Bug#227340: ssh: PermitRootLogin forced-commands-only is broken
On Mon, Jan 12, 2004 at 01:14:43PM -0500, Andres Salomon wrote:
> With "PermitRootLogin forced-commands-only" in /etc/ssh/sshd_config,
> access is not allowed. Instead, I get:
>
> dilinger@wax:~$ ssh root@localhost id
> socket: Address family not supported by protocol
> root@localhost's password:
>
> In /var/log/auth.log, I get:
>
> Jan 12 13:09:34 wax sshd[31981]: ROOT LOGIN REFUSED FROM 127.0.0.1
>
> If I change sshd_config to use "PermitRootLogin without-password", it
> works fine:
>
> dilinger@wax:~$ ssh root@localhost id
> socket: Address family not supported by protocol
> uid=0(root) gid=0(root) groups=0(root)
>
>
> From the sshd_config manpage:
> If this option is set to ``forced-commands-only'' root login with
> public key authentication will be allowed, but only if the
> command option has been specified (which may be useful for taking
> remote backups even if root login is normally not allowed). All
> other authentication methods are disabled for root.

So do you have a command= option for the relevant key in
~root/.authorized_keys? I think not, since your transcript above
indicates that you're using password authentication, and the man page
explicitly says "root login with public key authentication will be
allowed [with the command option, and nothing else]".

The authorized_keys file format is described in sshd(8).

Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
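
The check suggested in the reply above can be scripted. This is an added example, not part of the original thread or of OpenSSH: it parses authorized_keys lines and reports which keys carry a command= option, the condition the quoted man page text sets for root login under forced-commands-only. The helper names (`split_options`, `audit`) and the sample file are constructed for illustration, and the parser assumes protocol 2 key types only.

```python
import re
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")  # assumption: protocol 2 key type prefixes

def split_options(line):
    """Split one authorized_keys line into (options list, remainder)."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return [], line                     # starts with the key type: no options
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and line.startswith('\\"', i):
            cur, i = cur + '\\"', i + 2     # escaped quote inside a quoted value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            break                           # unquoted whitespace ends the options field
        if ch == "," and not in_quote:
            opts.append(cur)                # unquoted comma separates options
            cur = ""
        else:
            cur += ch
        i += 1
    opts.append(cur)
    return opts, line[i:].strip()

def audit(text):
    """Map each key's comment (or key type if none) to True when it has command=."""
    result = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # skip blank lines and comments
        opts, rest = split_options(raw)
        fields = rest.split(None, 2)        # key type, base64 blob, comment
        if fields:
            label = fields[2] if len(fields) > 2 else fields[0]
            result[label] = any(o.lower().startswith("command=") for o in opts)
    return result

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# root's authorized_keys (constructed)
ssh-rsa AAAAB3PLACEHOLDER1 admin@wax
command="rsync --server --sender -logDtpr . /srv/,/etc/",no-pty ssh-rsa AAAAB3PLACEHOLDER2 backup@host
from="10.0.0.5",no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER3 ops@host
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Keys reported as False have no command= option, so per the man page text quoted above they would not be accepted for root while forced-commands-only is set.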