Hi guys, I just read about several attempts of brute-forcing on ssh servers (on incidents.org) and decided to just ensure that you couldn't log in to my ssh server with password auth (as I've set "PermitRootLogin without-password" and "AllowUsers myuser root") - but I found that it will happily authenticate me without having a key :( This problem is VERY DANGEROUS - as many times you need root login, for backup purposes or other things, and use the without-password option, to ensure root login can't be bruteforced.

Reproducible: Always

Steps to Reproduce:
1. add the two options mentioned in Details to /etc/sshd/sshd_config
2. restart sshd
3. try to log in as root with password..

Actual Results: I was let in :(

Expected Results: Keep asking me for a password - as it does on at least 3.7.1 and earlier.
If you have UsePAM=yes set, it's not a bug, it's by design. If you have UsePAM = yes, it's PAM that decides if root can log in, not "PermitRootLogin". The man page for sshd_config makes it quite clear:

    PermitRootLogin
        [...] If this option is set to ``without-password'' password
        authentication is disabled for root. Note that other authentication
        methods (e.g., keyboard-interactive/PAM) may still allow root to
        login using a password.

A workaround is to configure the ssh PAM stack to deny login access to root, something like:

    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line should be inserted before the reference to any other module of type 'auth' that performs actual authentication. The file /etc/ssh/denyusers should contain only one line, containing 'root'.

Please confirm that you have UsePAM=yes in your sshd_config, in which case we will close the bug as INVALID. If you feel it's buggy behaviour, feel free to bring up your case to the upstream developers, the OpenSSH team.
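The combination described in this thread (PermitRootLogin without-password plus UsePAM yes, with the PAM stack not denying root) is easy to miss in a config review. Below is an added shell audit script, written for this page and not taken from the bug report or from OpenSSH, that reads an sshd_config the way sshd does (first occurrence of a keyword wins), checks whether PAM is in charge of root's password path, and verifies that the pam_listfile workaround from the comment above is present, lists root, and sits before any other auth module. The sshd_config keywords are real; the sample config and PAM stacks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or the OpenSSH project): audit an
# sshd_config together with the sshd PAM stack for the case discussed above,
# where "PermitRootLogin without-password" is set but "UsePAM yes" leaves the
# keyboard-interactive/PAM path open for root unless PAM itself denies root.

# Print the (lowercased) value of an sshd_config keyword. Keywords are
# case-insensitive and sshd honours the first occurrence, so stop at the
# first match. $1 = config file, $2 = keyword, $3 = default when absent.
sshd_opt() {
    v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '/^[[:space:]]*#/ { next } tolower($1) == k { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}" | tr 'A-Z' 'a-z'
}

# Succeed when $1 (the sshd PAM service file) carries the workaround line
#   auth required pam_listfile.so item=user sense=deny file=$2
# before any other 'auth' module, and the deny file $2 lists root.
pam_denies_root() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 != "auth" { next }
        $3 ~ /(^|\/)pam_listfile\.so$/ {
            item = sense = file = ""
            for (i = 4; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == "item")  item  = kv[2]
                if (n == 2 && kv[1] == "sense") sense = kv[2]
                if (n == 2 && kv[1] == "file")  file  = kv[2]
            }
            if ($2 == "required" && item == "user" && sense == "deny" && file == want && !seen_other) ok = 1
            next
        }
        { seen_other = 1 }          # some other auth module ran first
        END { exit ok ? 0 : 1 }
    ' "$1" && grep -qx root "$2"
}

# Return 0 when the configuration closes the root password paths named in
# the thread (PasswordAuthentication, and keyboard-interactive/PAM when
# UsePAM is on), 1 when root can still present a password.
root_password_login_blocked() {
    cfg=$1; pamfile=$2; denyfile=$3
    case "$(sshd_opt "$cfg" PermitRootLogin yes)" in
        no)  return 0 ;;            # root cannot log in at all
        yes) return 1 ;;            # password login for root is allowed
    esac                            # without-password / forced-commands-only
    # Password auth for root is off, but with UsePAM yes the
    # keyboard-interactive/PAM path still accepts a password unless the
    # PAM stack denies root.
    if [ "$(sshd_opt "$cfg" UsePAM no)" = yes ]; then
        pam_denies_root "$pamfile" "$denyfile"
    else
        return 0
    fi
}

# Constructed sample files in a scratch directory (removed on exit).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
DENY=$TMP/denyusers
printf 'root\n' > "$DENY"

# Constructed: the reporter's settings, root key-only but PAM left in charge.
cat > "$TMP/sshd_config" <<'EOF'
# constructed sshd_config
PermitRootLogin without-password
AllowUsers myuser root
UsePAM yes
EOF

# Constructed PAM stacks: no workaround, workaround after pam_unix has
# already authenticated (wrong place), and the workaround placed first.
printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$TMP/pam.plain"
printf 'auth required pam_unix.so\nauth required pam_listfile.so item=user sense=deny file=%s\n' "$DENY" > "$TMP/pam.late"
printf 'auth required pam_listfile.so item=user sense=deny file=%s\nauth required pam_unix.so\n' "$DENY" > "$TMP/pam.fixed"

for p in plain late fixed; do
    if root_password_login_blocked "$TMP/sshd_config" "$TMP/pam.$p" "$DENY"; then
        echo "pam.$p: root password login blocked"
    else
        echo "pam.$p: root can still log in with a password via PAM"
    fi
done
```

Running the script prints one line per sample PAM stack; only pam.fixed passes, because the deny line must come before the module that actually checks the password, exactly as the comment above says. To audit a real host, call root_password_login_blocked with /etc/ssh/sshd_config, the sshd PAM service file for your distribution, and the deny file you configured.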
Thank you very much for that solution (it worked :) - oddly enough it won't let root log in (without the pam-change you suggested) with PAM enabled, on 3.7.1 and earlier (on Red Hat 7.x at least I've confirmed it) - so they must have changed the behavior in recent versions :( But since it's apparently meant to work this way - it's no bug - just an IMHO stupid change :)