Bug#227340: ssh: PermitRootLogin forced-commands-only is broken
Package: ssh
Version: 1:3.6.1p2-11
Severity: normal
Tags: sid
With "PermitRootLogin forced-commands-only" in /etc/ssh/sshd_config,
access is not allowed. Instead, I get:

  dilinger@wax:~$ ssh root@localhost id
  socket: Address family not supported by protocol
  root@localhost's password:

In /var/log/auth.log, I get:

  Jan 12 13:09:34 wax sshd[31981]: ROOT LOGIN REFUSED FROM 127.0.0.1

If I change sshd_config to use "PermitRootLogin without-password", it
works fine:

  dilinger@wax:~$ ssh root@localhost id
  socket: Address family not supported by protocol
  uid=0(root) gid=0(root) groups=0(root)

From the sshd_config manpage:

  If this option is set to ``forced-commands-only'' root login with
  public key authentication will be allowed, but only if the
  command option has been specified (which may be useful for taking
  remote backups even if root login is normally not allowed). All
  other authentication methods are disabled for root.

My sshd_config is below:

# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Uncomment the next entry to accept IPv6 traffic.
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin forced-commands-only
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
UsePrivilegeSeparation no
Subsystem sftp /usr/lib/sftp-server
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux wax.hq.voxel.net 2.4.21 #1 Wed Jul 9 14:15:24 EDT 2003 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages ssh depends on:
ii adduser 3.51 Add and remove users and groups
ii debconf 1.4.4 Debian configuration management sy
ii dpkg 1.10.18 Package maintenance system for Deb
ii libc6 2.3.2.ds1-10 GNU C Library: Shared libraries an
ii libpam-modules 0.76-14.1 Pluggable Authentication Modules f
ii libpam-runtime 0.76-14.1 Runtime support for the PAM librar
ii libpam0g 0.76-14.1 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7c-5 SSL shared libraries
ii libwrap0 7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1-3 compression library - runtime
-- debconf information:
* ssh/privsep_tell:
ssh/insecure_rshd:
ssh/privsep_ask: true
ssh/ssh2_keys_merged:
* ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
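
Added example, not part of the original bug report or of the ssh package: an audit of root's authorized_keys that lists which keys carry the command= option the quoted manpage text requires for "PermitRootLogin forced-commands-only". The key-type prefix list, the sample entries and the function names are assumptions made for illustration.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # assumption: key types start with one of these

def parse_line(line):
    """Return (options dict, key type) for one authorized_keys entry."""
    line = line.strip()
    opts, buf, in_quotes, i = [], "", False, 0
    if not line.startswith(KEY_PREFIXES):      # entry begins with an options field
        while i < len(line):
            c = line[i]
            if in_quotes and line.startswith('\\"', i):
                buf += '"'                     # escaped quote inside a quoted value
                i += 2
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == "," and not in_quotes:   # option separator
                opts.append(buf)
                buf = ""
            elif c in " \t" and not in_quotes: # unquoted whitespace ends the options
                break
            else:
                buf += c
            i += 1
        opts.append(buf)
    fields = line[i:].split()
    options = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        options[name.lower()] = value
    return options, (fields[0] if fields else None)

def root_key_report(text):
    """List (line number, key type, forced command or None) for each key entry."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip() and not raw.lstrip().startswith("#"):
            options, key_type = parse_line(raw)
            report.append((n, key_type, options.get("command")))
    return report

# Constructed sample; the key material is placeholder text, not real keys.
SAMPLE = """# root's authorized_keys
command="/usr/local/bin/backup --mode \\"full\\",v",no-pty,from="10.0.0.5" ssh-rsa AAAAPLACEHOLDER1 backup@host
ssh-rsa AAAAPLACEHOLDER2 admin@laptop
no-port-forwarding,command="id" ssh-dss AAAAPLACEHOLDER3 monitor
"""

if __name__ == "__main__":
    print(*root_key_report(SAMPLE), sep="\n")
```

An entry reported with None as its command has no command= option, so by the manpage wording it would not be accepted for root under forced-commands-only.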