
Bug#227340: ssh: PermitRootLogin forced-commands-only is broken



On Mon, Jan 12, 2004 at 01:14:43PM -0500, Andres Salomon wrote:
> With "PermitRootLogin forced-commands-only" in /etc/ssh/sshd_config,
> access is not allowed.  Instead, I get:
> 
> dilinger@wax:~$ ssh root@localhost id
> socket: Address family not supported by protocol
> root@localhost's password:
> 
> In /var/log/auth.log, I get:
> 
> Jan 12 13:09:34 wax sshd[31981]: ROOT LOGIN REFUSED FROM 127.0.0.1
> 
> If I change sshd_config to use "PermitRootLogin without-password", it
> works fine:
> 
> dilinger@wax:~$ ssh root@localhost id
> socket: Address family not supported by protocol
> uid=0(root) gid=0(root) groups=0(root)
> 
> 
> From the sshd_config manpage:
>       If this option is set to ``forced-commands-only'' root login with
>       public key authentication will be allowed, but only if the
>       command option has been specified (which may be useful for taking
>       remote backups even if root login is normally not allowed). All
>       other authentication methods are disabled for root.

So do you have a command= option for the relevant key in
~root/.authorized_keys? I think not, since your transcript above
indicates that you're using password authentication, and the man page
explicitly says "root login with public key authentication will be
allowed [with the command option, and nothing else]".

The authorized_keys file format is described in sshd(8).

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
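
The check suggested in the reply above, as an added example that is not part of the original message: it parses authorized_keys lines in the format sshd(8) describes and reports which keys carry a command= option, which is the condition the quoted man page text places on root logins under forced-commands-only. The function names and the sample file are constructed for illustration, and the key material is placeholder text.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")  # start of the key field

def parse_entry(line):
    """Return (options, key_type, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = [], line
    if not line.startswith(KEY_TYPES):
        # The options field ends at the first whitespace outside double quotes;
        # commas split options only when they are outside quotes as well.
        cur, quoted, i = "", False, 0
        while i < len(line) and (quoted or not line[i].isspace()):
            ch = line[i]
            if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
                cur, i = cur + '\\"', i + 2  # escaped quote stays inside the value
                continue
            if ch == '"':
                quoted = not quoted
            if ch == "," and not quoted:
                options.append(cur)
                cur = ""
            else:
                cur += ch
            i += 1
        options.append(cur)
        rest = line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2:  # no key type and key data: malformed or unterminated quote
        return None
    return options, fields[0], fields[2] if len(fields) > 2 else ""

def root_key_report(text):
    """Map each key's comment to True if the key has a forced command."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry:
            options, _, comment = entry
            # Option keywords are case-insensitive.
            report[comment or f"line {n}"] = any(
                o.lower().startswith("command=") for o in options)
    return report

SAMPLE = '''\
# constructed sample; key material is placeholder text, not real keys
ssh-ed25519 AAAAC3PLACEHOLDER1 admin@laptop
command="/usr/local/bin/backup --mode=full,verify",no-pty ssh-rsa AAAAB3PLACEHOLDER2 backup@nas
no-port-forwarding,from="10.0.0.*" ssh-rsa AAAAB3PLACEHOLDER3 ops@jump
'''
```

Keys reported as False have no forced command, so with forced-commands-only set they are the ones sshd will refuse for root.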



