Pam may bypass the setting of Set PermitRootLogin without-password

Posted April 7, 2015 6.5k views

nano /etc/ssh/sshd_config

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

So how do I set this so PAM to not bypass “Set PermitRootLogin without-password”

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

With the default PAM settings, they shouldn’t interfere with the PermitRootLogin without-password. If you already have your SSH keys set up, you can test by renaming your private key (something like mv ~/.ssh/id_rsa ~/.ssh/diff_id_rsa) and it’ll prompt you for a password.

For a deeper look into PAM configuration, DO wrote this article

by Justin Ellingwood
PAM, or Pluggable Authentication Modules, is a system for connecting authentication services to application requesting authentication, through the use of a consistent API. Authentication schemes can be switched out without having to reconfigure large amounts of code. In this guide, we will discuss how PAM works and give a basic explanation of how the system operates.