Colin Watson wrote:
| On Mon, Jan 12, 2004 at 01:14:43PM -0500, Andres Salomon wrote:
|
|>With "PermitRootLogin forced-commands-only" in /etc/ssh/sshd_config,
|>access is not allowed. Instead, I get:
|>
|>[EMAIL PROTECTED]:~$ ssh [EMAIL PROTECTED] id
|>socket: Address family not supported by protocol
|>[EMAIL PROTECTED]'s password:
|>
|>In /var/log/auth.log, I get:
|>
|>Jan 12 13:09:34 wax sshd[31981]: ROOT LOGIN REFUSED FROM 127.0.0.1
|>
|>If I change sshd_config to use "PermitRootLogin without-password", it
|>works fine:
|>
|>[EMAIL PROTECTED]:~$ ssh [EMAIL PROTECTED] id
|>socket: Address family not supported by protocol
|>uid=0(root) gid=0(root) groups=0(root)
|>
|>
|> From the sshd_config manpage:
|>    If this option is set to ``forced-commands-only'' root login with
|>    public key authentication will be allowed, but only if the
|>    command option has been specified (which may be useful for taking
|>    remote backups even if root login is normally not allowed). All
|>    other authentication methods are disabled for root.
|
|
| So do you have a command= option for the relevant key in
| ~root/.authorized_keys? I think not, since your transcript above
| indicates that you're using password authentication, and the man page
| explicitly says "root login with public key authentication will be
| allowed [with the command option, and nothing else]".
|
| The authorized_keys file format is described in sshd(8).
|
| Cheers,
|

Ah, no. The sshd_config manpage simply says "command option"; I (and
another person who came to the same conclusion as me) thought that just
meant the command arg to ssh. Please add some mention of
.authorized_keys in the sshd_config manpage, as it's confusing for
someone who has just stumbled upon PermitRootLogin forced-commands-only.

I'd recommend something like:
"but only if the command option has been specified in root's
.authorized_keys (which may be useful for taking remote backups even if
root login is normally not allowed)."
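As an added example (not part of the original messages and not OpenSSH code), this Python code parses authorized_keys lines in the format described in sshd(8) and reports which keys carry a command= option, the condition the quoted man page text attaches to forced-commands-only. The key material, hosts and backup command in the sample are constructed placeholders, and the key-type prefix list is an assumption.

```python
# Added example. Assumption: these prefixes cover the key type names in use.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_entry(line):
    """Return (options, key_type) for one authorized_keys line, None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):        # no options field on this line
        return {}, line.split()[0]
    opts, cur, in_quotes, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and line[i:i + 2] == '\\"':  # escaped quote inside a value
            cur += '"'
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:          # separator between options
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not in_quotes:        # end of the options field
            break
        else:
            cur += ch
        i += 1
    opts.append(cur)
    pairs = (opt.partition("=") for opt in opts)
    options = {name.lower(): value for name, _, value in pairs}  # keywords are case-insensitive
    rest = line[i:].split()
    return options, (rest[0] if rest else "")

def forced_command_report(text):
    """Return [(line_no, key_type, command or None)] for every key line in text."""
    entries = ((n, parse_entry(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, e[1], e[0].get("command")) for n, e in entries if e is not None]

# Constructed sample: placeholder key material, hosts and backup command.
SAMPLE = '''\
# root's authorized_keys (constructed)
command="/usr/local/bin/backup --dest \\"/srv/bk\\"",no-pty ssh-rsa AAAAB3PLACEHOLDER backup@host
ssh-rsa AAAAB3PLACEHOLDER admin@host
no-pty,no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER other@host
'''

if __name__ == "__main__":
    for n, key_type, command in forced_command_report(SAMPLE):
        print(n, key_type, f"command={command!r}" if command else "no command= option")
```

Keys reported without a command= option are the ones that do not meet the man page's stated condition for root under forced-commands-only.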

