I can disable direct root login by setting "rlogin=false" in the root stanza in /etc/security/user and setting "PermitRootLogin no" in /etc/ssh/sshd_config.
However, I can only get passwordless authentication for root (using private keys) to work if I set "PermitRootLogin Yes" in /etc/sshd_config.
Can I have my cake and eat it too? i.e. can I configure a server to disable direct root login via ssh and yet still be able to configure a passwordless authentication for the root user?
Pinned topic: Disable direct root login AND enable passwordless authentication
3 replies. Latest post 2011-06-08T20:02:55Z by MurstiMurikka
tony.evans (ACCEPTED ANSWER)
Re: Disable direct root login AND enable passwordless authentication, 2011-06-08T14:27:25Z, in response to morgan_gov
From the sshd_config man page:
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
The default is “yes”.
If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed).
All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
MurstiMurikka (ACCEPTED ANSWER)
Re: Disable direct root login AND enable passwordless authentication, 2011-06-08T20:02:55Z, in response to tony.evans
Another finesse that can also be found in the sshd_config man page:
You can set PermitRootLogin: No globally and then at the end of the file use Match
Match Host <trusted_host>
This way you get an even more secure setup, where root logins are accepted only from <trusted_host>, even with the right key.
shargus (ACCEPTED ANSWER)
Re: Disable direct root login AND enable passwordless authentication, 2011-06-08T19:38:20Z, in response to morgan_gov
Another idea, one that we use...
It sounds like you want to block interactive login for root, but allow non-interactive logins for root, to allow for commands to be issued from another server.
Edit /etc/profile to block root login. Interactive logins will source /etc/profile, while non-interactive logins do not.
This will also give you better control of root logins: for example, you can post an informative message, you can restrict root logins to certain $SSH_CLIENT clients, etc.