[wplug-bsd] Root logins and public keys

Brandon Kuczenski brandon at 301south.net
Sat Dec 3 19:26:46 EST 2005


[FreeBSD 5.3]

I recently learned about public-key authentication for ssh connections and 
decided that it would be a swell way to solve the "root password" problem 
on a box with a few administrators -- instead of them all knowing the root 
password, they each have an rsa keypair, with the public components in 
the /root/.ssh/authorized_keys file.  An administrator would then login as 
normal, and then instead of su'ing to root, he would ssh root@localhost 
and use his passphrase.

This requires that ssh accept root logins.  The PermitRootLogins setting 
in /etc/sshd_config has a number of settings, including 
'without-password', which disables passwords as a means of authenticating, 
but still allows rsa keys.  However, the ChallengeResponseAuthentication 
setting, if set to 'yes', overrides the PermitRootLogins setting, and root 
can still login from remote with a password.  If I turn off 
ChallengeResponseAuthentication, however, I'm afraid I will disable access 
to all users who do not have rsa keys set up.  If I remove root's login 
password, root logins are disabled entirely -- from ssh or from the 
console -- except for the case when the person attempting the login has an 
rsa key pair.

This is the way my system is now configured: I have created a special rsa 
key, put the public part into /root/.ssh/authorized_keys, modified my 
~/.ssh/config to use the private part of that key for authentication as 
root, enabled root logins via ssh, and removed root's login password.

Is there a way to allow root to still login with a password from the 
console, but to continue using rsa keys for remote authentication?  I have 
two ideas: run two ssh daemons, one that only listens on localhost; or, 
use the 'forced-commands-only' setting for PermitRootLogins, and somehow 
set up the authorized_keys file so that it runs a normal login shell.  Good 
idea? Bad idea?

Also, is it dangerous to NOT have a root password?

Thanks,
Brandon
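An added example, not part of the post above: a POSIX shell audit of the two settings the post discusses (a key-only PermitRootLogin with ChallengeResponseAuthentication turned off) plus a check that every key in root's authorized_keys carries a from= option naming only the loopback addresses, which confines the root key to `ssh root@localhost` without running a second daemon. The config and key files are constructed placeholders, and the key-only values and sshd defaults assumed are those of OpenSSH.

```sh
#!/bin/sh
# sshd_get KEY FILE: print the effective value of KEY. As in sshd, the first
# uncommented occurrence wins and keyword matching is case-insensitive.
sshd_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# root_key_only FILE: 0 when root can only get in over ssh with a key, 1 otherwise.
# PermitRootLogin must be a key-only value and ChallengeResponseAuthentication
# must be off (sshd's default is yes). PasswordAuthentication is left alone:
# a key-only PermitRootLogin blocks root's password while other users keep theirs.
root_key_only() {
    prl=$(sshd_get PermitRootLogin "$1")
    cra=$(sshd_get ChallengeResponseAuthentication "$1")
    case "${prl:-yes}" in
        without-password|prohibit-password|forced-commands-only) ;;
        *) echo "PermitRootLogin=${prl:-yes}: root password login allowed"; return 1 ;;
    esac
    [ "${cra:-yes}" = no ] && return 0
    echo "ChallengeResponseAuthentication=${cra:-yes}: root may still be asked a password"
    return 1
}

# root_keys_local FILE: 0 when every key in root's authorized_keys carries a
# from= option naming only the loopback addresses, so the root key is unusable
# from remote hosts; this gives the post's localhost-only idea without a second sshd.
root_keys_local() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !/^from="(127\.0\.0\.1|::1)(,(127\.0\.0\.1|::1))*"[[:space:]]/ { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample files (placeholders, not the post's real configuration).
WEAK_CFG=$(mktemp); FIXED_CFG=$(mktemp); KEYS=$(mktemp)
printf '%s\n' 'PermitRootLogin without-password' \
              'ChallengeResponseAuthentication yes' >"$WEAK_CFG"
printf '%s\n' 'PermitRootLogin without-password' \
              'ChallengeResponseAuthentication no' >"$FIXED_CFG"
printf '%s\n' '# root key, usable only via ssh root@localhost' \
  'from="127.0.0.1,::1" ssh-rsa AAAAB3NzaC1yc2EEXAMPLE admin@example' >"$KEYS"
root_key_only "$WEAK_CFG"  || echo "weak sshd_config: not key-only for root"
root_key_only "$FIXED_CFG" && echo "fixed sshd_config: key-only for root"
root_keys_local "$KEYS"    && echo "root's keys are restricted to localhost"
```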
