Pam may bypass the setting of Set PermitRootLogin without-password

April 7, 2015 4.3k views
Security
3a0442f41c8f0a7ebfd6e6f282775843fe41c029
By:
stevehendo34

nano /etc/ssh/sshd_config

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

So how do I set this so PAM to not bypass “Set PermitRootLogin without-password”
?

Sign In to Comment
1 Answer
bruns.nicholas December 30, 2015

With the default PAM settings, they shouldn’t interfere with the PermitRootLogin without-password. If you already have your SSH keys set up, you can test by renaming your private key (something like mv ~/.ssh/id_rsa ~/.ssh/diff_id_rsa) and it’ll prompt you for a password.

For a deeper look into PAM configuration, DO wrote this article

How To Use PAM to Configure Authentication on an Ubuntu 12.04 VPS
by Justin Ellingwood
PAM, or Pluggable Authentication Modules, is a system for connecting authentication services to application requesting authentication, through the use of a consistent API. Authentication schemes can be switched out without having to reconfigure large amounts of code. In this guide, we will discuss how PAM works and give a basic explanation of how the system operates.
Report
Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Related