[Mageia-dev] SSH PAM configuration
Anne Wilson
annew at kde.org
Mon Aug 13 12:01:23 CEST 2012
On 13/08/12 09:58, Pascal Terjan wrote:
> On Mon, Aug 13, 2012 at 9:39 AM, Anne Wilson <annew at kde.org>
> wrote:
>>
>> On 13/08/12 08:34, Guillaume Rousse wrote:
>>> On 12/08/2012 21:57, David Walser wrote:
>>>> Johnny A. Solbu wrote:
>>>>> On Sunday 12 August 2012 19:28, David Walser wrote:
>>>>>> Through the PAM configuration for SSH shipped with the
>>>>>> openssh-server package, root login is broken. Here's
>>>>>> why. /etc/pam.d/sshd has:
>>>>>>
>>>>>>     auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
>>>>>>
>>>>>> The file /etc/ssh/denyusers has "root" in it by default.
>>>>>
>>>>> I read somewhere some time ago that PermitRootLogin in
>>>>> sshd_config is ignored if PAM is used. That may be the
>>>>> reason for this.
>>>>
>>>> Nope, I just tested it and that is not true.
>>> There is an explicit comment in the configuration file:
>>>
>>>     # Depending on your PAM configuration,
>>>     # PAM authentication via ChallengeResponseAuthentication may bypass
>>>     # the setting of "PermitRootLogin without-password".
>>>
>>> My understanding is just that some specific PAM configuration
>>> would eventually allow root user to authenticate through a
>>> password, instead of a key.
>>>
>>> Regarding your original problem, feel free to commit the
>>> relevant modifications.
>>
>> Why would anyone need root login over ssh? I don't allow it on
>> my server and it has never caused me any problems. Su to root
>> works perfectly well and avoids the security risk, so I don't
>> understand this thread.
>
> Allowing login as root over ssh with a key can save things when
> for some reason non local auth is down, like to fix the connection
> to the ldap server (you can also create a local emergency account
> for that usage).
OK, thanks for the answer. Looks like some more reading on this
subject is required :-) Although I do use login over ssh with keys
(as user) I don't use ldap, so I've never come across this.
Anne
--
Need KDE help? Try
http://userbase.kde.org or
http://forum.kde.org
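An added example, not part of the thread or of the openssh-server package: a small Python check that reads a PAM sshd stack and an sshd_config and reports when a required pam_listfile rule denies root although PermitRootLogin is yes, the mismatch described in the first quoted message. The function names, the sshd_config sample and the simplified pam_listfile model (item=user rules in the auth stack only) are assumptions.

```python
import re

# Constructed samples: PAM rule and deny file as quoted in the thread; sshd_config assumed.
PAM_SSHD = "auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers\n"
FILES = {"/etc/ssh/denyusers": "root\n"}
SSHD_CONFIG = "UsePAM yes\nPermitRootLogin yes\n"

RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def pam_rules(text, stack="auth"):
    """Yield (control, module, options) for each rule of one PAM stack."""
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m and m.group(1).lstrip("-") == stack:
            opts = dict(o.partition("=")[::2] for o in m.group(4).split())
            yield m.group(2), m.group(3), opts

def listfile_denies(user, opts, files):
    """Simplified pam_listfile model for item=user: True if the module fails."""
    content = files.get(opts.get("file"))
    if content is None:  # unreadable file: onerr decides (fail assumed when unset)
        return opts.get("onerr", "fail") != "succeed"
    listed = user in (l.strip() for l in content.splitlines())
    return listed if opts.get("sense") == "deny" else not listed

def pam_blocker(user, pam_text, files):
    """Return the list file of the first required/requisite rule denying user."""
    for control, module, opts in pam_rules(pam_text):
        if (module.endswith("pam_listfile.so") and opts.get("item") == "user"
                and control in ("required", "requisite")
                and listfile_denies(user, opts, files)):
            return opts.get("file")
    return None

def sshd_option(config, key, default):
    """sshd_config: keywords are case-insensitive, the first value wins."""
    for line in config.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return default

def root_login_policy(pam_text, sshd_config, files):
    """Return (PermitRootLogin is yes, deny file blocking root in PAM or None)."""
    permit = sshd_option(sshd_config, "PermitRootLogin", "").lower() == "yes"
    return permit, pam_blocker("root", pam_text, files)

if __name__ == "__main__":
    print(root_login_policy(PAM_SSHD, SSHD_CONFIG, FILES))
```

A result of `(True, '/etc/ssh/denyusers')` means sshd_config permits root while the PAM auth stack still rejects it, so the two files need to be reviewed together.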