8 and root is allowed in via ssh with public key auth only; typing the unix password at it gets permission denied for keyboard-interactive. Non-root users are allowed in via either LDAP password or local unix password as expected. I haven't configured OPIE for root, but it wouldn't bother me if it worked for root in this setup since its design addresses why passwords are insecure in the first place.

I use this in production on all my systems and haven't changed any other of FreeBSD's default configurations for sshd.

I haven't gone so far as to check source code to see why this works as it does. I'm guessing that PAM may allow passwords for root via something that isn't pam_unix since by design PAM can allow anything. But when using pam_unix, at least, it does observe the without-password setting for root.
As always YMMV, but I am happy with this tested setup and so I use it with confidence.

Peggy Wilkins
Sysadmin, The University of Chicago Library

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
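The sshd_config comment Vincent quotes and Peggy's observation point at the same check: when PermitRootLogin is set to without-password and UsePAM is yes, any PAM auth module that can succeed on its own (control "sufficient") other than pam_unix is the one to test against a root password login. The script below is an added example, not code from the thread or from FreeBSD; it parses the two files in the simple forms shown in the post (no Match blocks, no bracketed PAM control syntax) and lists those modules. The file contents are constructed samples modelled on the posted configuration, and the function names are mine.

```python
"""Audit the PermitRootLogin / UsePAM interaction discussed in the thread.

Added example (not from the mailing-list post).  Given an sshd_config and a
pam.d/sshd file, report whether root password logins are meant to be blocked
and which PAM 'auth' modules with 'sufficient' control, other than pam_unix,
could still be reached by root, so an administrator knows what to test by hand.
"""

# Constructed sample: the two settings the post relies on, plus a commented-out
# line to show that comments are ignored.
SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin yes        <- commented out, must be ignored
PermitRootLogin without-password
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed sample: the auth stack from the post, with a path-qualified module.
SAMPLE_PAM_SSHD = """\
# auth: open policy: allow OPIE, ldap, and unix password
auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so           no_warn allow_local
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    required    pam_unix.so                 no_warn try_first_pass
account required    pam_unix.so
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value}; as in sshd, the first occurrence wins.

    Keywords are case-insensitive and may be separated from the value by
    whitespace or '='.  Match blocks are not modelled (assumption: none present,
    as in the posted file).
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.replace("=", " ", 1).split(None, 1)
        if len(fields) != 2:
            continue
        key, value = fields[0].lower(), fields[1].strip()
        if key not in opts:
            opts[key] = value
    return opts


def parse_pam_auth(text):
    """Return [(control, module_basename, args)] for the 'auth' facility only.

    Simple pam.conf syntax: type control module [args].  The bracketed
    '[success=...]' control form is not modelled.
    """
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lower() != "auth":
            continue
        control, module = fields[1].lower(), fields[2].rsplit("/", 1)[-1]
        stack.append((control, module, fields[3:]))
    return stack


def audit(sshd_text, pam_text):
    """Summarise the root-login policy and the PAM modules worth a manual test."""
    opts = parse_sshd_config(sshd_text)
    prl = opts.get("permitrootlogin", "unset").lower()
    use_pam = opts.get("usepam", "unset").lower()
    cra = opts.get("challengeresponseauthentication", "unset").lower()

    # PermitRootLogin values that are supposed to block root password logins.
    root_pw_blocked = prl in ("without-password", "prohibit-password",
                              "no", "forced-commands-only")

    # 'sufficient' modules can grant access on their own; per the post, pam_unix
    # honours the root restriction, so the remaining ones are the open question.
    sufficient_non_unix = [
        module for control, module, _ in parse_pam_auth(pam_text)
        if control == "sufficient" and module != "pam_unix.so"
    ]

    # The sshd_config caveat only applies while PAM challenge-response is in
    # play: UsePAM yes and ChallengeResponseAuthentication not explicitly "no"
    # (OpenSSH treats an unset ChallengeResponseAuthentication as enabled).
    pam_path_open = use_pam == "yes" and cra != "no"

    return {
        "permit_root_login": prl,
        "use_pam": use_pam,
        "challenge_response": cra,
        "root_password_blocked": root_pw_blocked,
        "pam_sufficient_non_unix": sufficient_non_unix,
        "test_root_password_via": (sufficient_non_unix
                                   if root_pw_blocked and pam_path_open else []),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD))
```

On the posted configuration the report names pam_opie.so and pam_ldap.so as the modules to try a root password against; with UsePAM no, ChallengeResponseAuthentication no, or PermitRootLogin yes the list is empty, either because the PAM path is closed or because root passwords are permitted anyway and there is nothing to bypass. The script only reads configuration; the actual test is still the one Peggy describes, typing a password at a root login and confirming it is refused.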