From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-August/018097.html | 127 +++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-August/018097.html (limited to 'zarb-ml/mageia-dev/2012-August/018097.html') diff --git a/zarb-ml/mageia-dev/2012-August/018097.html b/zarb-ml/mageia-dev/2012-August/018097.html new file mode 100644 index 000000000..e95c22ff9 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-August/018097.html @@ -0,0 +1,127 @@ + + + + [Mageia-dev] SSH PAM configuration + + + + + + + + + +

[Mageia-dev] SSH PAM configuration

+ Pascal Terjan + pterjan at gmail.com +
+ Mon Aug 13 10:58:06 CEST 2012 +

+
+ +
On Mon, Aug 13, 2012 at 9:39 AM, Anne Wilson <annew at kde.org> wrote:
+> -----BEGIN PGP SIGNED MESSAGE-----
+> Hash: SHA1
+>
+> On 13/08/12 08:34, Guillaume Rousse wrote:
+>> Le 12/08/2012 21:57, David Walser a écrit :
+>>> Johnny A. Solbu wrote:
+>>>> On Sunday 12 August 2012 19:28, David Walser wrote:
+>>>>> Through the PAM configuration for SSH shipped with the
+>>>>> openssh-server package, root login is broken.  Here's why.
+>>>>> /etc/pam.d/sshd has: auth required pam_listfile.so item=user
+>>>>> sense=deny file=/etc/ssh/denyusers
+>>>>>
+>>>>> The file /etc/ssh/denyusers has "root" in it by default.
+>>>>
+>>>> I read somewhere some time ago that PermitRootLogin in
+>>>> sshd_config is ignored if PAM is used. That may be the reason
+>>>> for this.
+>>>
+>>> Nope, I just tested it and that is not true.
+>> There is an explicit comment in the configuration file: # Depending
+>> on your PAM configuration, # PAM authentication via
+>> ChallengeResponseAuthentication may bypass # the setting of
+>> "PermitRootLogin without-password".
+>>
+>> My understanding is just than some specific PAM configuration
+>> would eventually allow root user to authenticate through a
+>> password, instead of a key.
+>>
+>> Regarding your original problem, feel free to commit the relevant
+>> modifications.
+>
+> Why would anyone need root login over ssh?  I don't allow it on my
+> server and it has never caused me any problems.  Su to root works
+> perfectly well and avoids the security risk, so I don't understand
+> this thread.
+
+Allowing login as root over ssh with a key can save things when for
+some reason non local auth is down, like to fix the connection to the
+ldap server (you can also create a local emergency account for that
+usage).
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
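Review bot: The archived message in the new 018097.html keeps poster addresses in the trivially reversible "at" form, both in the header block (`pterjan at gmail.com`) and in the quoted attribution line (`annew at kde.org`). Once committed, these stay in the repository history even if the page is cleaned up later. If that exposure is not intended, run a stronger obfuscation or redaction pass over the archive files before importing them, and apply it to attribution lines inside message bodies as well as to the header. Separately, the commit message "Add zarb MLs html archives" does not say where the files came from or how they were generated. A line recording the source and the export tool would let someone verify later that the imported pages match the original list archive.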