
Bug#227340: ssh: PermitRootLogin forced-commands-only is broken



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Colin Watson wrote:
| On Mon, Jan 12, 2004 at 01:14:43PM -0500, Andres Salomon wrote:
|
|>With "PermitRootLogin forced-commands-only" in /etc/ssh/sshd_config,
|>access is not allowed.  Instead, I get:
|>
|>dilinger@wax:~$ ssh root@localhost id
|>socket: Address family not supported by protocol
|>root@localhost's password:
|>
|>In /var/log/auth.log, I get:
|>
|>Jan 12 13:09:34 wax sshd[31981]: ROOT LOGIN REFUSED FROM 127.0.0.1
|>
|>If I change sshd_config to use "PermitRootLogin without-password", it
|>works fine:
|>
|>dilinger@wax:~$ ssh root@localhost id
|>socket: Address family not supported by protocol
|>uid=0(root) gid=0(root) groups=0(root)
|>
|>
|> From the sshd_config manpage:
|>      If this option is set to ``forced-commands-only'' root login with
|>      public key authentication will be allowed, but only if the
|>      command option has been specified (which may be useful for taking
|>      remote backups even if root login is normally not allowed). All
|>      other authentication methods are disabled for root.
|
|
| So do you have a command= option for the relevant key in
| ~root/.authorized_keys? I think not, since your transcript above
| indicates that you're using password authentication, and the man page
| explicitly says "root login with public key authentication will be
| allowed [with the command option, and nothing else]".
|
| The authorized_keys file format is described in sshd(8).
|
| Cheers,
|

Ah, no.  The sshd_config manpage simply says "command option"; I (and
another person who came to the same conclusion as me) thought that just
meant the command arg to ssh.  Please add some mention of
.authorized_keys in the sshd_config manpage, as it's confusing for
someone who has just stumbled upon PermitRootLogin forced-commands-only.
I'd recommend something like:

"but only if the command option has been specified in root's
.authorized_keys (which may be useful for taking remote backups even if
root login is normally not allowed)."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFABBC+78o9R9NraMQRAkbMAJ9F7ffUVqzNXydlFIVGdPEHZQq8/wCgxdyd
EVcUkbVPJCDOBvVbcXim2II=
=e/yY
-----END PGP SIGNATURE-----
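The point the report turns on is that the "command option" in the sshd_config text is the command="..." option on a key line in root's authorized_keys, not the command argument passed to ssh. The script below is an added example, not part of this bug report and not OpenSSH code: it parses authorized_keys lines the way sshd(8) describes them (an optional comma-separated options field that may contain spaces only inside double quotes), reports which keys would be refused under "PermitRootLogin forced-commands-only", and shows a constructed authorized_keys with one backup-style forced-command key, one with quoting inside the command, and one bare key that reproduces the "ROOT LOGIN REFUSED" case. The file paths, key material and command paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report or from OpenSSH).
# sshd_config:   PermitRootLogin forced-commands-only
# With that setting sshd accepts a root login only for a public key whose
# ~root/.ssh/authorized_keys entry carries a command="..." option; a bare
# key line, and any password attempt, is refused (ROOT LOGIN REFUSED).
# Assumptions: bash; file paths, keys and command paths below are constructed.

# Line format per sshd(8):  [options] keytype base64-key [comment]
# Options are comma-separated; spaces occur only inside double quotes,
# with \" escaping, so the field must be scanned rather than split.

# Print the options field of an authorized_keys line ("" if none).
key_options() {
  local line="$1" i=0 c inq=0 opts=""
  case "$line" in
    ssh-*\ *|ecdsa-sha2-*\ *|sk-*\ *|\#*|"") echo ""; return ;;
  esac
  while [ "$i" -lt "${#line}" ]; do
    c=${line:$i:1}
    if [ "$inq" -eq 1 ] && [ "$c" = '\' ]; then   # keep escaped character
      opts="$opts$c${line:$((i+1)):1}"; i=$((i+2)); continue
    fi
    if [ "$c" = '"' ]; then inq=$((1-inq)); fi
    if [ "$c" = ' ' ] && [ "$inq" -eq 0 ]; then break; fi
    opts="$opts$c"; i=$((i+1))
  done
  echo "$opts"
}

# Print 1 if sshd would accept this key under forced-commands-only, else 0.
has_forced_command() {
  case ",$(key_options "$1")" in
    *,command=\"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Print the number of key lines in FILE that lack command=; details on stderr.
audit_authorized_keys() {
  local file="$1" line bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in \#*|"") continue ;; esac
    if [ "$(has_forced_command "$line")" = 0 ]; then
      bad=$((bad+1))
      echo "REFUSED under forced-commands-only: ${line:0:40}..." >&2
    fi
  done < "$file"
  echo "$bad"
}

# Constructed sample of ~root/.ssh/authorized_keys (keys are not real).
sample_authorized_keys() {
  cat <<'EOF'
# backup host: only the dump command, no pty, no forwarding
command="/usr/local/sbin/backup-dump",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAFAKE1 backup@wax
# command containing spaces and an escaped quote
from="10.0.0.0/8",command="/usr/bin/rsync --server --sender -logDtprze . \"/srv/data\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAFAKE2 mirror@wax
# plain key: refused with forced-commands-only, accepted with without-password
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAFAKE3 admin@wax
EOF
}

# Demo run against the constructed sample.
demo_tmp=$(mktemp)
sample_authorized_keys > "$demo_tmp"
demo_bad=$(audit_authorized_keys "$demo_tmp")
echo "keys that forced-commands-only would refuse: $demo_bad"
rm -f "$demo_tmp"
```

Running it on the sample flags only the last key, which is exactly the state the report describes: a key (or password) with no command= is refused with forced-commands-only but works with without-password. The client-side command (`ssh root@localhost id`) never enters into it; with a forced command in place, whatever the client asks for, sshd runs the command from authorized_keys and exposes the original request only in SSH_ORIGINAL_COMMAND.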