PermitRootLogin without-password functionality differs for UsePAM yes/no option
Michael Stone
mstone at mathom.us
Thu Jan 20 23:50:48 EST 2005
On Thu, Jan 20, 2005 at 08:43:53PM +1100, you wrote:
>Strictly speaking it's keyboard-interactive authentication, not
>password. It's backended onto PAM, which in your case happens to
>authenticate via a simple password (it could have been S/Key or OPIE or
>mental telepathy but sshd has no way to know what PAM has in mind).
>
>You can prevent this by setting "PasswordAuthentication yes" and
>"ChallengeResponseAuthentication no" in sshd_config.
But that completely changes the authentication for all users. Let's try
putting this a different way: it would be nifty if there were a way to
allow root logins only with a key (which is what people thought they
were getting when they set without-password) which is short of
forced-command only.
Mike Stone
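
Added example (not part of the original message and not OpenSSH code): a small sshd_config audit that flags the case discussed in this thread, where PermitRootLogin without-password still leaves root a password-capable path through PAM-backed keyboard-interactive. The function names, the default values and the sample configurations are assumptions made for the illustration, and the model follows the sshd behaviour described in the thread, not necessarily current releases.

```python
import re

# Defaults assumed for keywords missing from the file (an assumption for
# this example; distribution builds may ship different defaults).
DEFAULTS = {
    "permitrootlogin": "yes",
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def parse_global(text):
    """Global sshd_config settings; sshd keeps the first value it sees."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return seen

def root_password_paths(text, defaults=DEFAULTS):
    """Password-capable methods root can still use, per the thread's model."""
    cfg = {**defaults, **parse_global(text)}
    root = cfg["permitrootlogin"]
    paths = []
    if root == "yes" and cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # keyboard-interactive is handed to PAM, which may simply ask for a
    # password; without-password does not block it in the sshd discussed here.
    if (root in ("yes", "without-password")
            and cfg["usepam"] == "yes"
            and cfg["challengeresponseauthentication"] == "yes"):
        paths.append("keyboard-interactive")
    return paths

# Constructed sample configurations (not taken from any real host).
AS_REPORTED = "PermitRootLogin without-password\nUsePAM yes\n"
AS_ADVISED = AS_REPORTED + (
    "PasswordAuthentication yes\nChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    print(root_password_paths(AS_REPORTED))
    print(root_password_paths(AS_ADVISED))
```

The advised settings clear the finding only because ChallengeResponseAuthentication is switched off globally, so the change applies to every account and not just root.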