On 13/08/12 09:58, Pascal Terjan wrote:
> On Mon, Aug 13, 2012 at 9:39 AM, Anne Wilson <[email protected]> wrote:
>> On 13/08/12 08:34, Guillaume Rousse wrote:
>>> On 12/08/2012 21:57, David Walser wrote:
>>>> Johnny A. Solbu wrote:
>>>>> On Sunday 12 August 2012 19:28, David Walser wrote:
>>>>>> Through the PAM configuration for SSH shipped with the
>>>>>> openssh-server package, root login is broken. Here's why.
>>>>>> /etc/pam.d/sshd has:
>>>>>> auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
>>>>>>
>>>>>> The file /etc/ssh/denyusers has "root" in it by default.
>>>>>
>>>>> I read somewhere some time ago that PermitRootLogin in
>>>>> sshd_config is ignored if PAM is used. That may be the
>>>>> reason for this.
>>>>
>>>> Nope, I just tested it and that is not true.
>>> There is an explicit comment in the configuration file:
>>> # Depending on your PAM configuration,
>>> # PAM authentication via ChallengeResponseAuthentication may bypass
>>> # the setting of "PermitRootLogin without-password".
>>>
>>> My understanding is just that some specific PAM configuration
>>> would eventually allow root user to authenticate through a
>>> password, instead of a key.
>>>
>>> Regarding your original problem, feel free to commit the
>>> relevant modifications.
>>
>> Why would anyone need root login over ssh? I don't allow it on
>> my server and it has never caused me any problems. Su to root
>> works perfectly well and avoids the security risk, so I don't
>> understand this thread.
>
> Allowing login as root over ssh with a key can save things when
> for some reason non-local auth is down, like to fix the connection
> to the ldap server (you can also create a local emergency account
> for that usage).

OK, thanks for the answer. Looks like some more reading on this subject is required :-) Although I do use login over ssh with keys (as user) I don't use ldap, so I've never come across this.

Anne
-- 
Need KDE help? Try http://userbase.kde.org or http://forum.kde.org
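The mismatch this thread is about, as an added example that is not part of the original messages or of the openssh-server package: a Python check that compares `PermitRootLogin` in `sshd_config` with any `pam_listfile.so item=user sense=deny` rule in `/etc/pam.d/sshd` whose file names root. The `SAMPLE` contents are constructed from the lines quoted above, and the function names and the `read` callback are assumptions of this example.

```python
import os
import re

# Constructed sample modelled on the files quoted in the thread (not a real host's data).
SAMPLE = {
    "/etc/pam.d/sshd": "auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers\n",
    "/etc/ssh/sshd_config": "UsePAM yes\nPermitRootLogin without-password\n",
    "/etc/ssh/denyusers": "root\n",
}


def pam_deny_files(pam_text):
    """Files named by auth rules: pam_listfile.so item=user sense=deny file=..."""
    files = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        mod = [i for i, f in enumerate(fields) if os.path.basename(f) == "pam_listfile.so"]
        if not mod or fields[0].lstrip("-") != "auth":
            continue
        args = dict(a.split("=", 1) for a in fields[mod[0] + 1:] if "=" in a)
        if args.get("item") == "user" and args.get("sense") == "deny" and "file" in args:
            files.append(args["file"])
    return files


def permit_root_login(sshd_text):
    """First global PermitRootLogin value (sshd keeps the first value it reads), else None."""
    for line in sshd_text.splitlines():
        m = re.match(r"\s*(\w+)[\s=]+(\S+)", line)
        if m and m.group(1).lower() == "match":
            break  # Match blocks are conditional; only global settings are read here
        if m and m.group(1).lower() == "permitrootlogin":
            return m.group(2).strip('"').lower()
    return None


def audit(read):
    """`read` maps a path to its text ('' if absent), e.g. a dict lookup or a file reader."""
    permit = permit_root_login(read("/etc/ssh/sshd_config"))
    blocking = [f for f in pam_deny_files(read("/etc/pam.d/sshd"))
                if "root" in (u.strip() for u in read(f).splitlines())]
    # Mismatch: sshd_config allows root in some form, yet a PAM deny list names root.
    return {"permit": permit, "blocking": blocking,
            "mismatch": permit not in (None, "no") and bool(blocking)}


if __name__ == "__main__":
    print(audit(lambda path: SAMPLE.get(path, "")))
```

An unset `PermitRootLogin` is reported as `None` and not flagged, because the compiled-in default depends on the OpenSSH version.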
