I've always preferred setting PermitRootLogin without-password in my sshd_config in order to allow root logins using a public key only. I'm sure the above directive was all I needed to change in the past in order to achieve this; however, it now seems something has changed either in the default sshd_config file or PAM's configuration itself. The man page warns about several other directives I'm simply not sure of (ChallengeResponseAuthentication, PasswordAuthentication and "pam_unix" within /etc/pam.d/sshd), so I would appreciate some help on how to reach my goal.

I am very confused! With a default sshd_config but PermitRootLogin set to 'without-password', I find that root is still allowed to log in with a user/pass. A feeble attempt at understanding the sshd_config man page led me to disable ChallengeResponseAuthentication and enable PasswordAuthentication, which left me with no direct root access at all (password or public key). I have verified that my public key works correctly. There are several local users who prefer authentication with passwords, so I just want root to require the public key.

This is a FreeBSD 5.4 box. My sshd_config is now default again (except requirement of SSH2); here is my /etc/pam.d/sshd in case it is causing the problem.
---------
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
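
Added example, not part of the original post: a small Python audit that reads an sshd_config and lists the authentication methods through which root could still present a password, using the directives named above. The function names, the defaults table and the `legacy` rule (that on older OpenSSH releases `without-password` blocks only the "password" method and leaves PAM keyboard-interactive open to root) are assumptions to check against the local sshd_config(5).

```python
import re

# Assumed built-in defaults for keywords missing from the file; they differ
# between OpenSSH releases and vendor builds, so check sshd_config(5) locally.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
}

def effective(config_text, defaults=ASSUMED_DEFAULTS):
    """Return keyword -> value; sshd uses the first value it sees for a keyword."""
    seen = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**defaults, **seen}

def root_password_paths(config_text, legacy=True, defaults=ASSUMED_DEFAULTS):
    """List the auth methods through which root could still use a password.

    legacy=True models the assumption that without-password blocks only the
    "password" method and leaves keyboard-interactive (PAM) open to root.
    """
    cfg = effective(config_text, defaults)
    root = cfg["permitrootlogin"]
    if root in ("no", "forced-commands-only"):
        return []
    key_only = root in ("without-password", "prohibit-password")
    paths = []
    if cfg["passwordauthentication"] == "yes" and not key_only:
        paths.append("password")
    kbdint = cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes"
    if kbdint and (legacy or not key_only):
        paths.append("keyboard-interactive (PAM)")
    return paths

# Constructed sample: the setup described in the post.
SAMPLE = """\
Protocol 2
PermitRootLogin without-password
"""
```

An empty list means that, under these assumptions, root is limited to non-password methods such as public key; any entry names a path where pam_unix or the password file would still accept root's password.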