>On 16/09/2004 Frank Lichtenheld wrote: >> On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote: >> > after i changed PermitRootLogin from 'yes' to 'without-password', i was >> > still able to login from a remote box without any key, and with typing >> > the root password, not the key passphrase. >> >> Are you sure you disabled PAM authentication which is the default >> authentication method in the current packages? It is documented that >> there are password based authentication methods that aren't covered by >> without-password: >> <quote sshd_config(5)> >> If this option is set to ``without-password'' password authenti- >> cation is disabled for root. Note that other authentication >> methods (e.g., keyboard-interactive/PAM) may still allow root to >> login using a password. >> </quote>
>if i use >UsePAM no > >even normal user pam logins don't work any longer. > >that's not what i want. well, you can enable PAM, but you then need to disable ChallengeResponse Authentifiaction (enabled by default). This will prevent root logins with password when 'without-password' is set. Keep in mind that in this case passwords will go encrypted over the net. cheers. - Christian -- \|/ ____ \|/ "@'/ .. \'@" /_| \__/ |_\ \__U_/
