[Mageia-dev] SSH PAM configuration

Anne Wilson annew at kde.org
Mon Aug 13 12:01:23 CEST 2012



On 13/08/12 09:58, Pascal Terjan wrote:
> On Mon, Aug 13, 2012 at 9:39 AM, Anne Wilson <annew at kde.org>
> wrote:
>> 
>> On 13/08/12 08:34, Guillaume Rousse wrote:
>>> On 12/08/2012 21:57, David Walser wrote:
>>>> Johnny A. Solbu wrote:
>>>>> On Sunday 12 August 2012 19:28, David Walser wrote:
>>>>>> Through the PAM configuration for SSH shipped with the
>>>>>> openssh-server package, root login is broken.  Here's
>>>>>> why. /etc/pam.d/sshd has:
>>>>>>
>>>>>> auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
>>>>>> 
>>>>>> The file /etc/ssh/denyusers has "root" in it by default.
>>>>> 
>>>>> I read somewhere some time ago that PermitRootLogin in 
>>>>> sshd_config is ignored if PAM is used. That may be the
>>>>> reason for this.
>>>> 
>>>> Nope, I just tested it and that is not true.
>>> There is an explicit comment in the configuration file:
>>>
>>> # Depending on your PAM configuration,
>>> # PAM authentication via ChallengeResponseAuthentication may bypass
>>> # the setting of "PermitRootLogin without-password".
>>> 
>>> My understanding is just that some specific PAM configuration
>>> would eventually allow the root user to authenticate through a
>>> password, instead of a key.
>>> 
>>> Regarding your original problem, feel free to commit the
>>> relevant modifications.
>> 
>> Why would anyone need root login over ssh?  I don't allow it on
>> my server and it has never caused me any problems.  Su to root
>> works perfectly well and avoids the security risk, so I don't
>> understand this thread.
> 
> Allowing login as root over ssh with a key can save things when
> for some reason non local auth is down, like to fix the connection
> to the ldap server (you can also create a local emergency account
> for that usage).

OK, thanks for the answer.  Looks like some more reading on this
subject is required :-)  Although I do use login over ssh with keys
(as user) I don't use ldap, so I've never come across this.

Anne

- -- 
Need KDE help? Try
http://userbase.kde.org or
http://forum.kde.org
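The interaction discussed in this thread (a pam_listfile "sense=deny" line in /etc/pam.d/sshd rejecting root before sshd_config's PermitRootLogin is ever consulted) can be checked from a shell. The script below is an added example, not code from the thread or from the openssh-server package; it runs against constructed sample files, and the PAM file, the deny list and sshd_config are passed as arguments (a real audit would pass the path from the "file=" option and /etc/ssh/sshd_config).

```shell
#!/bin/sh
# Added example: does the sshd PAM stack reject a user via
# "pam_listfile.so item=user sense=deny", independent of sshd_config?
# $1 = PAM file, $2 = deny list named by that line's file= option, $3 = user.
pam_denies_user() {
    pamfile=$1; denyfile=$2; user=$3
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_listfile\.so[[:space:]].*item=user.*sense=deny' "$pamfile" || return 1
    grep -Eqx "[[:space:]]*$user[[:space:]]*" "$denyfile"
}

# Print the PermitRootLogin value from an sshd_config, or "unset" if absent.
sshd_permit_root_login() {
    val=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${val:-unset}"
}

# One-line verdict for root: a PAM denial wins whatever sshd_config says,
# which is exactly why PermitRootLogin appeared to be ignored.
root_ssh_verdict() {
    if pam_denies_user "$1" "$2" root; then
        echo "root denied by PAM (pam_listfile); PermitRootLogin=$(sshd_permit_root_login "$3") is never reached"
    else
        echo "PAM allows root; PermitRootLogin=$(sshd_permit_root_login "$3") decides"
    fi
}

# Constructed sample files mirroring the shipped configuration described above.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth       include      system-auth
account    include      system-auth
EOF
printf 'root\n' > "$TMP/denyusers"
printf '# constructed sshd_config\nPermitRootLogin without-password\n' > "$TMP/sshd_config"

root_ssh_verdict "$TMP/sshd" "$TMP/denyusers" "$TMP/sshd_config"
```

Removing "root" from the deny list (or the pam_listfile line itself) flips the verdict, after which PermitRootLogin in sshd_config becomes the effective control again.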
