PermitRootLogin without-password functionality differs for UsePAM yes/no option

Michael Stone mstone at mathom.us
Thu Jan 20 23:50:48 EST 2005


On Thu, Jan 20, 2005 at 08:43:53PM +1100, you wrote:
>Strictly speaking it's keyboard-interactive authentication, not 
>password.  It's backended onto PAM, which in your case happens to 
>authenticate via a simple password (it could have been S/Key or OPIE or 
>mental telepathy but sshd has no way to know what PAM has in mind).
>
>You can prevent this by setting "PasswordAuthentication yes" and 
>"ChallengeResponseAuthentication no" in sshd_config.

But that completely changes the authentication for all users. Let's try
putting this a different way: it would be nifty if there were a way to
allow root logins only with a key (which is what people thought they
were getting when they set without-password) which is short of
forced-command only.

Mike Stone
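The interaction discussed in this message can be checked mechanically. The sketch below is an added example, not part of the original post and not OpenSSH code: it models only the behaviour described in this thread, where `without-password` blocks the password method but not PAM-backed keyboard-interactive. The function names, the sample config and the default values in `DEFAULTS` are assumptions.

```python
# Added example: models the behaviour described in this thread, not sshd itself.
# DEFAULTS are assumed values for options absent from the file.
DEFAULTS = {
    "permitrootlogin": "yes",
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed sample: the configuration the thread is about.
SAMPLE = """\
# root should be key-only
PermitRootLogin without-password
UsePAM yes
"""

def parse_sshd_config(text):
    """Return effective global settings; the first value seen for a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**DEFAULTS, **settings}

def root_password_paths(text):
    """List the ways root could still log in with a typed secret instead of a key."""
    cfg = parse_sshd_config(text)
    root = cfg["permitrootlogin"]
    paths = []
    if root in ("no", "forced-commands-only"):
        return paths
    # Plain password auth is only open to root when PermitRootLogin is "yes".
    if root == "yes" and cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # The case from the thread: keyboard-interactive is handed to PAM, and sshd
    # cannot tell whether PAM will simply prompt for the account password.
    if cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes":
        paths.append("keyboard-interactive (PAM)")
    return paths

if __name__ == "__main__":
    print(root_password_paths(SAMPLE))
```

Appending `ChallengeResponseAuthentication no` to the sample empties the list, which is the global workaround quoted above and the reason it affects every user rather than root alone.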



