Permit root to login via ssh only with key-based authentication
I have some doubts about certain SSH server configurations in `/etc/ssh/sshd_config`. I want the following behavior:
- Public key authentication is the only way to authenticate as root (no password authentication or other)
- Normal users can use both (password and public key authentication)
If I set `PasswordAuthentication no`, my first point is satisfied but not the second. Is there a way to set `PasswordAuthentication no` only for root?
You can do this using the `PermitRootLogin` directive. From the
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.
If this option is set to “without-password”, password authentication is disabled for root.
The following will accomplish what you want:
```
PasswordAuthentication yes
PermitRootLogin without-password
```
I tried this on Debian and verified with `service ssh restart` on the server, and then on the client I tried connecting without my key with `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no [email protected]` and indeed could not log in with password but could with key for the root user.
Yeah, but if you just do this instead, then you can log in with the password: `ssh -o PreferredAuthentications=password [email protected]`. Not particularly secure, IMHO.
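
Added example, not part of the original thread: a small Python check that reads the effective settings printed by `sshd -T` and reports whether the two requirements from the question hold. The function names and the sample dumps are assumptions made up for this illustration; the dumps are constructed, not captured from a server.

```python
# Added example: audit `sshd -T` output against the policy in the question.
# Collect one dump per account on the server, for instance:
#   sshd -T -C user=root,host=localhost,addr=127.0.0.1
# The dumps below are constructed samples, not captured output.
ROOT_NO_PASSWORD = {"without-password", "prohibit-password", "forced-commands-only"}
INTERACTIVE = ("kbdinteractiveauthentication", "challengeresponseauthentication")

def parse_dump(text):
    """Turn 'keyword value' lines into a dict, keeping the first value seen."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip().lower())
    return cfg

def audit(root_dump, user_dump):
    """Return findings; an empty list means both requirements hold."""
    root, user = parse_dump(root_dump), parse_dump(user_dump)
    prl = root.get("permitrootlogin", "unknown")
    findings = []
    if prl == "no":
        findings.append("root login is disabled entirely, keys included")
    elif prl not in ROOT_NO_PASSWORD and root.get("passwordauthentication") != "no":
        findings.append("root can authenticate with a password")
    if root.get("pubkeyauthentication") != "yes":
        findings.append("public key authentication is off for root")
    # OpenSSH 7.0 and later block keyboard-interactive for root under
    # without-password; earlier releases only block password authentication.
    if prl != "no" and any(root.get(k) == "yes" for k in INTERACTIVE):
        findings.append("keyboard-interactive is enabled for root")
    if user.get("passwordauthentication") != "yes":
        findings.append("normal users cannot use password authentication")
    return findings

BASE = "pubkeyauthentication yes\nchallengeresponseauthentication no\n"
ANSWER = "permitrootlogin without-password\npasswordauthentication yes\n" + BASE
GLOBAL_NO = "permitrootlogin yes\npasswordauthentication no\n" + BASE
PERMISSIVE = "permitrootlogin yes\npasswordauthentication yes\n" + BASE

if __name__ == "__main__":
    for name, dump in (("answer", ANSWER), ("global no", GLOBAL_NO),
                       ("permissive", PERMISSIVE)):
        print(name, audit(dump, dump) or "policy holds")
```

Pass a separate dump for a non-root account when `Match` blocks are in use, since the effective settings can then differ per user.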