Hi Stuart,

On Fri, Oct 13, 2017 at 02:01:17PM +0100, Stuart Henderson wrote:
> How about a briefer alternative that points people towards the
> more self-explanatory option keyword?

Or even better, modify the first paragraph to make it clear from the
very start that there are *four* arguments, not five (if my English fails
let me know, please):

Change this:

   PermitRootLogin
        Specifies whether root can log in using ssh(1).  The argument
        must be yes, prohibit-password, without-password,
        forced-commands-only, or no.  The default is prohibit-password.

to this:

   PermitRootLogin
        Specifies whether root can log in using ssh(1).  The argument
        must be yes, prohibit-password (late without-password),
        forced-commands-only, or no.  The default is prohibit-password.


I still think some redundancy in the second paragraph is welcome to
leave the reader no doubt about what each option exactly allows and
prohibits.  Without that clarification, when you get to the third
paragraph:

   If this option is set to forced-commands-only, root login with public
   key authentication will be allowed, but only if the command option...

you may wonder if prohibit-password allows public key authentication.
At least that's what happened to me. :-)


New version:


--- sshd_config.5.orig  Fri Oct 13 16:23:06 2017
+++ sshd_config.5       Fri Oct 13 16:20:34 2017
@@ -1189,8 +1189,8 @@
 .Xr ssh 1 .
 The argument must be
 .Cm yes ,
-.Cm prohibit-password ,
-.Cm without-password ,
+.Cm prohibit-password
+.Pq late without-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
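
Review bot: in the new `.Pq late without-password ,` line the alias loses the `.Cm` markup it had on the removed line, and "late" is not the usual word for a superseded keyword, so a reader may not recognise without-password as an accepted argument. Consider `.Pq formerly Cm without-password ,` or wording that calls it a deprecated alias, so the keyword is formatted like the other arguments in the list.
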
@@ -1199,9 +1199,8 @@
 .Pp
 If this option is set to
 .Cm prohibit-password
-or
-.Cm without-password ,
-password and keyboard-interactive authentication are disabled for root.
+(without-password is still valid) only non keyboard-interactive
+authentication (public-key, hostbased and GSSAPI) is allowed for root.
 .Pp
 If this option is set to
 .Cm forced-commands-only ,
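
Review bot: the replacement sentence on the two `+` lines no longer states that password authentication is disabled; "only non keyboard-interactive authentication" can be read as still permitting password, which the removed line named as a method separate from keyboard-interactive. Keep the removed sentence's explicit "password and keyboard-interactive authentication are disabled for root" and append the list of methods that remain allowed (public-key, hostbased and GSSAPI). The parenthetical "without-password is still valid" is also plain text with no `.Cm`, unlike the keyword on the line above it.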

