[wplug-bsd] Root logins and public keys

Bill Moran wmoran at potentialtech.com
Sat Dec 3 20:57:46 EST 2005


Brandon Kuczenski <brandon at 301south.net> wrote:
> [FreeBSD 5.3]
> 
> I recently learned about public-key authentication for ssh connections and 
> decided that it would be a swell way to solve the "root password" problem 
> on a box with a few administrators -- instead of them all knowing the root 
> password, they each have an rsa keypair, with the public components in 
> the /root/.ssh/authorized_keys file.  An administrator would then login as 
> normal, and then instead of su'ing to root, he would ssh root@localhost 
> and use his passphrase.
> 
> This requires that ssh accept root logins.  The PermitRootLogins setting 
> in /etc/sshd_config has a number of settings, including 
> 'without-password', which disables passwords as a means of authenticating, 
> but still allows rsa keys.  However, the ChallengeResponseAuthentication 
> setting, if set to 'yes', overrides the PermitRootLogins setting, and root 
> can still login from remote with a password.  If I turn off 
> ChallengeResponseAuthentication, however, I'm afraid I will disable access 
> to all users who do not have rsa keys setup.  If I remove root's login 
> password, root logins are disabled entirely -- from ssh or from the 
> console -- except for the case when the person attempting the login has an 
> rsa key pair.
> 
> This is the way my system is now configured: I have created a special rsa 
> key, put the public part into /root/.ssh/authorized_keys, modified my 
> ~/.ssh/config to use the private part of that key for authentication as 
> root, enabled root logins via ssh, and removed root's login password.
> 
> Is there a way to allow root to still login with a password from the 
> console, but to continue using rsa keys for remote authentication?  I have 
> two ideas: run two ssh daemons, one that only listens on localhost; or, 
> use the 'forced-commands-only' setting for PermitRootLogins, and somehow 
> setup the authorized_keys file so that it runs a normal login shell.  Good 
> idea? Bad idea?

An alternative would be to run 2 sshds.  One on the external interface,
and the other only on the loopback.  Then you could configure each specific
to the way you want it to work.  The internal accepting keypairs only, and
the external refusing all root logins.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
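
The two-daemon layout suggested in the reply above, as an added example that is not part of the original thread: one config per sshd instance, plus a check that the pair enforces "external refuses root, loopback takes root by key only". The file names, the address 192.0.2.10 and the helper functions are constructed for illustration; directives use their sshd_config(5) spellings (PermitRootLogin).

```shell
#!/bin/sh
# Added example: the two-daemon split as config files plus a policy check.
# Paths, the address 192.0.2.10 and all function names are constructed.
dir=$(mktemp -d)

# External instance: reachable from the network, never accepts root.
cat > "$dir/sshd_external" <<'EOF'
ListenAddress 192.0.2.10
PidFile /var/run/sshd_external.pid
PermitRootLogin no
ChallengeResponseAuthentication yes
EOF

# Loopback instance: only users already on the box reach it; root by key only.
cat > "$dir/sshd_internal" <<'EOF'
ListenAddress 127.0.0.1
PidFile /var/run/sshd_internal.pid
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Print the first value given for a keyword (keywords are case-insensitive,
# and sshd uses the first value it obtains for each keyword).
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print every ListenAddress value on one line, each followed by a space.
listen_addrs() {
    awk 'tolower($1) == "listenaddress" { printf "%s ", $2 }' "$1"
}

# Return 0 only if the two files implement the split policy.
check_split() {
    ext=$1 int=$2
    [ -n "$(listen_addrs "$ext")" ] || { echo "external binds every address"; return 1; }
    case " $(listen_addrs "$ext")" in *" 127.0.0.1 "*) echo "external also on loopback"; return 1;; esac
    [ "$(first_value "$ext" PermitRootLogin)" = "no" ] || { echo "external allows root"; return 1; }
    [ "$(listen_addrs "$int")" = "127.0.0.1 " ] || { echo "internal not loopback-only"; return 1; }
    [ "$(first_value "$int" PermitRootLogin)" = "without-password" ] || { echo "internal root policy wrong"; return 1; }
    for k in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(first_value "$int" "$k")" = "no" ] || { echo "internal: $k not disabled"; return 1; }
    done
    return 0
}

check_split "$dir/sshd_external" "$dir/sshd_internal" && echo "split policy OK"
```

Each daemon would be started against its own file with `sshd -f`, after a syntax check with `sshd -t -f`. Because password and challenge-response authentication are turned off only in the loopback instance, remote users without keys and root's console password are unaffected.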

