I can disable direct root login by setting "rlogin=false" in the root stanza in /etc/security/user and setting "PermitRootLogin no" in /etc/ssh/sshd_config.
However I can only get passwordless authentication for root (using private keys) to work if I set "PermitRootLogin Yes" in /etc/sshd_config.
Can I have my cake and eat it too? i.e. can I configure a server to disable direct root login via ssh and yet still be able to configure a passwordless authentication for the root user?
Disable direct root login AND enable passwordless authentication
Updated on 2011-06-08T20:02:55Z at 2011-06-08T20:02:55Z by MurstiMurikka
tony.evans (0600007X8X), 412 Posts
Re: Disable direct root login AND enable passwordless authentication (2011-06-08T14:27:25Z)
This is the accepted answer.
From the sshd_config man page,
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
The default is “yes”.
If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed).
All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
shargus (060001TUQ5), 157 Posts
Re: Disable direct root login AND enable passwordless authentication (2011-06-08T19:38:20Z)
Another idea - one that we use...
It sounds like you want to block interactive login for root, but allow non-interactive logins for root, to allow for commands to be issued from another server.
Edit /etc/profile to block root login. Interactive logins will source /etc/profile, while non-interactive logins do not.
This will also allow you to have better control of root logins - for example, you can post an informative message, you can restrict root logins to certain $SSH_CLIENT clients, etc.
MurstiMurikka (2700048SKW), 7 Posts
Re: Disable direct root login AND enable passwordless authentication (2011-06-08T20:02:55Z)
- tony.evans 0600007X8X
You can set PermitRootLogin: No globally and then at the end of the file use Match
Match Host <trusted_host>
This way you get an even more secure setup where root logins are accepted only from <trusted_host>, even with the right key.
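The Match Host approach from MurstiMurikka's reply, as an added example that is not code from this thread: a small Python model of how sshd resolves PermitRootLogin for one connection (the global value first, then the first matching Match block overrides it), run over a constructed sshd_config in which the trusted hostname is a placeholder.

```python
import fnmatch

# Constructed sample sshd_config applying the thread's advice: root refused everywhere
# except key-only from one trusted host ("backup.example.internal" is a placeholder).
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
Match Host backup.example.internal
    PermitRootLogin without-password
"""

def _matches(pattern_list, value):
    """OpenSSH pattern list: comma-separated globs, '!' negates, case-insensitive."""
    hits = [(p.startswith("!"), fnmatch.fnmatchcase(value.lower(), p.lstrip("!").lower()))
            for p in pattern_list.split(",")]
    return not any(neg and hit for neg, hit in hits) and any(hit for neg, hit in hits if not neg)

def parse_sshd_config(text):
    """Split sshd_config into global options and a list of (criteria, options) Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # strip comments; keyword / arguments
        if not parts:
            continue
        keyword, args = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":                         # "Host a,b User c" -> criteria pairs
            toks = args.split()
            current = ({k.lower(): v for k, v in zip(toks[0::2], toks[1::2])}, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(keyword, args)      # sshd: the first value seen wins
        else:
            current[1].setdefault(keyword, args)
    return global_opts, blocks

def effective_option(text, keyword, *, host="", user="", addr=""):
    """Value sshd applies to this connection: the first matching Match block overrides the global."""
    conn = {"host": host, "user": user, "address": addr}
    global_opts, blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        # every criterion on the Match line must hold; criteria this model does not know never match
        if keyword in opts and all(c in conn and _matches(p, conn[c]) for c, p in criteria.items()):
            return opts[keyword]
    return global_opts.get(keyword)

def root_access(text, host, addr=""):
    value = (effective_option(text, "PermitRootLogin", host=host, user="root", addr=addr) or "yes").lower()
    return {"no": "denied", "without-password": "key-only", "prohibit-password": "key-only",
            "forced-commands-only": "forced-command-only"}.get(value, "password-allowed")
```

On a real server the authoritative check is sshd's own test mode, e.g. `sshd -T -C host=backup.example.internal,user=root,addr=<its IP>`, which prints the options that would apply to that connection.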