PermitRootLogin issues
Stephen Roylance
Stephen.Roylance at verizon.net
Mon Mar 22 11:42:27 EST 2004
Hello,
I'm currently experiencing the issue laid out in this thread from last year:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106908815129641&w=2
The discussion that ensued resulted in a number of ideas on how best to
'fix' this issue. The two that seemed most reasonable were:
1. implement a pubkey-only option to PermitRootLogin that would only
allow root to login using pubkey authentication.
2. implement a more flexible arrangement where a list of allowed
authentication methods could be passed to PermitRootLogin.
I looked through the code and it seems that both are straightforward to
code, but obviously 1 is much less work. I coded up an implementation of
pubkey-only that works for me, and it's attached. I'm willing to work
on option 2, but since that's quite a bit more work, I'd like some
assurance that that is the _right_ way before I start on it.
I think some solution needs to be merged ASAP. I've seen the
recommendation to use without-password if root logins for scripting must
be allowed in various security docs. With more sites using PAM and
non-typical authentication methods (LDAP, winbind), it can be a nasty
shock (or worse, completely unnoticed) to an administrator when that
option doesn't work as they expect.
-Steve
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pubkey-only2.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040321/43707d51/attachment.ksh
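
Added example, not part of the original post or of the attached patch: a small sshd_config check for the surprise described above, where root is set to without-password yet a password-style login still reaches root. It assumes the path in question is keyboard-interactive authentication backed by PAM; the defaults table and the sample configs are constructed assumptions, and only global (non-Match) settings are modelled.

```python
# Assumed defaults for an OpenSSH build of this era; adjust for your version.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def parse_sshd_config(text):
    """Return effective settings. sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower()
        seen.setdefault(key, value)       # later duplicates are ignored
    return {**DEFAULTS, **seen}

def root_password_paths(text):
    """List the ways root could still log in with a typed secret."""
    cfg = parse_sshd_config(text)
    root = cfg["permitrootlogin"]
    paths = []
    # Plain "password" auth is what without-password switches off for root.
    if root == "yes" and cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # Keyboard-interactive through PAM is a separate method, so it is
    # checked independently of PasswordAuthentication.
    if (root in ("yes", "without-password")
            and cfg["challengeresponseauthentication"] == "yes"
            and cfg["usepam"] == "yes"):
        paths.append("keyboard-interactive via PAM")
    return paths

# Constructed sample: the configuration many hardening guides recommend.
SAMPLE_SURPRISING = "PermitRootLogin without-password\nUsePAM yes\n"
# Constructed sample: same, with challenge-response switched off globally.
SAMPLE_CLOSED = SAMPLE_SURPRISING + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("surprising", SAMPLE_SURPRISING), ("closed", SAMPLE_CLOSED)):
        print(name, root_password_paths(cfg) or "pubkey only")
```

Turning off ChallengeResponseAuthentication globally affects every account, not just root, which is the gap a root-only pubkey setting is meant to close.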