Topic
  • 3 replies
  • Latest Post - 2011-06-08T20:02:55Z by MurstiMurikka
morgan_gov
1 Post

Disable direct root login AND enable passwordless authentication

2011-06-08T14:21:37Z
I can disable direct root login by setting "rlogin=false" in the root stanza in /etc/security/user and setting "PermitRootLogin no" in /etc/ssh/sshd_config.

However, I can only get passwordless authentication for root (using private keys) to work if I set "PermitRootLogin Yes" in /etc/sshd_config.

Can I have my cake and eat it too? i.e. can I configure a server to disable direct root login via ssh and yet still be able to configure a passwordless authentication for the root user?
  • tony.evans
    412 Posts

    Re: Disable direct root login AND enable passwordless authentication

    2011-06-08T14:27:25Z
    From the sshd_config man page,

    PermitRootLogin

    Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.

    The default is “yes”.

    If this option is set to “without-password”, password authentication is disabled for root.

    If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed).

    All other authentication methods are disabled for root.

    If this option is set to “no”, root is not allowed to log in.
  • shargus
    157 Posts

    Re: Disable direct root login AND enable passwordless authentication

    2011-06-08T19:38:20Z
    Another idea - one that we use...

    It sounds like you want to block interactive login for root, but allow non-interactive logins for root, to allow for commands to be issued from another server.

    Edit /etc/profile to block root login. Interactive logins will source /etc/profile, while non-interactive logins do not.
    This will also allow you to have better control of root logins - for example, you can post an informative message, you can restrict root logins to certain $SSH_CLIENT clients, etc.
  • MurstiMurikka
    7 Posts

    Re: Disable direct root login AND enable passwordless authentication

    2011-06-08T20:02:55Z
    From the sshd_config man page,

    PermitRootLogin

    Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.

    The default is “yes”.

    If this option is set to “without-password”, password authentication is disabled for root.

    If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed).

    All other authentication methods are disabled for root.

    If this option is set to “no”, root is not allowed to log in.
    Another finesse that can also be found in the sshd_config man page:

    You can set PermitRootLogin: No globally and then at the end of the file use Match

    Match Host <trusted_host>
    PermitRootLogin without-password

    This way you get an even more secure setup where root logins are accepted only from <trusted_host>, even with the right key.