PermitRootLogin issues

Stephen Roylance Stephen.Roylance at verizon.net
Mon Mar 22 11:42:27 EST 2004


Hello,
I'm currently experiencing the issue laid out in this thread from last year:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106908815129641&w=2

The discussion that ensued resulted in a number of ideas on how best to 
'fix' this issue.  The two that seemed most reasonable were:
1. implement a pubkey-only option to PermitRootLogin that would only 
allow root to login using pubkey authentication.
2. implement a more flexible arrangement where a list of allowed 
authentication methods could be passed to PermitRootLogin.

I looked through the code and it seems that both are straightforward to 
code, but obviously 1 is much less work.  I coded up an implementation of 
pubkey-only that works for me, and it's attached.  I'm willing to work 
on option 2, but since that's quite a bit more work, I'd like some 
assurance that that is the _right_ way before I start on it.

I think some solution needs to be merged ASAP.  I've seen the 
recommendation to use without-password if root logins for scripting must 
be allowed in various security docs.  With more sites using PAM and 
non-typical authentication methods (LDAP, winbind), it can be a nasty 
shock (or worse, completely unnoticed) to an administrator when that 
option doesn't work as they expect.

-Steve
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pubkey-only2.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040321/43707d51/attachment.ksh 
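The "nasty shock" Steve describes can be caught with a configuration audit. The following script is an added example, not the attached patch or any OpenSSH code: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) and warns when PermitRootLogin without-password is combined with UsePAM and ChallengeResponseAuthentication, since without-password only refuses the "password" method and leaves PAM keyboard-interactive open to root. The fallback defaults for absent keywords are assumed to be stock OpenSSH 3.x defaults; the sample configurations are constructed.

```shell
#!/bin/sh
# Audit an sshd_config for the trap described in the post: PermitRootLogin
# without-password refuses only the "password" method, so with UsePAM yes and
# ChallengeResponseAuthentication yes, root can still be prompted for a
# password through PAM keyboard-interactive (e.g. LDAP or winbind).

# Print the first effective value of KEYWORD in FILE, lowercased.
# sshd honours the first occurrence of a keyword; later lines are ignored.
sshd_option() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }               # skip blanks and comments
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 if root really is limited to non-password methods, 1 otherwise.
# Assumed defaults when a keyword is absent (stock OpenSSH 3.x):
# PermitRootLogin yes, ChallengeResponseAuthentication yes, UsePAM no.
audit_root_login() {
    prl=$(sshd_option "$1" PermitRootLogin); prl=${prl:-yes}
    cra=$(sshd_option "$1" ChallengeResponseAuthentication); cra=${cra:-yes}
    pam=$(sshd_option "$1" UsePAM); pam=${pam:-no}
    case "$prl" in
        no)
            echo "OK: root logins are disabled"; return 0 ;;
        forced-commands-only)
            echo "OK: root limited to forced-command public keys"; return 0 ;;
        without-password)
            if [ "$cra" = yes ] && [ "$pam" = yes ]; then
                echo "WARN: without-password blocks only the password method;" \
                     "PAM keyboard-interactive can still prompt root for a password"
                return 1
            fi
            echo "OK: root limited to non-password methods"; return 0 ;;
        yes)
            echo "WARN: PermitRootLogin yes permits root password logins"; return 1 ;;
        *)
            echo "WARN: unrecognised PermitRootLogin value '$prl'"; return 1 ;;
    esac
}

# Constructed sample configs: write_sample FILE risky|fixed
write_sample() {
    if [ "$2" = risky ]; then cra=yes; else cra=no; fi
    printf '%s\n' "# root may only log in without a password" \
        "PermitRootLogin without-password" "PasswordAuthentication no" \
        "UsePAM yes" "ChallengeResponseAuthentication $cra" > "$1"
}
```

Run `audit_root_login /etc/ssh/sshd_config` on a live host; the risky sample fails the check and the same file with ChallengeResponseAuthentication no passes it.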