On Wednesday 26 September 2007 11:02:26 Rakhesh Sasidharan wrote:
> CyberLeo Kitsana wrote:
> > Rakhesh Sasidharan wrote:
> >> Any ideas or nudges in the right direction as to why this is happening?
> >> Looks like I've understood the interaction between SSH and PAM wrong
> >> here, so would appreciate some enlightenment.
> >
> > According to my understanding of the SSH protocol, you're continually
> > asked because an authentication failure is not a fatal error.
> >
> > When authenticating an SSH session, a list of mutually supported methods
> > is compiled (public-key, challenge-response, S/Key,
> > keyboard-interactive, plaintext) and the client cycles through the list
> > based on what it thinks is most likely to work.
> >
> > It's perfectly acceptable for a client to attempt password
> > authentication before public-key, or even interleave them. All the
> > server can do is say yay or nay to an attempt with a restricted method,
> > because it cannot know if the next attempt may utilize an allowed method.
> >
> > After the requisite three or five failed attempts (depending on the
> > server config), it may send a general failure code (too many failed
> > attempts) and disconnect the client at its discretion.
>
> Here's another oddity I encountered today.
>
> If "PermitRootLogin" is set to "forced-commands-only", my understanding is
> the SSHD will permit root logins if a command to be executed is given. But
> that doesn't seem to be the case in practice! I have keys set up for root
> to login, but instead of letting me in with those keys, SSHD ignores them,
> passes me to PAM for password prompting (three times) and then denies me
> out! Very strange.
>
> I even set up a "Match User" clause for root and specified a command to
> run. Still, SSHD refuses to let me in with/without key and for a specific
> command.

PermitRootLogin without-password won't allow what you want to do? To use it, you have to set up a passphrase (public key).

_______________________________________________
email@example.com mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
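
For reference on the `forced-commands-only` setting discussed in this thread: sshd_config(5) describes it as allowing root public-key logins only when the key itself carries a `command` option. The following is an added example, not part of any poster's message; it parses the option field of `authorized_keys` lines and reports which keys meet that condition. The sample file, key strings and key-type prefix list are constructed assumptions.

```python
# Added example: audit root's authorized_keys against the documented
# "forced-commands-only" condition (key must have a command="..." option).
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # assumption: key-type names start like this

# Constructed sample of /root/.ssh/authorized_keys; key blobs are placeholders.
SAMPLE = '''\
# constructed sample
ssh-rsa AAAAPLACEHOLDERKEY1 admin@example
command="/usr/local/bin/backup --mode \\"full\\", verbose",no-pty,from="192.0.2.10" ssh-rsa AAAAPLACEHOLDERKEY2 backup@example
no-port-forwarding,no-pty ssh-rsa AAAAPLACEHOLDERKEY3 ops@example
'''

def parse_options(line):
    """Return the options of one authorized_keys line as a dict ({} if none)."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_PREFIXES):
        return {}
    tokens, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur.append('"')          # \" inside quotes is a literal quote
            i += 2
            continue
        if ch == '"':
            quoted = not quoted      # quotes delimit values, not stored
        elif not quoted and ch == ",":
            tokens.append("".join(cur))
            cur = []
        elif not quoted and ch in " \t":
            break                    # unquoted whitespace ends the option field
        else:
            cur.append(ch)
        i += 1
    tokens.append("".join(cur))
    return {n.lower(): v for n, _, v in (t.partition("=") for t in tokens)}

def root_key_report(text):
    """Return (line_no, has_command, command) for every key line in text."""
    report = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cmd = parse_options(line).get("command")
        report.append((no, cmd is not None, cmd))
    return report

if __name__ == "__main__":
    for no, ok, cmd in root_key_report(SAMPLE):
        print(f"line {no}: {'has command=' + repr(cmd) if ok else 'no command option'}")
```
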