On Sun, 5 Jan 2020 15:22:46 +0100 "lu hu" <luhu8...@mail.com> wrote:
> fuck I did a typo, sorry, I wanted to write: > > 66# sshd -T|grep -i permitr > permitrootlogin without-password > 66# > > really sorry. > > But the issue is still there. man page says there should be > prohibit-password and not without-password > > > Sent: Sunday, January 05, 2020 at 3:07 PM > > From: "lu hu" <luhu8...@mail.com> > > To: misc@openbsd.org > > Subject: Re: sshd_config#PermitRootLogin typo > > > > yes! > > > > > Sent: Sunday, January 05, 2020 at 3:00 PM > > > From: "Robert Klein" <rokl...@roklein.de> > > > To: misc@openbsd.org > > > Subject: Re: sshd_config#PermitRootLogin typo > > > > > > On Sun, 5 Jan 2020 14:47:15 +0100 > > > "lu hu" <luhu8...@mail.com> wrote: > > > > > > > Hello, > > > > > > > > http://man.openbsd.org/sshd_config#PermitRootLogin > > > > says > > > > ...The default is prohibit-password. > > > > If this option is set to prohibit-password (or its deprecated > > > > alias, without-password), password and keyboard-interactive > > > > authentication are disabled for root. > > > > > > > > SO: > > > > > > > > if I remove the PermitRootLogin line from sshd_config, then > > > > rcctl restart sshd, then why can I see > > > > > > > > 66# sshd -T|grep -i permitr > > > > permitrootlogin yes > > > > 66# > > > > > > > > instead of prohibit-password ? > > > > > > > > Thanks! > > > > > > > > > > Was the deleted one the only “PermitRootLogin” line in your > > > /etc/ssh/sshd_config? > > > > > > > PermitRootLogin option second paragraph: If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root. The output probably results from “without-password” being before “prohibit-password” in the list. Cf. /usr/src/usr.bin/ssh/servconf.c: static const struct multistate multistate_permitrootlogin[] = { { "without-password", PERMIT_NO_PASSWD }, { "prohibit-password", PERMIT_NO_PASSWD }, { "forced-commands-only", PERMIT_FORCED_ONLY }, { "yes", PERMIT_YES }, { "no", PERMIT_NO }, { NULL, -1 } }; Best regards Robert