In previous versions of OpenSSH (around 5.3), inserting "PasswordAuthentication no" into sshd_config also disabled password authentication for root. Now, even with this present, root can still login with a password:

aaron@nexus ~ $ ssh root@snort.redacted
Password:
Last login: Tue Nov 30 22:43:36 GMT 2010 from cerebro.redacted on pts/0
snort ~ # grep Password /etc/ssh/sshd_config
PasswordAuthentication no

Is this an intended change? Those wishing to disable password authentication for root would now need an explicit:

PermitRootLogin without-password

Reproducible: Always

Steps to Reproduce:
1. Configure OpenSSH to not allow password auth
2. Login as root with a password

Actual Results:
It let me in.

Expected Results:
Should have said access denied.

snort ~ # eix -e openssh
[I] net-misc/openssh
     Available versions: 5.2_p1-r3 5.3_p1-r1 ~5.4_p1-r3 5.5_p1-r2 ~5.6_p1-r1 5.6_p1-r2{tbz2} {X X509 hpn kerberos ldap libedit pam pkcs11 selinux skey smartcard static tcpd}
     Installed versions: 5.6_p1-r2{tbz2}(23:46:26 29/11/10)(pam -X -X509 -hpn -kerberos -ldap -libedit -selinux -skey -static -tcpd)
You have the pam USE flag enabled. Did you read the comment above the UsePAM setting in sshd_config?
My bad. Setting -pam and remerging fixes it. Hm.
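
An added example, not part of the original report or of OpenSSH: with UsePAM enabled, sshd can still prompt for a password through keyboard-interactive authentication even when PasswordAuthentication is set to no, which is the combination this thread ends on. The script below checks an sshd_config for it; the function names, the sample file and the fallback defaults (taken to be the upstream ones) are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config for password prompts that survive
# "PasswordAuthentication no" because PAM is still reachable.

# effective KEY DEFAULT FILE
# Prints the value sshd would use for KEY in the global section of FILE:
# keywords are case-insensitive and the first occurrence wins. Falls back to
# DEFAULT (assumed upstream default) when the keyword is absent.
# Limitation: expects "Keyword value" lines, not the "Keyword=value" form.
effective() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }  # global section ends at first Match
        tolower($1) == tolower(key) { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$3"
}

# password_path FILE
# Prints which route, if any, still lets a client authenticate with a password.
password_path() {
    pam=$(effective UsePAM no "$1")
    pw=$(effective PasswordAuthentication yes "$1")
    # Newer OpenSSH releases name this keyword KbdInteractiveAuthentication.
    cr=$(effective ChallengeResponseAuthentication yes "$1")
    if [ "$pw" = yes ]; then
        echo "password"
    elif [ "$pam" = yes ] && [ "$cr" = yes ]; then
        echo "keyboard-interactive-via-pam"
    else
        echo "none"
    fi
}

# Constructed sample mirroring the report: PAM on, only PasswordAuthentication off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not the reporter's real file
PasswordAuthentication no
UsePAM yes
EOF
echo "sample config: $(password_path "$sample")"
rm -f "$sample"
```

A result of "none" needs both PasswordAuthentication and ChallengeResponseAuthentication set to no when UsePAM stays on; on a live host, `sshd -T` prints the effective values to compare against.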