On Mon, Aug 13, 2012 at 9:39 AM, Anne Wilson <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 13/08/12 08:34, Guillaume Rousse wrote:
>> On 12/08/2012 21:57, David Walser wrote:
>>> Johnny A. Solbu wrote:
>>>> On Sunday 12 August 2012 19:28, David Walser wrote:
>>>>> Through the PAM configuration for SSH shipped with the
>>>>> openssh-server package, root login is broken. Here's why.
>>>>> /etc/pam.d/sshd has:
>>>>> auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
>>>>>
>>>>> The file /etc/ssh/denyusers has "root" in it by default.
>>>>
>>>> I read somewhere some time ago that PermitRootLogin in
>>>> sshd_config is ignored if PAM is used. That may be the reason
>>>> for this.
>>>
>>> Nope, I just tested it and that is not true.
>> There is an explicit comment in the configuration file:
>> # Depending on your PAM configuration,
>> # PAM authentication via ChallengeResponseAuthentication may bypass
>> # the setting of "PermitRootLogin without-password".
>>
>> My understanding is just that some specific PAM configuration
>> would eventually allow the root user to authenticate through a
>> password, instead of a key.
>>
>> Regarding your original problem, feel free to commit the relevant
>> modifications.
>
> Why would anyone need root login over ssh? I don't allow it on my
> server and it has never caused me any problems. Su to root works
> perfectly well and avoids the security risk, so I don't understand
> this thread.
Allowing login as root over ssh with a key can save things when, for some reason, non-local auth is down, e.g. to fix the connection to the LDAP server (you can also create a local emergency account for that usage).
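Added example (not from the thread, and not Mageia's own tooling): a small POSIX sh checker that reads a PAM service file such as /etc/pam.d/sshd, finds the pam_listfile.so lines, and reports whether a given user would be refused by them before sshd's own PermitRootLogin setting is ever consulted. It assumes only item=user entries matter, treats an unreadable list file as a refusal (the module's default onerr=fail), and builds its fixture files in a temporary directory rather than touching the real configuration.

```shell
#!/bin/sh
# Added example: decide what pam_listfile.so lines in a PAM service file do
# for one user. Prints "deny" if any such line refuses the user, else "pass".
set -eu

pam_listfile_verdict() {
    user=$1
    pamfile=$2
    verdict=pass
    while read -r line; do
        case $line in
            \#*|'') continue ;;            # skip comments and blank lines
        esac
        case $line in
            *pam_listfile.so*item=user*) ;; # only user-based list checks
            *) continue ;;
        esac
        sense=$(printf '%s\n' "$line" | sed -n 's/.*sense=\([^[:space:]]*\).*/\1/p')
        listfile=$(printf '%s\n' "$line" | sed -n 's/.*file=\([^[:space:]]*\).*/\1/p')
        if [ ! -r "$listfile" ]; then
            verdict=deny; break            # module default onerr=fail
        fi
        if grep -qx "$user" "$listfile"; then listed=yes; else listed=no; fi
        # sense=deny refuses listed users; sense=allow refuses unlisted ones
        if [ "$sense" = deny ] && [ "$listed" = yes ]; then verdict=deny; break; fi
        if [ "$sense" = allow ] && [ "$listed" = no ]; then verdict=deny; break; fi
    done < "$pamfile"
    printf '%s\n' "$verdict"
}

# Constructed fixture mirroring the thread: a denyusers file containing "root"
# and a service file with the pam_listfile line pointing at it. Prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    printf 'root\n' > "$dir/denyusers"
    cat > "$dir/sshd" <<EOF
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=$dir/denyusers
auth       include      system-auth
EOF
    printf '%s\n' "$dir"
}

demo=$(make_fixture)
printf 'root:  %s\n' "$(pam_listfile_verdict root "$demo/sshd")"
printf 'alice: %s\n' "$(pam_listfile_verdict alice "$demo/sshd")"
```

Run it against the live file with `pam_listfile_verdict root /etc/pam.d/sshd` to confirm whether the listfile, rather than sshd_config, is what blocks root.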
