Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes

[Christian Guggenberger <christian.guggenberger@physik.uni-regensburg.de>]

>On 16/09/2004 Frank Lichtenheld wrote:
>> On Wed, Sep 15, 2004 at 03:58:17PM +0200, Jonas Meurer wrote:
>> > after i changed PermitRootLogin from 'yes' to 'without-password', i was
>> > still able to login from a remote box without any key, and with typing
>> > the root password, not the key passphrase.
>> 
>> Are you sure you disabled PAM authentication which is the default
>> authentication method in the current packages? It is documented that
>> there are password based authentication methods that aren't covered by
>> without-password:
>> <quote sshd_config(5)>
>> If this option is set to ``without-password'' password authenti-
>> cation is disabled for root.  Note that other authentication
>> methods (e.g., keyboard-interactive/PAM) may still allow root to
>> login using a password.
>> </quote>

>if i use
>UsePAM no
>
>even normal user pam logins don't work any longer.
>
>that's not what i want.

well, you can enable PAM, but you then need to disable ChallengeResponse Authentifiaction (enabled by default).
This will prevent root logins with password when 'without-password' is set.
Keep in mind that in this case passwords will go encrypted over the net.



cheers.
 - Christian


-- 
\|/ ____ \|/
"@'/ .. \'@"
/_| \__/ |_\
   \__U_/