Permit root to log in via ssh only with key-based authentication

  • I have some doubts about certain ssh server configurations in /etc/ssh/sshd_config. I want the following behavior:

    1. Public key authentication is the only way to authenticate as root (no password authentication or other)
    2. Normal users can use both (password and public key authentication)

    If I set `PasswordAuthentication no`, my first point is satisfied but not the second. Is there a way to set `PasswordAuthentication no` only for root?

  • jordanm (Correct answer)

    7 years ago

    You can do this using the PermitRootLogin directive. From the sshd_config manpage:

    Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.

    If this option is set to “without-password”, password authentication is disabled for root.

    The following will accomplish what you want:

    PasswordAuthentication yes
    PermitRootLogin without-password
    

    I tried this on Debian and verified with `service ssh restart` on the server, and then on the client I tried connecting without my key with `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no [email protected]`, and indeed could not log in with password but could with key for the root user.

    Yeah, but if you just do this instead, then you can log in with the password: `ssh -o PreferredAuthentications=password [email protected]`. Not particularly secure, imho.

    In 2019 it is "PermitRootLogin prohibit-password", the old without-password is a deprecated alias.
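
An added example, not part of the original answer or comments: a Python check that reads sshd_config text and reports whether it meets the two goals from the question. It evaluates only the global section (Match blocks and Include files are not followed); the function names and sample configs are constructed for illustration, and the default for PermitRootLogin is taken from the manpage quoted above.

```python
# Added example: audit sshd_config text for "root key-only, users may use passwords".
# Assumption: only the global section is read (parsing stops at the first Match line).

ALIASES = {"without-password": "prohibit-password"}  # deprecated alias of the newer name
ROOT_NO_PASSWORD = {"prohibit-password", "forced-commands-only", "no"}

def global_settings(config_text):
    """Return {keyword: value}; keywords are case-insensitive, first value wins (as in sshd)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # conditional blocks are outside this check
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # a later duplicate does not override
    return settings

def audit(config_text, root_default="yes"):
    """root_default is the PermitRootLogin default; pass the one for your sshd version."""
    s = global_settings(config_text)
    root = s.get("permitrootlogin", root_default)
    root = ALIASES.get(root, root)
    users_password = s.get("passwordauthentication", "yes") == "yes"
    pubkey = s.get("pubkeyauthentication", "yes") == "yes"
    return {
        "permitrootlogin": root,
        "root_password_blocked": root in ROOT_NO_PASSWORD,
        "users_password_allowed": users_password,
        "meets_goal": root == "prohibit-password" and users_password and pubkey,
    }

# Constructed sample: the configuration from the answer.
GOOD = "PasswordAuthentication yes\nPermitRootLogin without-password\n"
# Constructed sample: an earlier PermitRootLogin line shadows the intended one.
SHADOWED = "PermitRootLogin yes\n" + GOOD

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("SHADOWED", SHADOWED)):
        print(name, audit(text))
```

On a live server, `sshd -T` prints the effective configuration, which also accounts for Match blocks and included files that this check skips.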

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM