
Re: Bug#271822: PermitRootLogin without-password actually does the same as PermitRootLogin yes



On Fri, 2004-09-24 at 16:27 +0200, Jonas Meurer wrote:
> On 24/09/2004 Christian Guggenberger wrote:
> > well, you can enable PAM, but you then need to disable ChallengeResponse Authentication (enabled by default).
> > This will prevent root logins with password when 'without-password' is set.
> > Keep in mind that in this case passwords will go encrypted over the net.
> 
> well, I forgot ...
> you _always_ have to turn on PasswordAuthentication, to still allow
> normal users' logins, that's the relevant point. the setting of
> ChallengeResponseAuthentication doesn't matter for that issue.
> 
well, that's not true. Even with PasswordAuthentication set no, "normal"
users will be allowed in with their passwords via ChallengeResponse
Authentication/PAM. In that case ChallengeResponseAuthentication
really _does_ matter.

But, as discussed earlier, then you have to disallow root logins
completely via ssh - the "without-password" option is not as fine
granulated as it should/could be; it does not distinguish between ssh
rsa/dsa keys and s/keys. I think upstream is working on a finer
granulated scheme for that option. (I don't have the related openssh
bugID handy, sorry)

cheers.
 - Christian
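
Added example, not part of the original message and not OpenSSH code: a small Python audit that applies the interaction described in this thread to an sshd_config and reports which password paths stay open for normal users and for root. The function names, the sample configs and all defaults other than ChallengeResponseAuthentication are assumptions, and Match/Include handling is left out.

```python
# Models the behaviour described in this thread (2004-era sshd with PAM),
# not sshd's actual source logic.
DEFAULTS = {  # assumed defaults; the thread states only the ChallengeResponse one
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def parse_sshd_config(text):
    """Return effective settings; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            # Keywords are case-insensitive; setdefault keeps the first value.
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**DEFAULTS, **seen}

def password_paths(cfg):
    """List the ways a password can still be used to log in, per the thread."""
    pam_ki = (cfg["usepam"] == "yes"
              and cfg["challengeresponseauthentication"] == "yes")
    plain = cfg["passwordauthentication"] == "yes"
    users = [name for name, on in (("password", plain),
                                   ("keyboard-interactive/PAM", pam_ki)) if on]
    root = cfg["permitrootlogin"]
    if root in ("no", "forced-commands-only"):
        root_paths = []
    elif root == "without-password":
        # Only the plain "password" method is refused for root; the
        # challenge-response/PAM path still accepts the root password.
        root_paths = ["keyboard-interactive/PAM"] if pam_ki else []
    else:
        root_paths = list(users)
    return {"users": users, "root": root_paths}

# Constructed sample configs (not taken from the bug report).
REPORTED = "UsePAM yes\nPermitRootLogin without-password\n"
WORKAROUND = REPORTED + "ChallengeResponseAuthentication no\n"
NO_PASSWORDAUTH = "UsePAM yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED), ("workaround", WORKAROUND),
                       ("no PasswordAuthentication", NO_PASSWORDAUTH)):
        print(name, password_paths(parse_sshd_config(conf)))
```

An empty `root` list together with a non-empty `users` list is the combination the thread is looking for; on a live host, the effective values printed by `sshd -T` are a more reliable input than the raw file.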



