[Mageia-dev] SSH PAM configuration

David Walser luigiwalser at yahoo.com
Sun Aug 12 19:28:40 CEST 2012


There's an issue with the default openssh configuration now that we've switched to UsePAM yes as the default.

Through the PAM configuration for SSH shipped with the openssh-server package, root login is broken.  Here's why.  /etc/pam.d/sshd has:
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

The file /etc/ssh/denyusers has "root" in it by default.

Whether allowing root login through SSH is "bad" is irrelevant here.  This is not an appropriate way to disable it by default.  There is already a configuration parameter in the regular configuration file, /etc/ssh/sshd_config, for whether or not to allow root login, and this is where it should be set.  It is set by msec to "without-password" which means only with SSH keys in the default security level, and set to "no" in the secure level, so basically we already have this disabled by default, and in a way that people know about and know how to change if they want.

Redundantly disabling it through some unintuitive PAM thing is not a good idea.  We actually had the same exact problem with KDM late in the Mageia 2 development cycle.  KDM has its normal way of disabling root logins in its standard kdmrc config file, but our package had additionally disabled it through PAM, which was confusing people.  This was reverted before the Mageia 2 release, so now it's just disabled in kdmrc, as it should be.

We should remove "root" from /etc/ssh/denyusers in our default configuration.  I asked Colin and he said ask the list about this as he's not the maintainer.  Whoever is, consider yourself asked :o)
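To make the point concrete, here is an added audit script (not part of the original mail or of the Mageia packages) that reports where root SSH login is actually controlled: it reads PermitRootLogin from sshd_config and checks whether the sshd PAM stack additionally denies root through a pam_listfile deny list. The sample files it builds are constructed to mirror the configuration described above; the optional prefix argument only exists so the absolute `file=` path from the PAM rule can be resolved against a test directory.

```sh
#!/bin/sh
# Added example: find out where root login over SSH is really decided.

# Effective PermitRootLogin value in an sshd_config file.
# sshd honours the first occurrence of a directive, so stop at the first match.
permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Print the deny list that blocks root on the sshd auth stack, if any.
# Matches "auth ... pam_listfile.so item=user sense=deny file=<path>" lines and
# succeeds only when <path> (resolved under $prefix) contains the exact user "root".
pam_denies_root() {
  pam_file=$1; prefix=${2:-}
  for deny_list in $(awk '
      $1 == "auth" && /pam_listfile\.so/ && /item=user/ && /sense=deny/ {
        for (i = 2; i <= NF; i++) if ($i ~ /^file=/) print substr($i, 6)
      }' "$pam_file"); do
    if grep -qx 'root' "$prefix$deny_list" 2>/dev/null; then
      echo "$deny_list"; return 0
    fi
  done
  return 1
}

# One-line summary: the documented sshd_config setting plus any hidden PAM deny.
ssh_root_login_report() {
  sshd_config=$1; pam_file=$2; prefix=${3:-}
  prl=$(permit_root_login "$sshd_config"); [ -n "$prl" ] || prl=unset
  if list=$(pam_denies_root "$pam_file" "$prefix"); then
    echo "PermitRootLogin=$prl; PAM additionally denies root via $list (redundant, undocumented control)"
  else
    echo "PermitRootLogin=$prl; PAM does not deny root"
  fi
}

# Constructed sample mirroring the mail: msec's "without-password" in sshd_config
# plus the shipped pam_listfile rule with "root" in /etc/ssh/denyusers.
demo() {
  d=$(mktemp -d); mkdir -p "$d/etc/ssh"
  printf 'Port 22\nPermitRootLogin without-password\n' > "$d/sshd_config"
  printf 'auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers\n' > "$d/sshd.pam"
  printf 'root\n' > "$d/etc/ssh/denyusers"
  ssh_root_login_report "$d/sshd_config" "$d/sshd.pam" "$d"
  rm -rf "$d"
}
demo
```

Run against a live system with `ssh_root_login_report /etc/ssh/sshd_config /etc/pam.d/sshd`; a report that names a deny list while PermitRootLogin already restricts root is exactly the redundancy the mail objects to.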
