
PermitRootLogin without-password still allows root login

When I ran Panther server on my Xserves, I edited the Authentication section in the /etc/sshd_config file to...

PermitRootLogin without-password

... to disallow remote root login, but allow it for public key authentication for rsync backups. This worked, and it still allowed other accounts to remotely login. Then came the Tiger server upgrade of my Xserves.

When I performed the same edit and tested it, lo and behold I found that ssh root@example.com would get me a password prompt and a successful login when I entered its password. I then perused the sshd_config man page and found this:

"If this option is set to "without-password" password authentication is disabled for root. Note that other authentication methods (e.g., keyboard-interactive/PAM) may still allow root to login using a password."

I suspect that Tiger server is now using a later version of OpenSSH and the previous behavior changed. Do others have any suggestions for sshd_config edits that would achieve the previous Panther server behavior? TIA

Posted on Nov 3, 2005 2:39 PM

3 replies

Nov 9, 2005 12:37 PM in response to Michael Alatorre1

Try changing the Service ACL for SSH to only allow the specific account(s) you want to have access. If you haven't looked at this feature yet....

In Server Admin, in the left column where it lists the services, click the top item in the list (this should be your server vs a service).
Click Settings
Click Access
Uncheck "Use same access for all services"
Click SSH
Click +
Add the user(s) who need access.

I've never tested to see if this blocks root, but I suspect it will and is a more handy way to manage access.

Let me know if it works for you (or not).

Jeff

Nov 10, 2005 3:25 PM in response to UptimeJeff

Mixed results regarding changing the Service ACL for SSH:

- disallows remote root login (good)
- allows others to remotely login (good)
- disallows public key authentication by root for remote rsync backups (bad)

Oh well. Dan Shoop from Apple's OS X server list confirmed that Tiger indeed uses a later version:

"Well that is easy enough to check. `ssh -v` on Panther 10.3.9 produces:
OpenSSH_3.6.1p1+CAN-2004-0175, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
while on Tiger 10.4.2 it produces:
OpenSSH_3.8.1p1, OpenSSL 0.9.7g 11 Apr 2005"

Google offered this similar debian-ssh thread:
<http://lists.debian.org/debian-ssh/2004/09/msg00008.html> with some various suggestions to try with the sshd_config file to achieve the previous behavior. Looks like I'll try those next. Thanks.
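An added example, not code from the thread or from Apple: a small sh audit that reads an sshd_config and reports which method, if any, would still hand root a password prompt, using the semantics the quoted man page text describes for this OpenSSH generation (PermitRootLogin without-password blocks only the "password" method, while the keyboard-interactive method that PAM uses is governed by ChallengeResponseAuthentication). The two config files are constructed here; the "weak" one reproduces the edit from the original post, and the "hardened" one is the change I would try first to get root back to key-only while other accounts keep password logins. That it works on Tiger's 3.8.1p1 is an assumption on my part, not something the thread confirms. Note that a per-user `Match` block is not an option on 3.8.1p1; Match arrived in OpenSSH 4.4.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the gap the
# quoted man-page text describes. Assumes OpenSSH 3.8-era semantics:
#   - "PermitRootLogin without-password" blocks only the "password" method
#   - "ChallengeResponseAuthentication" switches the keyboard-interactive
#     method on or off, which is the path PAM uses to ask for a password
# Only the "Keyword value" form is parsed; sshd also accepts "Keyword=value".

# Effective value of a keyword: first uncommented match wins, as in sshd;
# the supplied default is used when the keyword is absent.
sshd_opt() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Prints "none" when root has no password path left, otherwise the name of
# the authentication method that would still accept a root password.
root_password_path() {
    f=$1
    prl=$(sshd_opt "$f" PermitRootLogin yes)              # 3.8 default: yes
    pwd_auth=$(sshd_opt "$f" PasswordAuthentication yes)  # default: yes
    cra=$(sshd_opt "$f" ChallengeResponseAuthentication yes)  # default: yes
    case "$prl" in
        no|forced-commands-only)
            echo none; return ;;
        yes)
            if [ "$pwd_auth" = yes ]; then echo password; return; fi ;;
    esac
    # "yes" (with passwords off) or "without-password": keyboard-interactive
    # is not blocked by PermitRootLogin here, so PAM can still prompt root.
    if [ "$cra" = yes ]; then echo keyboard-interactive; return; fi
    echo none
}

weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
# Constructed: the edit from the original post on a Tiger-style sshd_config
PermitRootLogin without-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$hardened" <<'EOF'
# Constructed: root key-only, other accounts keep password logins (the
# "password" method still verifies through PAM when UsePAM is yes)
PermitRootLogin without-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
echo "weak:     root password path = $(root_password_path "$weak")"
echo "hardened: root password path = $(root_password_path "$hardened")"
rm -f "$weak" "$hardened"
```

Run it against the live file with `root_password_path /etc/sshd_config` after sourcing the functions, then confirm with `ssh -v root@host` that the server no longer offers keyboard-interactive as a method for root. The trade-off of `ChallengeResponseAuthentication no` is that it turns off keyboard-interactive for every account, not just root; on a server where only password and public-key logins are in use that costs nothing.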

