[Mageia-dev] SSH PAM configuration

Mon Aug 13 10:39:07 CEST 2012

-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+On 13/08/12 08:34, Guillaume Rousse wrote:
+> Le 12/08/2012 21:57, David Walser a écrit :
+>> Johnny A. Solbu wrote:
+>>> On Sunday 12 August 2012 19:28, David Walser wrote:
+>>>> Through the PAM configuration for SSH shipped with the 
+>>>> openssh-server package, root login is broken.  Here's why. 
+>>>> /etc/pam.d/sshd has: auth required pam_listfile.so item=user
+>>>> sense=deny file=/etc/ssh/denyusers
+>>>> 
+>>>> The file /etc/ssh/denyusers has "root" in it by default.
+>>> 
+>>> I read somewhere some time ago that PermitRootLogin in
+>>> sshd_config is ignored if PAM is used. That may be the reason
+>>> for this.
+>> 
+>> Nope, I just tested it and that is not true.
+> There is an explicit comment in the configuration file: # Depending
+> on your PAM configuration, # PAM authentication via
+> ChallengeResponseAuthentication may bypass # the setting of
+> "PermitRootLogin without-password".
+> 
+> My understanding is just than some specific PAM configuration
+> would eventually allow root user to authenticate through a
+> password, instead of a key.
+> 
+> Regarding your original problem, feel free to commit the relevant 
+> modifications.
+
+Why would anyone need root login over ssh?  I don't allow it on my
+server and it has never caused me any problems.  Su to root works
+perfectly well and avoids the security risk, so I don't understand
+this thread.
+
+Anne
+- -- 
+Need KDE help? Try
+http://userbase.kde.org or
+http://forum.kde.org
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
+
+iEYEARECAAYFAlAovSkACgkQj93fyh4cnBc8AQCbBY28p9fxW2LtWV9G89b1VlnT
+spYAn3hJGydYD5jdpNtSYTnjDznI4hED
+=c6wq
+-----END PGP SIGNATURE-----
+