[Mageia-dev] SSH PAM configuration

Pascal Terjan pterjan at gmail.com
Mon Aug 13 10:58:06 CEST 2012


On Mon, Aug 13, 2012 at 9:39 AM, Anne Wilson <annew at kde.org> wrote:
>
> On 13/08/12 08:34, Guillaume Rousse wrote:
>> On 12/08/2012 21:57, David Walser wrote:
>>> Johnny A. Solbu wrote:
>>>> On Sunday 12 August 2012 19:28, David Walser wrote:
>>>>> Through the PAM configuration for SSH shipped with the
>>>>> openssh-server package, root login is broken.  Here's why.
>>>>> /etc/pam.d/sshd has:
>>>>> auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
>>>>>
>>>>> The file /etc/ssh/denyusers has "root" in it by default.
>>>>
>>>> I read somewhere some time ago that PermitRootLogin in
>>>> sshd_config is ignored if PAM is used. That may be the reason
>>>> for this.
>>>
>>> Nope, I just tested it and that is not true.
>> There is an explicit comment in the configuration file:
>> # Depending on your PAM configuration,
>> # PAM authentication via ChallengeResponseAuthentication may bypass
>> # the setting of "PermitRootLogin without-password".
>>
>> My understanding is just that some specific PAM configuration
>> would eventually allow root user to authenticate through a
>> password, instead of a key.
>>
>> Regarding your original problem, feel free to commit the relevant
>> modifications.
>
> Why would anyone need root login over ssh?  I don't allow it on my
> server and it has never caused me any problems.  Su to root works
> perfectly well and avoids the security risk, so I don't understand
> this thread.

Allowing login as root over ssh with a key can save things when for
some reason non-local auth is down, like to fix the connection to the
LDAP server (you can also create a local emergency account for that
usage).
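
An added example, not part of the original thread or of the Mageia package: a small Python audit that lists the pam_listfile auth rules rejecting a given user, which is the interaction between /etc/pam.d/sshd and /etc/ssh/denyusers described at the start of the thread. The sample file contents and the listfile_blocks helper are constructed for illustration, and only simple control flags (not the bracketed [value=action] form) are handled.

```python
import shlex

# Constructed sample input mirroring the files quoted in the thread.
PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth       include      system-auth
account    required     pam_nologin.so
"""
FILES = {"/etc/ssh/denyusers": "root\n"}  # constructed: default content per the thread

FATAL = {"required", "requisite"}  # a failure of these fails the auth stack


def listfile_blocks(pam_text, files, user):
    """Return (line, file, sense) for each pam_listfile auth rule rejecting `user`.

    `files` maps a path to its contents so the check runs offline.
    Assumption: bracketed [value=action] controls are not evaluated.
    """
    hits = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        if not module.endswith("pam_listfile.so") or control not in FATAL:
            continue
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        sense, path = opts.get("sense"), opts.get("file")
        if opts.get("item") != "user" or sense not in ("allow", "deny"):
            continue
        if path not in files:
            continue  # file not supplied: nothing to evaluate
        listed = user in {l.strip() for l in files[path].splitlines()}
        # sense=deny fails for listed users; sense=allow fails for unlisted ones
        if (sense == "deny") == listed:
            hits.append((lineno, path, sense))
    return hits


if __name__ == "__main__":
    for lineno, path, sense in listfile_blocks(PAM_SSHD, FILES, "root"):
        print(f"line {lineno}: pam_listfile sense={sense} file={path} rejects root")
```
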

