> I have used "Public key authentication before" as described by
> http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Chapter8.html#8. The
> user's passwords were never enabled on the host. A public key part of
> public/private key had to be supplied by each user desiring access to
> the host. What bothers me is that root has to have a password. All the
> other users are using public key authentication, but poor old root is
> just hanging out in the breeze. I could not find a way to turn on
> public key authentication for root. I played with /etc/securetty.

Public key authentication is SSH specific. If you leave ssh out of the equation, you don't get public key auth.

> I
> wanted to disable remote access by root but allow another user to use
> public key to access the server, then su to root.

Here, you only have ssh for the remote access, but not for su, so no public key possibility for su.

*Bad idea*
You could try to solve the su with ssh using public key auth. Which would involve using a second sshd instance not reachable from outside and Agent forwarding. First of all, lots of manpages.
*/Bad idea*

You could also try to make your su switch without using a password. That should be possible with an empty root pw.

On our LEAF boxen, we allow direct root login, but only using pubkey auth. I move the public key file to a central location with the sshd_config lines

    PermitRootLogin yes
    AuthorizedKeysFile /etc/ssh/pubkeys/%u.pub
    PasswordAuthentication no

Then I concatenate the public keys of all persons that are allowed access to the fw in /etc/ssh/pubkeys/root.pub

This way, I don't have to share secret information (the root pw)

- Alex
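
The setup described in the message above, as an added example that is not part of the original post: shell functions that assemble the shared root.pub from one key file per admin and check that an sshd_config carries the three quoted directives. The per-admin source directory and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout: SRC_DIR holds one <person>.pub per admin and
# is a different directory from the one OUT_FILE lives in.

# is_pubkey_line LINE: succeed if LINE is "<type> <base64> [comment]".
# Lines carrying an options prefix (from=..., command=...) are rejected here.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# build_root_pub SRC_DIR OUT_FILE: concatenate every key into OUT_FILE.
# Prints the number of keys written; fails without touching OUT_FILE if any
# line is malformed.
build_root_pub() {
    src=$1; out=$2; count=0
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    for f in "$src"/*.pub; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac
            if ! is_pubkey_line "$line"; then
                echo "rejecting $f: malformed key line" >&2
                rm -f "$tmp"
                return 1
            fi
            printf '%s\n' "$line" >> "$tmp"
            count=$((count + 1))
        done < "$f"
    done
    # Readable by sshd, writable only by the owner, swapped in atomically.
    chmod 644 "$tmp" && mv "$tmp" "$out" || { rm -f "$tmp"; return 1; }
    echo "$count"
}

# first_value FILE KEYWORD: print the value of the first line setting KEYWORD,
# which is the one sshd uses. Match blocks are not interpreted here.
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# config_is_key_only FILE: succeed if FILE has the three settings from the post.
config_is_key_only() {
    [ "$(first_value "$1" PermitRootLogin)" = yes ] &&
    [ "$(first_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(first_value "$1" AuthorizedKeysFile)" = /etc/ssh/pubkeys/%u.pub ]
}
```

Because a malformed line aborts the build before the move, a bad key file from one admin cannot truncate or corrupt the root.pub that is already in place.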