AIX

  • 1.  Disable direct root login AND enable passwordless authentication

    Posted Wed June 08, 2011 10:22 AM

    Originally posted by: morgan_gov


    I can disable direct root login by setting "rlogin=false" in the root stanza in /etc/security/user and setting "PermitRootLogin no" in /etc/ssh/sshd_config.

    However, I can only get passwordless authentication for root (using private keys) to work if I set "PermitRootLogin Yes" in /etc/sshd_config.

    Can I have my cake and eat it too? i.e. can I configure a server to disable direct root login via ssh and yet still be able to configure a passwordless authentication for the root user?
    #AIX-Forum


  • 2.  Re: Disable direct root login AND enable passwordless authentication

    Posted Wed June 08, 2011 10:27 AM

    Originally posted by: tony.evans


    From the sshd_config man page,

    PermitRootLogin

    Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.

    The default is “yes”.

    If this option is set to “without-password”, password authentication is disabled for root.

    If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed).

    All other authentication methods are disabled for root.

    If this option is set to “no”, root is not allowed to log in.
    #AIX-Forum


  • 3.  Re: Disable direct root login AND enable passwordless authentication

    Posted Wed June 08, 2011 04:03 PM

    Originally posted by: MurstiMurikka


    Another finesse that can also be found in the sshd_config man page:

    You can set PermitRootLogin no globally and then at the end of the file use Match:

    Match Host <trusted_host>
        PermitRootLogin without-password

    This way you get an even more secure setup, where root logins are accepted only from <trusted_host>, even with the right key.
    #AIX-Forum
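The two replies above describe how sshd resolves PermitRootLogin: the global value applies unless a Match block whose criteria fit the connecting client overrides it. The script below is an added example, not code from the thread or from OpenSSH. It reads an sshd_config-style file and reports the PermitRootLogin value that would apply to a named client host, so you can check a policy before reloading sshd. Assumptions: only the Host criterion is interpreted (exact host names or "*"; a Match line using Address, User or another criterion is treated as not applying, which errs on the restrictive side), the first global value and the first matching Match value win as in sshd, and the sample file embedded in demo_effective_value is constructed for the example.

```sh
#!/bin/sh
# Added example: report the effective PermitRootLogin value for a client host.
# Not from the forum thread or from OpenSSH; pair it with "sshd -t -f FILE",
# which validates the syntax of a candidate file without loading it.

# effective_permit_root_login CONFIG_FILE CLIENT_HOST
# Prints the value sshd would apply to CLIENT_HOST: the first matching
# "Match Host" override if any, else the first global value, else "(default)".
effective_permit_root_login() {
    awk -v client="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            sub(/#.*/, "")                  # strip comments (re-splits fields)
            if ($1 == "") next              # skip blank / comment-only lines
            key = tolower($1)               # keywords are case-insensitive
        }
        key == "match" {
            in_match = 1; applies = 0
            if (tolower($2) == "all") applies = 1
            # criteria come in keyword/value pairs; only "Host" is interpreted here
            for (i = 2; i < NF; i += 2) {
                if (tolower($i) == "host") {
                    n = split(tolower($(i + 1)), pats, ",")
                    for (j = 1; j <= n; j++)
                        if (pats[j] == client || pats[j] == "*") applies = 1
                }
            }
            next
        }
        key == "permitrootlogin" {
            if (!in_match && global == "") global = $2               # first global value wins
            else if (in_match && applies && override == "") override = $2
        }
        END {
            if (override != "") print override
            else if (global != "") print global
            else print "(default)"
        }
    ' "$1"
}

# demo_effective_value CLIENT_HOST
# Writes a constructed sample config (mirroring the thread's suggestion) to a
# temporary file and prints the effective value for CLIENT_HOST.
demo_effective_value() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# Constructed sample sshd_config fragment, not taken from a real system
PermitRootLogin no
PubkeyAuthentication yes
Match Host backup.example.com
    PermitRootLogin without-password
Match Host monitor.example.com
    PermitRootLogin forced-commands-only
EOF
    effective_permit_root_login "$tmp" "$1"
    rm -f "$tmp"
}

demo_effective_value backup.example.com   # without-password
demo_effective_value laptop.example.com   # no
```

Two points worth keeping in mind when using a Match Host override in practice: the Host criterion is compared against the client's resolved host name, so it depends on UseDNS and on the resolver being trustworthy, whereas Match Address compares the client IP and is usually the sturdier criterion; and OpenSSH 7.0 and later spell "without-password" as "prohibit-password" (the old spelling is still accepted as an alias).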


  • 4.  Re: Disable direct root login AND enable passwordless authentication

    Posted Wed June 08, 2011 03:38 PM

    Originally posted by: shargus


    Another idea - one that we use...

    It sounds like you want to block interactive login for root, but allow non-interactive logins for root, to allow for commands to be issued from another server.

    Edit /etc/profile to block root login. Interactive logins source /etc/profile, while non-interactive logins do not.
    This also gives you better control over root logins: for example, you can post an informative message, you can restrict root logins to certain $SSH_CLIENT clients, etc.
    #AIX-Forum
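The reply above relies on the fact that an interactive login shell sources /etc/profile while a non-interactive ssh command does not. The functions below are an added example, not the poster's own /etc/profile, of the $SSH_CLIENT restriction it mentions: an interactive root shell that arrived over ssh is allowed only when the client address is on an allowlist, and everything else is refused and logged. Assumptions: the allowlist is a space-separated list of client IP addresses (the 192.0.2.x addresses are constructed), the decision is returned as the word "allow" or "deny" so it can be tested, and the commented-out tail shows how it would be wired into /etc/profile. Because the guard runs only when a shell sources the profile, it is a layer on top of sshd's PermitRootLogin and Match controls, not a replacement for them.

```sh
#!/bin/sh
# Added example: an /etc/profile guard for interactive root logins over ssh.
# Not from the forum thread. POSIX sh, so it also runs under AIX ksh.

# root_ssh_client_allowed CLIENT_IP ALLOWLIST -> 0 if CLIENT_IP is listed
root_ssh_client_allowed() {
    client_ip=$1
    for allowed in $2; do
        [ "$client_ip" = "$allowed" ] && return 0
    done
    return 1
}

# guard_root_login USER SSH_CLIENT_VALUE ALLOWLIST
# Prints "allow" or "deny". Only root is restricted; a root login with no
# SSH_CLIENT (console or serial line) is left alone because it is not ssh.
guard_root_login() {
    user=$1; ssh_client=$2; allowlist=$3
    [ "$user" = "root" ] || { echo allow; return 0; }
    [ -n "$ssh_client" ] || { echo allow; return 0; }
    client_ip=${ssh_client%% *}          # SSH_CLIENT is "client_ip client_port server_port"
    if root_ssh_client_allowed "$client_ip" "$allowlist"; then
        echo allow
    else
        echo deny
    fi
}

# What the /etc/profile wiring would look like (constructed; set your own list):
#
# ALLOWED_ROOT_CLIENTS="192.0.2.10 192.0.2.11"
# if [ "$(guard_root_login "$(id -un)" "$SSH_CLIENT" "$ALLOWED_ROOT_CLIENTS")" = deny ]; then
#     logger -p auth.warning "interactive root ssh login refused from ${SSH_CLIENT%% *}"
#     echo "Interactive root login is not permitted from this host."
#     exit 1
# fi

guard_root_login root "192.0.2.10 51234 22" "192.0.2.10 192.0.2.11"    # allow
guard_root_login root "198.51.100.7 51234 22" "192.0.2.10 192.0.2.11"  # deny
```

The logger call writes a syslog record at auth.warning, which gives the security team an event to alert on; the message is printed before exiting so the operator sees why the session ended rather than a silent disconnect.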